Improper Privilege Management (CWE-269)

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.

Prevalencia

Alta

Frecuentemente explotada

Impacto

Alto

2 reglas de severidad alta

Prevención

Documentada

2 ejemplos de corrección

2 Prevención

Cómo corregir esta vulnerabilidad

🐍 Python Ver todo Python detalles →

Default Privilege Assignment in User Creation HIGH

Create users with least-privilege defaults and require explicit admin action for privilege elevation

+4 -4 python

  def register(request):
      data = request.get_json()
-     user = User.objects.create(
-         username=data['username'],
-         email=data['email'],
-         is_staff=True,
+     user = User.objects.create_user(
+         username=data['username'],
+         email=data['email'],
+         password=data['password'],
      )
      return {'status': 'created'}

Missing Role/Permission Checks HIGH

Use permission decorators to verify user roles before any privilege modification

+5 -3 python

- from django.http import JsonResponse
- from django.contrib.auth.models import User
- 
+ from django.contrib.auth.decorators import permission_required
+ from django.http import JsonResponse
+ from django.contrib.auth.models import User
+ 
+ @permission_required('auth.change_user', raise_exception=True)
  def promote_user(request, user_id):
      user = User.objects.get(id=user_id)
      user.is_staff = True
      user.save()
      return JsonResponse({'status': 'promoted'})

3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones Improper Privilege Management. 2 reglas.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=269

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (2)

🐍 Python 2 rules

Default Privilege Assignment in User Creation HIGH

Detects user creation flows that assign elevated privileges by default.

Missing Role/Permission Checks HIGH

Detects privileged operations like role modification without verifying user permissions.

4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Improper Privilege Management. Búscalos durante las revisiones de código y auditorías de seguridad.

🟠

user creation flows that assign elevated privileges by default python-default-privilege-assignment

🟠

privileged operations like role modification without verifying user permissions python-privilege-escalation

🔍

Escanea tu base de código para Improper Privilege Management

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas