R265. Restrict access to critical processes


The system must restrict access to system functions that execute critical business processes, it will only allow authorized users.


Systems must enforce access controls on trusted enforcement points. They must also have a clear definition of user privileges and roles. Functions that execute critical business processes should only be available for authenticated users with roles with enough privileges.


  1. CAPEC-13: Subverting Environment Variable Values. The attacker directly or indirectly modifies environment variables used by or controlling the target software.

  2. CWE-269: Improper Privilege Management The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  3. CWE-284: Improper Access Control The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  4. CWE-285: Improper Authorization The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  5. CWE-287: Improper Authentication When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  6. CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  7. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.

  8. NIST 800-53 IA-2 Identification and authentication: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

  9. OWASP Top 10 A5:2017-Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

  10. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.3) Verify enforcement of the principle of least privilege in functions, data files, URLs, controllers, services, and other resources. This implies protection against spoofing and elevation of privilege.

  11. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.

  12. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.5) Verify that attribute or feature-based access control is used whereby the code checks the user’s authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles.

  13. PCI DSS v3.2.1 - Requirement 6.5.8 Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).

  14. PCI DSS v3.2.1 - Requirement 8.7 Restrict access to any database so that only database administrators have the ability to directly access or query databases.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy