Missing Function Level Access Control vulnerability for Forgot Username navigation
Hi,

Last week our security team did one vulnerability scan for one of our client-facing applications. In the report, for the hyperlink ‘Forgot Username’ on the login page, they found one high-risk vulnerability which reads:

‘Missing Function Level Access Control. The remote web application fails to apply function level access control. This allows a low-privileged or unprivileged user to access restricted functionality in the application. Authorization must be checked for all privileged functions in the application. The following URLs are unrestricted: /ForgotUserName’

This is configured in the deeplink having Admin, Guest and User access to that microflow. Any suggestion or idea to mitigate this would be greatly appreciated.

Thanks,
Soumya Bindhani
Soumya Ranjan Bindhani
Your security team might be wrong. Looking at the definition of their issue: ‘ ... to access restricted functionality in the application.’ A ForgotUserName link is, by definition, not ‘restricted functionality in the application’.
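As an added example (not code from this thread, and not Mendix's own implementation), here is the distinction the answer draws made explicit: a constructed access table with the page's Admin/User/Guest roles, a deny-by-default server-side check, and an audit that reports only privileged functions reachable by Guest, so a public self-service link such as /ForgotUserName is not flagged. The paths other than /ForgotUserName and the `privileged` flag are assumptions for illustration.

```python
# Added example (not from the original thread): minimal function-level
# access control table in the spirit of a deep link -> microflow setup,
# plus an audit that distinguishes intentionally public functions from
# privileged functions that are wrongly reachable without the right role.
from dataclasses import dataclass

ROLES = {"Admin", "User", "Guest"}   # Guest = unauthenticated visitor


@dataclass(frozen=True)
class Function:
    path: str
    allowed_roles: frozenset   # roles permitted to call this function
    privileged: bool           # acts on data/functions beyond the caller's own


# Constructed access table. /ForgotUserName is a self-service function that
# must be reachable before login, so granting Guest there is intentional.
ACCESS_TABLE = {
    "/ForgotUserName":  Function("/ForgotUserName",
                                 frozenset({"Admin", "User", "Guest"}), False),
    "/ChangePassword":  Function("/ChangePassword",
                                 frozenset({"Admin", "User"}), True),
    "/AdminUserList":   Function("/AdminUserList",
                                 frozenset({"Admin"}), True),
    # Deliberately misconfigured entry (hypothetical) showing a real finding:
    "/AdminExportUsers": Function("/AdminExportUsers",
                                  frozenset({"Admin", "Guest"}), True),
}


def is_authorized(path, role):
    """Server-side check to run on every request, independent of the UI."""
    fn = ACCESS_TABLE.get(path)
    if fn is None or role not in ROLES:
        return False          # unknown function or role: deny by default
    return role in fn.allowed_roles


def audit_unrestricted_privileged():
    """Paths that are privileged yet callable by Guest (unauthenticated).
    Public self-service functions like /ForgotUserName are not reported."""
    return sorted(fn.path for fn in ACCESS_TABLE.values()
                  if fn.privileged and "Guest" in fn.allowed_roles)


if __name__ == "__main__":
    print("Real findings:", audit_unrestricted_privileged())
```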