Missing Function Level Access Control

Function level access control vulnerabilities could result from insufficient protection of sensitive request handlers within an application. An application may simply hide access to sensitive actions, fail to enforce sufficient authorization for certain actions, or inadvertently expose an action through a user-controlled request parameter. These vulnerabilities could be much more complex and be the result of subtle edge-cases in the underlying application logic.

On GitHub.com we utilize a number of approaches to protect against function level access control vulnerabilities. These include things such as controller level access control checks using Rails’ filter chain as well as per-action access control checks where appropriate.

More about function level access vulnerabilities from OWASP’s Top 10:

Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.