Missing Function-Level Access Controls in Your Code

The most common mistake people make when implementing access control is misplacing or poorly implementing the validation in code: the access check does not sit immediately before the action that requires it. In this situation, attackers can circumvent access control by figuring out how the application handles the access checks.

For example, path validation mismanagement occurs when private functionality is hidden from unauthorized users on the client side, but no corresponding check is performed on the server side. An attacker who knows the application well enough would be able to access restricted functionality.

This example consists of a web application that builds a menu based on the ...
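The book's own menu example is cut off above. The following is an added illustration, not the book's code, of the same client/server mismatch in plain Node.js: the menu hides the admin link from ordinary users, the vulnerable dispatcher trusts that hiding, and the hardened dispatcher checks the required role on the server right before the handler. The session store, route table and role map are constructed for the example.

```javascript
// Constructed session store (sessionId -> user); stands in for a real session lib.
const SESSIONS = {
  'sess-alice': { name: 'alice', role: 'user' },
  'sess-bob': { name: 'bob', role: 'admin' },
};

// Route handlers keyed by "METHOD /path". The delete route is meant to be admin-only.
const ROUTES = {
  'GET /profile': (user) => ({ status: 200, body: `profile of ${user.name}` }),
  'POST /admin/users/delete': (user, body) => ({ status: 200, body: `deleted ${body.target}` }),
};

// Client-side menu: hides the admin link from non-admins. This is cosmetic;
// any client can still send the request directly.
function buildMenu(user) {
  const items = ['/profile'];
  if (user.role === 'admin') items.push('/admin/users/delete');
  return items;
}

const resolveUser = (req) => SESSIONS[req.sessionId] || null;

// Vulnerable: authenticates the session, then dispatches to whatever route the
// client names, relying on the hidden menu as the only "control".
function handleVulnerable(req) {
  const user = resolveUser(req);
  if (!user) return { status: 401, body: 'login required' };
  const handler = ROUTES[`${req.method} ${req.path}`];
  if (!handler) return { status: 404, body: 'not found' };
  return handler(user, req.body || {});
}

// Hardened: each route declares the role it needs and the check runs on the
// server immediately before the handler. Routes with no declared role are denied.
const ROUTE_ROLES = {
  'GET /profile': 'user',               // any authenticated user
  'POST /admin/users/delete': 'admin',
};

function handleHardened(req) {
  const user = resolveUser(req);
  if (!user) return { status: 401, body: 'login required' };
  const key = `${req.method} ${req.path}`;
  const handler = ROUTES[key];
  if (!handler) return { status: 404, body: 'not found' };
  const required = ROUTE_ROLES[key];
  const allowed = required === 'user' || user.role === required;
  if (!required || !allowed) return { status: 403, body: 'forbidden' };
  return handler(user, req.body || {});
}
```

The 403 from `handleHardened` for alice's direct request is the check the vulnerable version never performs; the menu output is identical in both cases.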

Get Secure Your Node.js Web Application now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.