# Missing Authorization (CWE-862)

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

**Stack:** JavaScript

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Hoch 3 Regeln mit hohem Schweregrad
- Prevention: Dokumentiert 3 Fix-Beispiele

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource. When authorization checks are completely missing, any authenticated user can access protected resources.

## Prevention

Präventionsstrategien für Missing Authorization basierend auf 1 Shoulder-Erkennungsregeln.

### JavaScript

Require human approval for sensitive operations and limit agent loop iterations

## Warning Signs

- [HIGH] Excessive LLM agency detected: ...
- [HIGH] LLM implementations with excessive autonomy that can lead to unintended
consequences

## Consequences

- Anwendungsdaten lesen
- Anwendungsdaten ändern
- Privilegien erlangen

## Mitigations

- Autorisierungsprüfungen für alle geschützten Ressourcen umsetzen
- Einen zentralisierten Autorisierungsmechanismus verwenden
- Dem Prinzip 'Deny by default' folgen

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended
consequences. OWASP LLM08 - Excessive Agency.

Excessive agency occurs when LLMs are granted:
- Ability to perform destructive operations without confirmation
- Auto-execution of LLM-generated code or commands
- Direct database modifications without approval
- Financial transactions without human oversight
- Email/communication sending without review

This rule detects:
- Auto-execution of tool calls without human ap
  - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops.

```javascript
if (SENSITIVE_OPERATIONS.has(toolName)) {
  await queueForApproval(toolCall);
} else {
  await executeSafeToolCall(toolCall);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency

### Typescript (1 rules)

- **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended
consequences. OWASP LLM08 - Excessive Agency.

Excessive agency occurs when LLMs are granted:
- Ability to perform destructive operations without confirmation
- Auto-execution of LLM-generated code or commands
- Direct database modifications without approval
- Financial transactions without human oversight
- Email/communication sending without review

This rule detects:
- Auto-execution of tool calls without human ap
  - Remediation: Require human approval for sensitive operations and set iteration limits on agent loops.

```javascript
if (SENSITIVE_OPERATIONS.has(toolName)) {
  await queueForApproval(toolCall);
} else {
  await executeSafeToolCall(toolCall);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-862/llm-excessive-agency