CCSP Exam: Understanding Unvalidated Authorization Threats

Unvalidated Authorization Threats

Question

Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?

Answers

Explanations

B.

An application must check authorization every time a function or portion of the application is accessed, not only at login or when the navigation is rendered. Hiding a link or button from unprivileged users is not a control: the URL or API endpoint behind it is still reachable.

Without a check inside each function, an attacker who knows or guesses the endpoint can send a direct request to a portion of the application for which authorization was never granted.

The correct answer is B. Missing function-level access control.

Missing function-level access control (listed as A7 in the OWASP Top 10 of 2013 and folded into Broken Access Control in later editions) occurs when an application fails to enforce, at the function or endpoint itself, which authenticated users are allowed to invoke it. Authentication proves who the user is; authorization must still be decided for each function the user calls. When that decision is missing, a user can perform unauthorized actions simply by requesting the function directly. The result can be sensitive data exposure, unauthorized data modification, privilege escalation to administrative features, and a host of other security risks.

For example, a user logs into an online banking application with valid credentials and is shown only ordinary customer functions, such as viewing a balance or transferring money between their own accounts. If the application is vulnerable to missing function-level access control, that same user can call staff-only functions directly, for instance an administrative endpoint that lists or modifies other customers' accounts, because nothing in the function verifies the caller's role. Reading or moving funds from another user's account by changing an account identifier in an otherwise permitted request is the closely related object-level flaw (insecure direct object reference); both are failures to authorize each request, and both are grouped under Broken Access Control.
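The banking scenario above as working code, added here as an example and not taken from the exam page or any real product. A framework-free dispatcher stands in for a web router so the file runs offline; the routes, roles, user names and account numbers are all constructed for the illustration. The vulnerable version only decides authorization when it builds the menu, while the hardened version enforces a role check (function-level) and an ownership check (object-level) inside each handler.

```python
"""Missing function-level access control: vulnerable vs hardened dispatcher.

Added example, not from the exam page. Everything here is hypothetical:
routes, roles, users and account identifiers are constructed sample data.
"""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Session:
    user: str
    role: str  # "user" or "admin"


@dataclass
class Request:
    path: str
    session: Session
    params: dict = field(default_factory=dict)


# Constructed sample data: which account belongs to which user.
ACCOUNTS = {"acct-100": "alice", "acct-200": "bob"}


# --- Vulnerable application -------------------------------------------------
# Authorization is decided once, when the menu is rendered: non-admins do not
# see the link to /admin/delete_user. The handler never re-checks, so a user
# who knows or guesses the URL can call it directly.

def vuln_menu(session):
    links = ["/account/balance", "/account/transfer"]
    if session.role == "admin":
        links.append("/admin/delete_user")  # the only "protection": hiding the link
    return links


def vuln_delete_user(req):
    return f"deleted {req.params['target']}"  # no role check at all


def vuln_balance(req):
    # Object-level flaw: trusts the account id in the request, never checks ownership.
    return f"balance of {req.params['account']}"


VULN_ROUTES = {"/admin/delete_user": vuln_delete_user, "/account/balance": vuln_balance}


def vuln_dispatch(req):
    return VULN_ROUTES[req.path](req)


# --- Hardened application ---------------------------------------------------
# Every handler enforces its own check; the check belongs to the function,
# not to the navigation that leads to it.

class Forbidden(Exception):
    pass


def require_role(role):
    """Function-level check: the caller's session role must match."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req):
            if req.session.role != role:
                raise Forbidden(f"{req.path} requires role {role}")
            return handler(req)
        return wrapper
    return decorator


def require_account_owner(handler):
    """Object-level check: the account named in the request must belong to the caller."""
    @wraps(handler)
    def wrapper(req):
        if ACCOUNTS.get(req.params.get("account")) != req.session.user:
            raise Forbidden("account not owned by caller")
        return handler(req)
    return wrapper


@require_role("admin")
def safe_delete_user(req):
    return f"deleted {req.params['target']}"


@require_account_owner
def safe_balance(req):
    return f"balance of {req.params['account']}"


SAFE_ROUTES = {"/admin/delete_user": safe_delete_user, "/account/balance": safe_balance}


def safe_dispatch(req):
    return SAFE_ROUTES[req.path](req)


def forged_request_outcomes():
    """Replay the same forged requests from an ordinary user against both
    applications and return (vulnerable_results, hardened_results)."""
    bob = Session(user="bob", role="user")
    forged = [
        Request("/admin/delete_user", bob, {"target": "alice"}),   # function-level
        Request("/account/balance", bob, {"account": "acct-100"}),  # object-level
    ]
    vulnerable = [vuln_dispatch(r) for r in forged]
    hardened = []
    for r in forged:
        try:
            hardened.append(safe_dispatch(r))
        except Forbidden as e:
            hardened.append(f"403 {e}")
    return vulnerable, hardened


if __name__ == "__main__":
    print("menu seen by bob:", vuln_menu(Session("bob", "user")))
    v, h = forged_request_outcomes()
    print("vulnerable:", v)
    print("hardened:  ", h)
```

The point to notice is that `bob` never sees the admin link in either version, yet the vulnerable dispatcher still executes `delete_user` and returns another customer's balance; the fix is the decorator on the handler, not a better-hidden menu.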

The other answer choices are also common web application vulnerabilities, but none of them describes an application that skips authorization checks on its own functions:

  • Injection occurs when untrusted input reaches an interpreter and is executed as part of a command or query rather than treated as data. Examples include SQL injection, LDAP injection and XML injection.
  • Cross-site request forgery (CSRF) forces an authenticated user's browser to submit a request the user did not intend, relying on the browser automatically attaching the session cookie. For example, a crafted page can silently submit a form on the target site while the victim is logged in.
  • Cross-site scripting (XSS) injects attacker-controlled script into a web page viewed by other users. The script runs in the victim's browser and can steal session cookies or credentials, or perform actions on the victim's behalf.

It is important for web developers and security professionals to be aware of all these types of vulnerabilities and implement appropriate measures to mitigate them.