R035. Manage privilege modifications

This document details the security guidelines and requirements related to the administration of the system. The objective of this requirement is to establish the importance of implementing measures that prevent system actors from increasing their own privileges.

Requirement

The system must not allow system actors to modify privileges for themselves.

Description

Systems should usually have a set of roles with different levels of privilege for accessing resources. The privileges of each role must be clearly defined and the role of each user should also be clearly stated. Furthermore, users should not be allowed to modify their own privileges, as this could be leveraged to access otherwise restricted functionalities and resources.
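
One way to enforce this requirement on the server side, as an added example that is not part of the original page or the vendor's own code. It goes slightly beyond the direct case by also refusing the indirect path, where an actor edits the permissions of the role they already hold; the class, the role names and the `manage_roles` permission are hypothetical.

```python
from dataclasses import dataclass, field

class PrivilegeError(Exception):
    """Raised when a privilege change is refused."""

@dataclass
class AccessControl:
    roles: dict = field(default_factory=dict)  # role name -> set of permissions
    users: dict = field(default_factory=dict)  # canonical user id -> role name

    @staticmethod
    def _canon(user_id: str) -> str:
        # Compare identities in one canonical form so "Alice " and "alice"
        # cannot be treated as two different actors.
        return user_id.strip().casefold()

    def _require(self, actor: str, permission: str) -> str:
        actor = self._canon(actor)
        role = self.users.get(actor)
        if role is None or permission not in self.roles.get(role, set()):
            raise PrivilegeError(f"{actor} lacks {permission}")
        return actor

    def assign_role(self, actor: str, target: str, new_role: str) -> None:
        actor = self._require(actor, "manage_roles")
        target = self._canon(target)
        if new_role not in self.roles or target not in self.users:
            raise PrivilegeError("unknown role or user")
        if actor == target:
            raise PrivilegeError("actors cannot change their own role")
        self.users[target] = new_role

    def grant_permission(self, actor: str, role: str, permission: str) -> None:
        actor = self._require(actor, "manage_roles")
        if role not in self.roles:
            raise PrivilegeError("unknown role")
        # Indirect path: editing the role the actor holds changes the
        # actor's own privileges just as a direct assignment would.
        if self.users[actor] == role:
            raise PrivilegeError("actors cannot edit the role they hold")
        self.roles[role].add(permission)

def build_sample() -> AccessControl:
    # Constructed sample data: two role managers and one ordinary user.
    return AccessControl(
        roles={"admin": {"manage_roles", "read"},
               "manager": {"manage_roles", "read"}, "viewer": {"read"}},
        users={"alice": "manager", "bob": "admin", "carol": "viewer"},
    )
```

The checks run on the server for every request, with the actor taken from the authenticated session rather than from a field the client supplies.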

References

  1. CWE-267: Privilege Defined With Unsafe Actions. A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

  2. CWE-269: Improper Privilege Management. The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  3. OWASP-ASVS v4.0.1 V4.1 General Access Control Design. (4.2.3) Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.

