CAPEC Details
Name Accessing Functionality Not Properly Constrained by ACLs
Likelyhood of attack Typical severity
High High
Summary In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
Prerequisites The application must be navigable in a manner that associates elements (subsections) of the application with ACLs. The various resources, or individual URLs, must be somehow discoverable by the attacker The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.
Execution Flow
Step Phase Description Techniques
1 Explore [Survey] The attacker surveys the target application, possibly as a valid and authenticated user
  • Spidering web sites for all available links
  • Brute force guessing of resource names
  • Brute force guessing of user names / credentials
  • Brute force guessing of function names / actions
2 Explore [Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions
  • Use the web inventory of all forms and inputs and apply attack data to those inputs.
  • Use a packet sniffer to capture and record network traffic
  • Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.
3 Experiment [Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.
  • Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)
Solutions In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.
Related Weaknesses
CWE ID Description
CWE-276 Incorrect Default Permissions
CWE-285 Improper Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-693 Protection Mechanism Failure
CWE-721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-1191 Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
CWE-1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
CWE-1220 Insufficient Granularity of Access Control
CWE-1224 Improper Restriction of Write-Once Bit Fields
CWE-1244 Improper Access to Sensitive Information Using Debug and Test Interfaces
CWE-1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
CWE-1262 Register Interface Allows Software Access to Sensitive Data or Security Settings
CWE-1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents
CWE-1283 Mutable Attestation or Measurement Reporting Data
CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
CWE-1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
CWE-1314 Missing Write Protection for Parametric Data Values
CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
CWE-1320 Improper Protection for Out of Bounds Signal Level Alerts
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1326 Missing Immutable Root of Trust in Hardware
CWE-1327 Binding to an Unrestricted IP Address
Related CAPECS
CAPEC ID Description
CAPEC-17 An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-122 An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
Taxonomy: ATTACK
Entry ID Entry Name
1574.010 Hijack Execution Flow: ServicesFile Permissions Weakness