Professional Documents
Culture Documents
Wa0019.
Wa0019.
Explained
1. Broken access control
Access controls define how users interact with data and resources including what they can read or
edit. A broken access control vulnerability exists when a user has the ability to interact with data in
a way that they don’t need. For example, if a user should only be able to read payment details but
can actually edit them, this is a broken access control. Malicious actors use this vulnerability to gain
unauthorized access to systems, networks, and software. They can then escalate the privileges, give
the user ID additional access within the ecosystem, to negatively impact data confidentiality,
integrity, or availability.
2. Broken authentication
Broken authentication vulnerabilities also focus on user access. However, in this case, malicious
actors compromise the information that confirms a user’s identity, such as by stealing passwords,
keys, or session tokens. The malicious actor gains unauthorized access to the systems, networks,
and software because the company failed to adequately set appropriate identity and access
management controls.
7. Credentials management
User credentials consist of a user ID and password. To gain access to an application, the user must
input both pieces of information into the login page. The application compares this data to that
stored in its database. If both pieces match, then it grants the user access. However, databases often
store this information in plaintext or use weak encryption. Poor credentials management makes it
easy for attackers to steal credentials and use them to gain access to web applications.