Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
When privileges are not properly managed, users may gain access to resources or functionality they should not have. This includes privilege escalation and improper role assignment.
普遍性
高
频繁被利用
影响
高
2 条严重级别为高的规则
预防
已记录
2 个修复示例
2 预防
2 预防
如何修复此漏洞
Python
查看全部 Python 详情 →
Default Privilege Assignment in User Creation
HIGH
Create users with least-privilege defaults and require explicit admin action for privilege elevation
def register(request): data = request.get_json() - user = User.objects.create( - username=data['username'], - email=data['email'], - is_staff=True, + user = User.objects.create_user( + username=data['username'], + email=data['email'], + password=data['password'], ) return {'status': 'created'}
Missing Role/Permission Checks
HIGH
Use permission decorators to verify user roles before any privilege modification
- from django.http import JsonResponse - from django.contrib.auth.models import User - + from django.contrib.auth.decorators import permission_required + from django.http import JsonResponse + from django.contrib.auth.models import User + + @permission_required('auth.change_user', raise_exception=True) def promote_user(request, user_id): user = User.objects.get(id=user_id) user.is_staff = True user.save() return JsonResponse({'status': 'promoted'})
3 检测
3 检测
查找代码中的漏洞
使用Shoulder扫描代码中的Improper Privilege Management模式。 2 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=269 # Or scan entire project npx @shoulderdev/cli trust .
4 警告信号
4 警告信号
代码审查中需要关注的内容
这些模式表明潜在的Improper Privilege Management漏洞。在代码审查和安全审计中注意查找。
user creation flows that assign elevated privileges by default
python-default-privilege-assignment
privileged operations like role modification without verifying user permissions
python-privilege-escalation