CWE-639: Authorization Bypass Through User-Controlled Key
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism
Note: Access control checks for specific user data or functionality can be bypassed.
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity
Note: Horizontal escalation of privilege is possible (one user can view/modify information of another user).
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity
Note: Vertical escalation of privilege is possible if the user-controlled key is actually a flag that indicates administrator status, allowing the attacker to gain administrative access.
Potential Mitigations
Phase: Architecture and Design
Description: For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Phase: Architecture and Design; Implementation
Description: Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user, or that any tampering can be detected.
Phase: Architecture and Design
Description: Use encryption in order to make it more difficult to guess other legitimate values of the key, or associate a digital signature with the key so that the server can verify that there has been no tampering.
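The following is an added example, not part of the CWE entry: a record lookup that trusts the client-supplied key (the CWE-639 pattern) beside two hardened variants that follow the mitigations above, a per-access ownership check and an HMAC-tagged key whose tampering is detected before lookup. The record store, user names and server secret are all constructed for illustration.

```python
"""Added illustration of CWE-639 and its mitigations (constructed data, not from the entry)."""
import hashlib
import hmac

# Constructed sample store: record_id -> (owner_user_id, contents).
RECORDS = {
    101: ("alice", "alice's invoice"),
    102: ("bob", "bob's invoice"),
}

# Hypothetical server-side secret used to tag keys; it never leaves the server.
SERVER_KEY = b"constructed-demo-secret"


def fetch_record_vulnerable(current_user: str, record_id: int) -> str:
    """CWE-639: the key from the request selects the record directly, so any
    authenticated user who changes record_id reads another user's record."""
    _owner, contents = RECORDS[record_id]
    return contents


def fetch_record_checked(current_user: str, record_id: int):
    """Mitigation: on every access, verify the requester owns the record.
    Returns None (deny) when the record is missing or belongs to someone else."""
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != current_user:
        return None
    return entry[1]


def sign_key(record_id: int) -> str:
    """Mitigation: attach an HMAC tag so the server can detect key tampering.
    The client receives "<id>.<tag>" and must present it unchanged."""
    tag = hmac.new(SERVER_KEY, str(record_id).encode(), hashlib.sha256).hexdigest()
    return f"{record_id}.{tag}"


def fetch_record_signed(current_user: str, signed_key: str):
    """Reject any key whose tag does not verify (constant-time compare), then
    still apply the ownership check: the signature proves the key was issued
    by the server, not that this user may read the record."""
    record_id_str, _sep, tag = signed_key.partition(".")
    expected = hmac.new(SERVER_KEY, record_id_str.encode(), hashlib.sha256).hexdigest()
    if not record_id_str.isdigit() or not hmac.compare_digest(tag, expected):
        return None  # tampered, forged or malformed key
    return fetch_record_checked(current_user, int(record_id_str))
```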
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2021-36539
An educational application does not appropriately restrict file IDs to a particular user. The attacker can brute-force guess IDs, indicating IDOR.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |