# Improper Privilege Management (CWE-269)

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

- Prevalence: High (frequently exploited)
- Impact: High (2 high-severity rules)
- Prevention: Documented (2 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.

## Prevention

### Python

- Create users with least-privilege defaults and require explicit admin action for privilege elevation.
- Use permission decorators to verify user roles before any privilege modification.

## Warning Signs

- [HIGH] User creation flows that assign elevated privileges by default
- [HIGH] Privileged operations, such as role modification, performed without verifying the caller's permissions

## Consequences

- Gain Privileges
- Read Application Data
- Modify Application Data

## Mitigations

- Implement the principle of least privilege
- Regularly audit user privileges
- Use role-based access control (RBAC)

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **Default Privilege Assignment in User Creation** [HIGH]: Detects user creation flows that assign elevated privileges by default.
  - Remediation: Default user creation to unprivileged (is_staff=False); never pass privilege flags taken from request data.

  ```python
  from django.contrib.auth.models import User

  # create_user leaves is_staff and is_superuser at their False defaults
  User.objects.create_user(username=data['username'], password=data['password'])
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-269/default-privilege-assignment

- **Missing Role/Permission Checks** [HIGH]: Detects privileged operations, such as role modification, performed without verifying the caller's permissions.
  - Remediation: Use permission decorators to verify user roles before privileged operations.

  ```python
  from django.contrib.auth.decorators import permission_required
  from django.contrib.auth.models import User
  from django.http import JsonResponse

  @permission_required('auth.change_user', raise_exception=True)
  def promote_user(request, user_id):
      # Only callers holding auth.change_user reach here; everyone else gets a 403
      User.objects.filter(pk=user_id).update(is_staff=True)
      return JsonResponse({'promoted': user_id})
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-269/privilege-escalation
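The two rules above, combined into one runnable, framework-free sketch (an added example, not code from the page or from Django): `create_user` refuses caller-supplied privilege flags so every account starts unprivileged, and `permission_required` is a stand-in for Django's decorator with `raise_exception=True` that guards `promote_user`; the `User` dataclass, `USERS` store and `has_perm` are constructed for the example.

```python
from dataclasses import dataclass, field
from functools import wraps

class PermissionDenied(Exception):
    """Raised for callers lacking the permission (Django would return 403)."""

@dataclass
class User:
    username: str
    is_staff: bool = False       # least-privilege default: never elevated at creation
    permissions: set = field(default_factory=set)
    def has_perm(self, perm):
        return perm in self.permissions

USERS = {}  # constructed in-memory user store standing in for the database

def create_user(username, password, **extra):
    # Caller-supplied privilege flags (e.g. copied from a signup form) are refused
    if 'is_staff' in extra or 'is_superuser' in extra:
        raise ValueError('privilege flags are not accepted at creation time')
    return USERS.setdefault(username, User(username=username))

def permission_required(perm):
    def decorator(view):
        @wraps(view)
        def wrapper(actor, *args, **kwargs):
            if not actor.has_perm(perm):
                raise PermissionDenied(f'{actor.username} lacks {perm}')
            return view(actor, *args, **kwargs)
        return wrapper
    return decorator

@permission_required('auth.change_user')
def promote_user(actor, username):
    target = USERS[username]
    target.is_staff = True
    return target

def demo():
    USERS.clear()
    admin = create_user('admin', 'pw')
    admin.permissions.add('auth.change_user')  # granted explicitly, never by signup
    bob, mallory = create_user('bob', 'pw'), create_user('mallory', 'pw')
    try:
        promote_user(mallory, 'bob')  # unprivileged caller attempting elevation
        blocked = False
    except PermissionDenied:
        blocked = True
    promote_user(admin, 'bob')
    return {'default_staff': mallory.is_staff, 'blocked': blocked, 'promoted': bob.is_staff}
```

Running `demo()` shows the unprivileged default, the rejected elevation attempt and the permitted one in a single result.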