CCSP Exam: Understanding Unvalidated Authorization in Applications

Unvalidated Authorization in Applications

Question

Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it?

Answers

A. Cross-site request forgery
B. Missing function-level access control
C. Injection
D. Cross-site scripting

Explanations

B.

It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized.

Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted.

An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

Cross-site request forgery occurs when an attacker forces an authenticated user to send forged requests to an application, which are then executed under that user's own access and credentials.

The correct answer is B. Missing function-level access control.

Missing function-level access control is a type of security vulnerability where an application does not validate a user's authorization for portions of the application beyond the initial point of entry. This means that once a user gains access to a particular function within the application, they may be able to perform other unauthorized actions within the application that they should not have access to.

For example, consider an online shopping application where users can view their order history, change their shipping address, and view their payment details. If the application does not properly validate a user's authorization for each of these functions, a user who gains access to the order history page may also be able to change their payment details or shipping address, even if they are not authorized to do so.
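To make the distinction concrete, here is an added example (not part of the exam material) of a toy request dispatcher in two forms: one that only checks that a session exists when the request enters the application, and one that re-checks the caller's role for each function. The session table, route names and roles are constructed for the example.

```python
"""Entry-only authorization versus per-function authorization (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed session table: token -> (user, role). Not real data.
SESSIONS = {"tok-alice": ("alice", "customer"), "tok-root": ("root", "admin")}


@dataclass
class Request:
    path: str
    token: Optional[str]


def order_history(user):
    return 200, f"orders for {user}"


def list_all_users(user):
    return 200, "all users"


# Each function declares the roles allowed to call it; the secure
# dispatcher enforces this on every request, not just at login.
ROUTES = {
    "/orders": (order_history, {"customer", "admin"}),
    "/admin/users": (list_all_users, {"admin"}),
}


def dispatch_vulnerable(req: Request):
    """Missing function-level access control: only the entry check exists."""
    if req.token not in SESSIONS:
        return 401, "login required"
    user, _role = SESSIONS[req.token]
    handler, _required = ROUTES.get(req.path, (None, None))
    if handler is None:
        return 404, "not found"
    return handler(user)  # any logged-in user reaches any function


def dispatch_secure(req: Request):
    """Authorization is validated again for each function that is accessed."""
    if req.token not in SESSIONS:
        return 401, "login required"
    user, role = SESSIONS[req.token]
    handler, required = ROUTES.get(req.path, (None, None))
    if handler is None:
        return 404, "not found"
    if role not in required:
        return 403, "forbidden"  # authenticated, but not authorized here
    return handler(user)
```

With the vulnerable dispatcher, the "customer" session reaches the admin-only function; with the secure one it receives 403 while its own order history still works.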

On the other hand, cross-site request forgery (A) is a type of attack where an attacker tricks a user into performing an unintended action on a web application on behalf of the attacker. Injection (C) refers to vulnerabilities that allow an attacker to inject malicious code into an application to manipulate or access sensitive data. Cross-site scripting (D) involves an attacker injecting malicious code into a website to steal user data or gain unauthorized access to the website. These threat types do not directly relate to the issue of missing function-level access control.