A7 – Missing Function-level Access Control
This feature has to do with authorization, as it happened with other previous features. The problem here is accessing some parts of the application for which the user is not authorized, for instance, a non-administrator user accessing the private wage records of the rest of the company). As usual, the official documentation states the problem precisely:
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
The symptoms can vary: the UI showing links to unauthorized functionality, authentication, and/or authorization checks missing in the server or even the server not checking the identity of requests, and so on.
OWASP exemplifies this type of attack...
