SCP05 Access Control
What this means
SiteShadow flagged access control/authorization patterns that appear missing, inconsistent, or bypassable. Authorization is "is this user allowed to do this action on this resource?" (not just "are they logged in?").
Why it matters
Unauthorized access can lead to data leakage or privilege escalation.
- IDOR/data leaks: users can access other users' objects by changing IDs (see CWE-286/CWE-863).
- Privilege escalation: normal users can call admin-only actions.
- Integrity loss: unauthorized edits and deletes.
Safer examples
1) Enforce object-level authorization (Python)
    def get_owned_doc(doc_id, current_user):
        # get_doc is the application's own loader; the check runs before the object is returned
        doc = get_doc(doc_id)
        if doc.owner_id != current_user.id:
            raise PermissionError("Forbidden")
        return doc
2) Centralize authorization
Use shared middleware/policies so every route is protected consistently.
3) Add negative tests for access control
Tests should assert "User A cannot access User B's data" and that admin-only endpoints reject normal users.
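The three practices above fit together: a single policy function decides "may this user do this action on this resource?", a decorator applies it to every handler so no route can forget it, and negative tests assert the denials. The following is an added illustration, not code from SiteShadow or from the original page; the in-memory User/Doc model, the action names (`doc:read`, `admin:list_users`) and the `authorize` decorator are all constructed for this example.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed in-memory model of users and documents (assumption for the example).
@dataclass
class User:
    id: int
    role: str = "user"

@dataclass
class Doc:
    id: int
    owner_id: int
    body: str

DOCS = {1: Doc(1, owner_id=10, body="alice's notes"),
        2: Doc(2, owner_id=20, body="bob's notes")}

class Forbidden(PermissionError):
    pass

# --- Centralized policy: the one place that answers the authorization question ---
def is_allowed(user, action, resource=None):
    if user.role == "admin":
        return True
    if action.startswith("doc:"):
        # object-level check: only the owner may read/edit/delete a document
        return resource is not None and resource.owner_id == user.id
    return False  # default deny: anything not explicitly granted is refused

def load_doc(doc_id):
    doc = DOCS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc

def authorize(action, loader=None):
    """Decorator applied to every handler so the policy check cannot be skipped."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            resource = loader(*args, **kwargs) if loader else None
            if not is_allowed(user, action, resource):
                raise Forbidden(f"{action} denied for user {user.id}")
            return fn(user, resource) if loader else fn(user, *args, **kwargs)
        return wrapper
    return deco

@authorize("doc:read", loader=load_doc)
def read_doc(user, doc):
    return doc.body

@authorize("admin:list_users")
def list_users(user):
    return sorted(d.owner_id for d in DOCS.values())

# --- Negative tests: assert the denials, not only the happy paths ---
def run_negative_tests():
    alice, bob, admin = User(10), User(20), User(99, role="admin")
    results = {"owner_can_read": read_doc(alice, 1) == "alice's notes"}
    try:
        read_doc(alice, 2)               # alice requests bob's document id
        results["cross_user_read_blocked"] = False
    except Forbidden:
        results["cross_user_read_blocked"] = True
    try:
        list_users(bob)                  # normal user calls an admin-only action
        results["admin_only_blocked"] = False
    except Forbidden:
        results["admin_only_blocked"] = True
    results["admin_allowed"] = list_users(admin) == [10, 20]
    return results

if __name__ == "__main__":
    print(run_negative_tests())
```

The decorator loads the object before the handler runs, so the policy always sees the real resource rather than a caller-supplied ID; the default-deny branch means a new action is refused until someone writes an explicit rule for it.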
How SiteShadow detects it (high level)
- Detects request-derived IDs used to load objects and checks for nearby permission checks.
- Flags sensitive operations that lack authorization gates.
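To make the first heuristic concrete, here is a much-simplified detector of the same shape, added for illustration and not SiteShadow's actual analysis: it walks a Python AST, finds loader calls (assumed names such as `get_doc`) whose argument is derived from `request`, and reports the enclosing function when nothing in it looks like an authorization gate. The sample handlers are constructed for the example.

```python
import ast

# Constructed sample source (not from the page): one handler checks ownership, one does not.
SAMPLE = '''
def show_doc(request):
    doc = get_doc(request.args["id"])
    if doc.owner_id != request.user.id:
        raise PermissionError("Forbidden")
    return doc.body

def delete_doc(request):
    doc = get_doc(request.args["id"])
    doc.delete()
    return "ok"

def health(request):
    return "ok"
'''

# Names whose presence we treat as evidence of an authorization gate (assumed set).
AUTH_HINTS = {"PermissionError", "Forbidden", "authorize", "require_permission", "abort"}

def _derives_from_request(node):
    """True if the expression is rooted in a variable named `request`."""
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        node = node.value
    return isinstance(node, ast.Name) and node.id == "request"

def _has_auth_gate(func):
    """Heuristic: a raise of, or call to, one of AUTH_HINTS anywhere in the function."""
    for node in ast.walk(func):
        if isinstance(node, ast.Raise) and node.exc is not None:
            exc = node.exc.func if isinstance(node.exc, ast.Call) else node.exc
            if isinstance(exc, ast.Name) and exc.id in AUTH_HINTS:
                return True
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in AUTH_HINTS):
            return True
    return False

def find_unchecked_loads(source, loaders=("get_doc", "get_object", "fetch")):
    """Return (function name, line) for request-derived loads with no nearby gate."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in loaders
                    and any(_derives_from_request(a) for a in node.args)
                    and not _has_auth_gate(func)):
                findings.append((func.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, line in find_unchecked_loads(SAMPLE):
        print(f"{name}: request-derived object load at line {line} without an authorization check")
```

The "nearby" test here is simply "same function", which is why centralizing checks in middleware (as recommended above) can produce false positives for a purely local scan; a real analyzer has to account for decorators and framework hooks as well.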
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---