Missing Function Level Access Control badge Missing Function Level Access Control


Function level access control vulnerabilities could result from insufficient protection of sensitive request handlers within an application. An application may simply hide access to sensitive actions, fail to enforce sufficient authorization for certain actions, or inadvertently expose an action through a user-controlled request parameter. These vulnerabilities could be much more complex and be the result of subtle edge-cases in the underlying application logic.

On GitHub.com we utilize a number of approaches to protect against function level access control vulnerabilities. These include things such as controller level access control checks using Rails’ filter chain as well as per-action access control checks where appropriate.

More about function level access vulnerabilities from OWASP’s Top 10:

Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.

Recently collected Missing Function Level Access Control bounties:

1 kamilhism 5000 pts Kamil Hismatullin Bypass OAuth access policy on GraphQL API
2 kamilhism 1000 pts Kamil Hismatullin Insufficient authorization check when previewing non-code files
3 not-an-aardvark 2000 pts Teddy Katz Insufficient token scope checks for Gist access via Git
4 Cache-Money 10000 pts Tanner Repository administrator privilege escalation via GitHub App installation
5 Abss0x7tbh 5000 pts Abss Claiming an organization invite without proving ownership of the invited email address