CWE-862: Missing Authorization

low-risk

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Abstraction: Class

Common Consequences

Confidentiality Read Application Data
Integrity Modify Application Data
Access Control Gain Privileges or Assume Identity
Availability DoS: Crash, Exit, or Restart

Detection Methods

Automated Static Analysis

Automated static analysis is useful for detecting commonly-used idioms for authorization. A tool may be able to analyze related configuration files, such as .htaccess in Apache web servers, or detect the usage of commonly-used authorization libraries. Generally, automated static analysis tools have difficulty detecting custom authorization schemes. In addition, the software's design may include some functionality that is accessible to any user and does not require an authorization check; an automated technique that detects the absence of authorization may report false positives.

Automated Dynamic Analysis

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual static analysis is useful for evaluating the correctness of custom authorization mechanisms.

Manual Static Analysis - Binary or Bytecode

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Host Application Interface Scanner Fuzz Tester Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code

According to SOAR [REF-1479], the following detection techniques may be useful: Cost effective for partial coverage: Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Architecture or Design Review

According to SOAR [REF-1479], the following detection techniques may be useful: Highly cost effective: Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.) Formal Methods / Correct-By-Construction

Real-World Examples (10)

CVE CVSS EPSS KEV
CVE-2022-0543 10.0 94.4% Y
CVE-2022-0543 10.0 94.4% Y
CVE-2021-39226 9.8 94.3% Y
CVE-2023-6875 9.8 93.7%
CVE-2023-6875 9.8 93.7%
CVE-2019-16097 6.5 93.7%
CVE-2020-8772 9.8 93.6%
CVE-2023-25573 8.6 93.6%
CVE-2022-1329 8.8 93.4%
CVE-2022-1329 8.8 93.4%
4
/ 100
low-risk
Active Threat 4/50 · Minimal
Exploit Availability 0/50 · Minimal