High Severity
🟠 Missing Function Level Access Control
🧠 Description
The application fails to verify that the authenticated user is authorized to invoke a given function before executing it. Privileged functionality is "protected" only by not showing the link in the UI, so a regular user who requests the admin URL directly (or guesses it) gets the admin function executed with full effect.
Impact: Privilege Escalation, Data Theft, Admin Access
🔍 Detection
Common admin endpoints to request as a low-privilege user and as an unauthenticated client; a 200 response (or a successful state change on POST/DELETE) where an admin session would be required is a finding:
/admin
/admin/dashboard
/api/admin/users
/manage
/moderator
/settings/delete
🛡️ Mitigation
✅ Implement role-based access control (RBAC)
✅ Deny by default - require explicit permission
✅ Enforce authorization server-side on every request, at a central chokepoint (middleware or router), not per-handler from memory; hiding a link in the UI is not a control
✅ Log all access control failures
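The following is an added example, not code from the original page: a hypothetical in-memory router stands in for a real web framework so that the detection list above and the mitigations above can be shown against one target. `build_vulnerable_app` registers the listed admin paths with no check at all, `findings` is the probe that requests each path as a regular user and reports every 200, and `SecureApp` plus `require_roles` implement deny-by-default RBAC with server-side checks and logging of every denial. The `/legacy/export` route is a constructed case of a handler someone forgot to guard; the hardened router refuses to dispatch to it rather than silently allowing access.

```python
"""Missing function level access control: vulnerable router, the probe that
detects it, and a deny-by-default RBAC version. Added example; App, SecureApp
and User are hypothetical stand-ins for a real framework."""
import logging
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional, Set

log = logging.getLogger("authz")

# Candidate privileged endpoints, taken from the detection list above.
ADMIN_ENDPOINTS = ["/admin", "/admin/dashboard", "/api/admin/users",
                   "/manage", "/moderator", "/settings/delete"]

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)

@dataclass
class Response:
    status: int
    body: str = ""

class App:
    """Minimal router: path -> handler(user). No central authorization."""
    def __init__(self) -> None:
        self.routes: Dict[str, Callable] = {}

    def add(self, path: str, handler: Callable) -> None:
        self.routes[path] = handler

    def get(self, path: str, user: Optional[User] = None) -> Response:
        handler = self.routes.get(path)
        return handler(user) if handler else Response(404)

class SecureApp(App):
    """Deny by default: refuses to dispatch to any handler that was not
    wrapped by require_roles, so a forgotten check fails closed."""
    def get(self, path: str, user: Optional[User] = None) -> Response:
        handler = self.routes.get(path)
        if handler is None:
            return Response(404)
        if not getattr(handler, "_authz_policy", False):
            log.error("authz: %s has no policy, refusing request", path)
            return Response(403)
        return handler(user)

def require_roles(*allowed: str):
    """Server-side check on every call: 401 if anonymous, 403 (and logged)
    if the user holds none of the allowed roles."""
    def decorate(fn: Callable) -> Callable:
        @wraps(fn)
        def guarded(user: Optional[User]) -> Response:
            if user is None:
                log.warning("authz: anonymous -> %s denied", fn.__name__)
                return Response(401)
            if not user.roles & set(allowed):
                log.warning("authz: %s roles=%s needs %s -> %s denied",
                            user.name, sorted(user.roles), allowed, fn.__name__)
                return Response(403)
            return fn(user)
        guarded._authz_policy = True  # marks the route as explicitly governed
        return guarded
    return decorate

def admin_page(path: str) -> Callable:
    def handler(user: Optional[User]) -> Response:
        return Response(200, f"privileged content for {path}")
    handler.__name__ = f"handler[{path}]"
    return handler

def build_vulnerable_app() -> App:
    """The bug: handlers trust that the UI hides the admin links."""
    app = App()
    for path in ADMIN_ENDPOINTS:
        app.add(path, admin_page(path))
    return app

def build_hardened_app() -> SecureApp:
    app = SecureApp()
    for path in ADMIN_ENDPOINTS:
        roles = ("admin", "moderator") if path == "/moderator" else ("admin",)
        app.add(path, require_roles(*roles)(admin_page(path)))
    app.add("/legacy/export", admin_page("/legacy/export"))  # guard forgotten
    return app

def probe(app: App, user: Optional[User],
          paths: List[str] = ADMIN_ENDPOINTS) -> Dict[str, int]:
    """Request each candidate path as `user`; return path -> HTTP status."""
    return {p: app.get(p, user).status for p in paths}

def findings(app: App, user: Optional[User],
             paths: List[str] = ADMIN_ENDPOINTS) -> List[str]:
    """Paths that answer 200 to a user who holds no privileged role."""
    return sorted(p for p, s in probe(app, user, paths).items() if s == 200)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    alice = User("alice", {"user"})
    print("vulnerable:", findings(build_vulnerable_app(), alice))
    print("hardened:  ", findings(build_hardened_app(), alice))
```

Against a real target the probe is the same loop with an HTTP client and two sessions (regular user and admin), comparing status codes and response bodies per path and method; the design point on the mitigation side is that the policy check lives in the router, so a handler without a policy is unreachable instead of wide open.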