AD02 Broken Access Control
| Field | Value |
| --- | --- |
| Context | Someone interacts with a cloud application |
| Problem | Missing access control, broken or weak access control, and other authorization flaws in the cloud application |
| Solution | Follow the principle of least privilege; apply authorization; apply audit; apply Mandatory Access Control (MAC); apply Discretionary Access Control (DAC); apply Role-Based Access Control (RBAC); apply management of user sessions; secure user IDs and tokens; ensure proper file permissions; avoid path traversal |
| References | Broken Access Control [OWASP10] |
| Type | ns:type_ThreatPattern |
| Victim | su:comp_CloudApplication |
| Aggressor | su:comp_CloudApplication; su:comp_ExternalService; su:comp_RemoteUser |
| Aggr. role | ns:role_Client |
| STRIDE | ns:STRIDE_Elevation_of_Privilege |
| Threat | ns:threat_txUnauthorizedAccess; ns:threat_txInvokingUnauthorizedOperations; ns:threat_txBypassingControls; ns:threat_txLeveragingAuthorizationModel |