Language: ruby
Severity: high
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User-controlled input (such as params or cookies) is passed directly to a model finder method (find, find_by, where, and similar) without being scoped to the current user. The record ID then becomes the only check between the requester and the record, so an attacker can reach records they should not be able to see simply by changing the ID in the request (an insecure direct object reference).
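The following is an added example, not code from the original rule page. It uses a constructed in-memory stand-in for an ActiveRecord model (Invoice, a fixed INVOICES list, and the two controller-style methods are all assumptions made here) so that the difference between an unscoped `Invoice.find(params[:id])` and the scoped `current_user.invoices.find(params[:id])` pattern can be run without Rails:

```ruby
# Added example: minimal stand-in for an ActiveRecord-style model so the
# scoping difference runs without Rails. Invoice, INVOICES, RecordNotFound and
# the controller methods below are all constructed for this illustration.

class RecordNotFound < StandardError; end

Invoice = Struct.new(:id, :user_id, :amount)

# Constructed fixture: two users (10 and 20), each owning one invoice.
INVOICES = [
  Invoice.new(1, 10, 100),
  Invoice.new(2, 20, 250)
].freeze

# Mimics Invoice.find(id): a global lookup with no ownership check.
def find_invoice_unscoped(id)
  INVOICES.find { |inv| inv.id == Integer(id) } or
    raise RecordNotFound, "Invoice #{id}"
end

# Mimics current_user.invoices.find(id): the lookup is restricted to rows
# owned by the current user, so a foreign ID behaves exactly like a missing one.
def find_invoice_scoped(current_user_id, id)
  INVOICES.find { |inv| inv.user_id == current_user_id && inv.id == Integer(id) } or
    raise RecordNotFound, "Invoice #{id} for user #{current_user_id}"
end

# Vulnerable controller action (CWE-639): params[:id] is trusted as-is.
def show_vulnerable(_current_user_id, params)
  find_invoice_unscoped(params[:id])
end

# Fixed controller action: same params, but the query is scoped to the
# authenticated user. In Rails this is current_user.invoices.find(params[:id]),
# which raises ActiveRecord::RecordNotFound (rendered as 404) for foreign IDs.
def show_fixed(current_user_id, params)
  find_invoice_scoped(current_user_id, params[:id])
end

# Demonstrates the bypass: user 10 requests invoice 2, which belongs to user 20.
def demo
  params = { id: "2" }                     # attacker edits the ID in the URL
  leaked = show_vulnerable(10, params)     # unscoped: returns user 20's invoice
  blocked = begin
    show_fixed(10, params)                 # scoped: the record is not visible
    :leaked
  rescue RecordNotFound
    :not_found
  end
  { leaked_user_id: leaked.user_id, scoped: blocked }
end
```

The scoped version does not need a separate "does this belong to me?" check after the lookup; building the query from the current user's association means a foreign ID can never match, which is the property the rule is looking for.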

Impact

If exploited, an attacker could read or manipulate sensitive records belonging to other users by guessing or iterating through IDs, which is trivial when IDs are sequential integers. This could expose personal, financial, or confidential information, leading to data breaches and loss of user trust.