CWE-285: Improper Authorization
Overview
This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application failed to enforce proper authorization boundaries, allowing authenticated users to perform actions beyond their privilege level. Evidence includes successful execution of administrative functions by non-admin users, horizontal privilege escalation (accessing other users' data), or vertical privilege escalation (gaining elevated permissions). Responses show successful state changes (DELETE, PUT operations) or data access that should be restricted.
Analyzing the Dynamic Scan Result
What the DAST Scanner Found
DAST findings commonly show that authenticated users can invoke privileged or state-changing actions without the required per-action or per-object authorization checks.
When reviewing your security scan results, you'll see:
HTTP Request Details
- URL and endpoint that triggered the finding
- HTTP method (GET, POST, etc.)
- Query parameters or form data with test payloads
- Request headers and body content
HTTP Response Evidence
- Response showing that the action succeeded for a principal who should not have been able to perform it (2xx status, a changed record, or another user's data in the body)
- Evidence of missing or incorrect action-level authorization
- Runtime behavior indicators
Attack Vector
- Which parameter or input is vulnerable
- Type of exploitation possible
- Context where the vulnerability appears
Mapping DAST Findings to Source Code
Find the Vulnerable Endpoint
Use the HTTP request URL to locate the code:
# Search for privileged operations
grep -r "/api/delete" src/
grep -r "/api/update" src/
grep -r "/api/approve" src/
grep -r "@PostMapping" src/
Locate Authorization Checks
Common patterns to search for:
- Python Flask/Django: Authorization decorators, permission checks
- Node.js Express: Middleware authorization
- Java Spring: Method security, @PreAuthorize
- ASP.NET: Action filters, policy-based authorization
- PHP: Role/permission checks before actions
Find Action Authorization
Search for privilege checks:
# Find authorization logic
grep -r "can_delete" src/
grep -r "is_owner" src/
grep -r "hasPermission" src/
grep -r "authorize" src/
Trace to Vulnerable Operation
Look for missing authorization on:
- State-changing operations: DELETE, PUT, POST without ownership checks
- Privilege escalation: Users performing admin actions
- Business logic bypass: Approving own requests, changing order status
- Mass assignment: Modifying fields that should be read-only
- Forced browsing: Accessing functions by guessing URLs
Remediation
Core Principle: Never infer authorization from authentication, role, or prior checks; every security-sensitive action must be explicitly authorized against the specific resource and operation being performed.
- Authorization must be evaluated at the point of action execution, not assumed from route access
- Authorization checks must bind actor, action, and resource together
- Authorization decisions must not be reusable across different operations
→ For comprehensive remediation guidance, see Static CWE-285 Guidance
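The following is an added example, not code from the original page or from any project it references. It shows the core principle above in working Python: a deny-by-default authorize() that takes the actor, the named action and the concrete resource in one call, with one handler in its vulnerable form (authentication only, the rest inferred) beside the fixed form that calls authorize() at the point of action execution. The users, orders, requests, action names and the PROFILE_WRITABLE allow-list are constructed for illustration.

```python
"""Added example (not from the original page): explicit per-action, per-object
authorization. Sample users, orders, requests and action names are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the actor may not perform the action on the resource."""


@dataclass
class User:
    id: int
    role: str = "user"        # "user" or "admin"


@dataclass
class Order:
    id: int
    owner_id: int


@dataclass
class Request:
    id: int
    requester_id: int
    approved: bool = False


# Constructed sample data: user 1 is an admin, users 2 and 3 are ordinary users.
USERS = {1: User(1, "admin"), 2: User(2), 3: User(3)}
ORDERS = {456: Order(456, owner_id=2)}
REQUESTS = {123: Request(123, requester_id=2)}

# Profile fields a user may write. Anything else (role, is_active) is rejected
# outright rather than silently dropped, so mass-assignment attempts are visible.
PROFILE_WRITABLE = {"display_name", "email"}


def authorize(actor: User, action: str, resource) -> None:
    """One decision per (actor, action, resource). No rule matches -> Forbidden."""
    if action == "order.delete":
        if actor.role == "admin" or actor.id == resource.owner_id:
            return
    elif action == "request.approve":
        # Separation of duties: only admins approve, and never their own request.
        if actor.role == "admin" and actor.id != resource.requester_id:
            return
    elif action == "profile.update":
        if actor.id == resource.id:
            return
    raise Forbidden(f"user {actor.id} may not perform {action} on {resource!r}")


def approve_request_vulnerable(actor_id: int, request_id: int, store=REQUESTS) -> Request:
    """Before the fix: the route requires a login and infers everything else from it."""
    USERS[actor_id]                  # authentication happened, nothing more
    req = store[request_id]
    req.approved = True              # any authenticated user approves any request
    return req


def approve_request(actor_id: int, request_id: int, store=REQUESTS) -> Request:
    """After the fix: authorization is evaluated where the state change happens."""
    actor, req = USERS[actor_id], store[request_id]
    authorize(actor, "request.approve", req)
    req.approved = True
    return req


def delete_order(actor_id: int, order_id: int, store=ORDERS) -> None:
    actor, order = USERS[actor_id], store[order_id]
    authorize(actor, "order.delete", order)   # ownership bound to this object
    del store[order_id]


def update_profile(actor_id: int, target_id: int, fields: dict) -> dict:
    actor, target = USERS[actor_id], USERS[target_id]
    authorize(actor, "profile.update", target)
    unexpected = set(fields) - PROFILE_WRITABLE
    if unexpected:
        raise Forbidden(f"read-only fields in request: {sorted(unexpected)}")
    return dict(fields)


def denied(fn, *args) -> bool:
    """True if the call was refused by authorization (used for self-checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("unfixed: user 3 approves user 2's request ->",
          approve_request_vulnerable(3, 123, {123: Request(123, requester_id=2)}).approved)
    print("fixed:   user 3 approves user 2's request -> denied:",
          denied(approve_request, 3, 123, {123: Request(123, requester_id=2)}))
    print("fixed:   user 2 sets role=admin on own profile -> denied:",
          denied(update_profile, 2, 2, {"role": "admin"}))
```

Note that the decision for "request.approve" is not reusable for "order.delete": each action name has its own rule, and the admin role alone is not enough when the resource is the actor's own request. In a real framework the same authorize() call sits behind the decorator, middleware or @PreAuthorize expression, but the handler must still pass the loaded object, not just the route.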
Language-Specific Guidance
The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:
Verification and Follow-Up Testing
After applying the fix:
Reproduce the Vulnerability
Re-send the requests from the scanner report and confirm they are now rejected: 401 when no credentials are supplied, 403 (or 404, if the application hides resource existence) when the caller is authenticated but not authorized. Because this finding is about authorization, the requests sent with a valid low-privilege token are the ones that matter.
# Unauthenticated requests to privileged operations
curl -i -X DELETE "http://localhost:3000/api/users/1"
curl -i -X POST "http://localhost:3000/api/approve/123"
# Same operations with a valid low-privilege user token
curl -i -H "Authorization: Bearer user_token" -X DELETE "http://localhost:3000/admin/delete/999"
Verify the Fix
- Confirm all state-changing operations check authorization
- Verify ownership validation for modifications
- Check role/permission requirements enforced
- Ensure business logic controls cannot be bypassed
- Test horizontal privilege escalation prevented
Test Edge Cases
# Delete/modify without authorization
DELETE /api/users/123
PUT /api/orders/456/status?status=shipped
# Privilege escalation
POST /api/users/1/promote # Make self admin
POST /api/approve/own-request
# Mass assignment
PUT /api/profile?role=admin&is_active=true
# Function-level access control
/admin/deleteUser
/api/internalOnly
# Or use browser DevTools Network tab to copy as cURL
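The checks under Verify the Fix and the edge cases above are easiest to keep honest as a regression matrix that is re-run after every change. The block below is an added example, not part of the original page: each row pairs a principal with one of the requests above and the status codes the fixed application may return. Negative rows prove each escalation path is closed; positive rows (the owner deleting their own order, the admin approving) prove the fix did not simply break legitimate access, which a denial-only test would miss. The hostname, paths, token values and the two in-process stubs are assumptions so the matrix can run offline; against a live target, pass http_sender("localhost:3000") to run_matrix.

```python
"""Added example (not from the original page): an authorization regression matrix.
Hostname, paths, tokens and the stub applications are constructed assumptions."""
import http.client
from typing import Callable, Optional

# Constructed principals. Replace the token values with real ones for your app.
TOKENS = {
    "anonymous": None,
    "user_2": "user2_token",   # owns order 456 and submitted request 123
    "user_3": "user3_token",   # unrelated low-privilege user
    "admin": "admin_token",
}

# (principal, method, path, acceptable statuses). Rows that mutate state are
# ordered so the owner's delete of order 456 comes after the other 456 rows;
# run mutating rows against a fresh fixture each time.
MATRIX = [
    ("anonymous", "DELETE", "/api/orders/456", {401}),
    ("user_3", "DELETE", "/api/orders/456", {403, 404}),                 # horizontal
    ("user_2", "PUT", "/api/orders/456/status?status=shipped", {403}),   # business logic
    ("user_2", "DELETE", "/api/orders/456", {200, 204}),                 # owner, must work
    ("user_3", "POST", "/api/approve/123", {403}),                       # vertical
    ("user_2", "POST", "/api/approve/123", {403}),                       # own request
    ("admin", "POST", "/api/approve/123", {200}),
    ("user_2", "PUT", "/api/profile?role=admin&is_active=true", {400, 403}),  # mass assignment
    ("user_3", "GET", "/admin/deleteUser", {401, 403, 404}),             # forced browsing
]

Sender = Callable[[str, str, Optional[str]], int]


def http_sender(host: str) -> Sender:
    """Real transport: send one request over HTTP and return the status code."""
    def send(method: str, path: str, token: Optional[str]) -> int:
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        conn = http.client.HTTPConnection(host, timeout=5)
        try:
            conn.request(method, path, headers=headers)
            return conn.getresponse().status
        finally:
            conn.close()
    return send


def run_matrix(send: Sender) -> list:
    """Return the rows whose observed status is outside the acceptable set."""
    failures = []
    for principal, method, path, expected in MATRIX:
        status = send(method, path, TOKENS[principal])
        if status not in expected:
            failures.append((principal, method, path, status, sorted(expected)))
    return failures


def stub_fixed_app(method: str, path: str, token: Optional[str]) -> int:
    """Constructed stand-in for a correctly fixed app, so the matrix runs offline."""
    if token is None:
        return 401
    if token == "admin_token":
        return 200
    if token == "user2_token" and method == "DELETE" and path == "/api/orders/456":
        return 204
    return 403


def stub_unfixed_app(method: str, path: str, token: Optional[str]) -> int:
    """Constructed stand-in for the vulnerable app: every action succeeds."""
    return 200


if __name__ == "__main__":
    for name, stub in (("fixed", stub_fixed_app), ("unfixed", stub_unfixed_app)):
        failures = run_matrix(stub)
        print(f"{name}: {len(failures)} failing row(s)")
        for row in failures:
            print("   ", row)
```

Against the unfixed stub every denial row fails while the two positive rows pass, which is exactly the signal the DAST finding reported; against the fixed stub the matrix is empty. Keep the matrix next to the application's other integration tests so a later refactor that drops a check is caught before the next scan.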
Re-run DAST Scanner
Run your dynamic scanner again on the fixed endpoint to confirm remediation.