HIGH CWE-862 Authentication & Authorization

CWE-862 in APIs

Scan for CWE-862

What is CWE-862?

CWE-862, officially titled "Missing Authorization," is a critical weakness where an application fails to perform authorization checks when a user requests access to a resource. This fundamental security flaw allows users to access data, functionality, or operations they should not be permitted to access, simply because the system never verifies whether they have the right to do so.

The weakness manifests when developers assume that authentication alone is sufficient for security. While authentication confirms who a user is, authorization determines what they can do. Without proper authorization checks, authenticated users can bypass business logic and access resources belonging to other users, administrative functions, or sensitive data.

In practice, CWE-862 appears as missing permission checks before database queries, unprotected administrative endpoints, or absent validation of user ownership over resources. The impact ranges from data leakage and privilege escalation to complete account takeover, making it one of the most dangerous API vulnerabilities.

CWE-862 in API Contexts

APIs are particularly vulnerable to CWE-862 due to their stateless nature and the way they handle resource identifiers. Unlike traditional web applications with complex navigation flows, APIs often expose direct resource access through predictable URL patterns and HTTP methods.

Common manifestations in APIs include:

  • Missing authorization in REST endpoints that retrieve user-specific data (GET /api/users/{id}/profile)
  • Unprotected administrative operations (POST /api/admin/disable-user)
  • Insufficient validation of resource ownership (PUT /api/orders/{orderId}/update)
  • Missing role-based access controls on business logic endpoints
  • Failure to verify user permissions for CRUD operations

API-specific risk factors include predictable resource identifiers (sequential IDs, UUIDs), lack of rate limiting enabling enumeration attacks, and the absence of UI-based access controls that might exist in web applications. Attackers can exploit these weaknesses by simply guessing valid resource identifiers or accessing endpoints directly without proper authentication context.

The distributed nature of modern API architectures also amplifies this risk. Microservices might implement authorization correctly in isolation, but missing cross-service authorization checks can create attack vectors where authenticated users traverse service boundaries to access unauthorized data.

Detection

Detecting CWE-862 requires systematic testing of authorization controls across all API endpoints. Manual testing involves attempting to access resources with different user accounts, including attempting to access other users' data, administrative functions with regular accounts, and protected operations without proper permissions.

Automated detection approaches include:

  • Authorization matrix testing: systematically testing each endpoint with accounts of varying privilege levels
  • Resource enumeration: attempting to access sequential or predictable resource identifiers across user accounts
  • Parameter manipulation: modifying request parameters to access unauthorized resources
  • Method-level testing: verifying that HTTP methods respect authorization (GET vs DELETE on same resource)

middleBrick's scanning approach specifically targets CWE-862 through its BOLA (Broken Object Level Authorization) and Privilege Escalation checks. The scanner tests authenticated endpoints with randomized user contexts to identify missing authorization controls. For example, when scanning an endpoint like GET /api/users/{userId}/orders, middleBrick will attempt to access orders belonging to different users to verify proper authorization.

The scanner's black-box approach tests the actual runtime behavior without requiring source code access. It identifies endpoints that return data without proper authorization verification, detects predictable resource identifiers that enable enumeration, and flags administrative endpoints accessible without elevated privileges. middleBrick's parallel scanning architecture tests all 12 security categories simultaneously, providing comprehensive coverage of authorization weaknesses alongside other API security concerns.

Additional detection techniques include static analysis of code to identify missing authorization checks, dynamic analysis with authorization fuzzing tools, and runtime monitoring for anomalous access patterns that might indicate authorization bypass attempts.

Remediation

Effective remediation of CWE-862 requires implementing defense-in-depth authorization controls throughout the API architecture. The foundation is a robust authorization framework that validates permissions before every sensitive operation.

Code-level remediation examples:

// INSECURE - Missing authorization check
app.get('/api/users/:userId/orders', async (req, res) => {
    const orders = await Order.find({ userId: req.params.userId });
    res.json(orders);
});

// SECURE - Proper authorization with resource ownership verification
app.get('/api/users/:userId/orders', async (req, res) => {
    // Verify user is accessing their own data or has admin privileges
    if (req.user.id !== req.params.userId && !req.user.isAdmin) {
        return res.status(403).json({ error: 'Forbidden' });
    }
    
    const orders = await Order.find({ userId: req.params.userId });
    res.json(orders);
});

// Using middleware for reusable authorization checks
const authorizeResource = (resourceType, resourceIdParam = 'id') => {
    return async (req, res, next) => {
        const resource = await getResourceById(
            resourceType, 
            req.params[resourceIdParam]
        );
        
        // Check ownership or role-based permissions
        if (resource.userId !== req.user.id && !req.user.permissions.includes(`manage:${resourceType}`)) {
            return res.status(403).json({ error: 'Insufficient permissions' });
        }
        
        next();
    };
};

// Apply authorization middleware to protected endpoints
app.get('/api/orders/:id', 
    authorizeResource('order'), 
    async (req, res) => {
        const order = await Order.findById(req.params.id);
        res.json(order);
    }
);

Best practices for authorization remediation:

  • Implement role-based access control (RBAC) or attribute-based access control (ABAC) consistently
  • Verify resource ownership for all user-specific data access
  • Protect administrative endpoints with multi-factor authorization
  • Implement the principle of least privilege throughout the system
  • Use middleware or decorators to centralize authorization logic
  • Log authorization failures for security monitoring
  • Regularly audit authorization controls as part of security testing

middleBrick's remediation guidance provides specific recommendations for each detected authorization weakness, including code examples and configuration changes tailored to your API's technology stack. The scanner's continuous monitoring capabilities in Pro plans help ensure that new endpoints don't reintroduce authorization vulnerabilities as your API evolves.

Detect CWE-862 in your APIs View all CWEs

Frequently Asked Questions

How does CWE-862 differ from authentication bypass vulnerabilities?
CWE-862 involves missing authorization checks even when authentication succeeds, while authentication bypass allows attackers to access the system without proper credentials. With CWE-862, attackers are already authenticated but lack proper permission verification to access specific resources or perform certain operations.
Can middleBrick detect all instances of CWE-862 in my API?
middleBrick's black-box scanning effectively identifies many CWE-862 instances through systematic testing of authenticated endpoints, but it cannot guarantee 100% coverage. Complex authorization logic involving business rules, external services, or contextual permissions may require additional manual testing and code review to fully validate authorization controls.