Missing Function Level Access Control
Description
Function level access control vulnerabilities could result from insufficient protection of sensitive request handlers within an application. An application may simply hide access to sensitive actions, fail to enforce sufficient authorization for certain actions, or inadvertently expose an action through a user-controlled request parameter. These vulnerabilities could be much more complex and be the result of subtle edge-cases in the underlying application logic.
On GitHub.com we utilize a number of approaches to protect against function level access control vulnerabilities. These include things such as controller level access control checks using Rails’ filter chain as well as per-action access control checks where appropriate.
More about function level access vulnerabilities from OWASP’s Top 10:
Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.
Recently collected Missing Function Level Access Control bounties:
| 1 |  |
6000 pts Choongwoo Han Unauthorized branch access using fork collaboration |
| 2 |  |
500 pts Jay Patel Bypassing rate limits |
| 3 |  |
500 pts @Abhishek8298 Lack of rate limiting of current password check for password resets |
| 4 |  |
1000 pts Lukas Reschke Missing sudo authentication for managing organization membership |
| 5 |  |
7500 pts Blake Burkhart Mercurial remote code execution in Importer |