Weakness reference
CWE-306

Missing Authentication for Critical Function

Missing authentication for critical functions allows anyone—authenticated user or complete stranger—to perform sensitive operations without proving their…

01Summary

Missing authentication for critical functions allows anyone—authenticated user or complete stranger—to perform sensitive operations without proving their identity. This weakness exposes administrative actions, resource-intensive operations, or data modifications to unauthorized access. It is one of the most direct paths to account takeover, data destruction, or service abuse.

02How It Happens

Critical functions are those that modify state, consume resources, or expose sensitive data: password resets, account deletion, payment processing, report generation, or administrative configuration changes. When a developer builds such a function but forgets to check whether the user is logged in or authorized, the function becomes accessible to anyone who can craft the right request—whether they know a valid username, session token, or any other credential. The absence of an authentication check means the application trusts the request implicitly.

This often occurs when: - A function is built for internal use and later exposed to the web without adding access controls. - Authentication is checked at the routing layer but bypassed for certain endpoints. - A developer assumes "security through obscurity"—that a hidden URL or parameter won't be discovered. - Legacy code lacks centralized authentication enforcement.

03Real-World Impact

An attacker can reset any user's password, delete accounts, trigger expensive operations (report generation, data exports), modify configuration, or perform financial transactions without any credentials. In multi-tenant systems, one tenant may access or modify another's data. Administrative functions become fully public. The impact ranges from data loss and service disruption to complete account takeover and financial fraud.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, request

app = Flask(__name__)

@app.route('/admin/reset-password', methods=['POST'])
def reset_password():
    username = request.form.get('username')
    new_password = request.form.get('new_password')
    # No authentication check — anyone can reset any password
    user = db.query(User).filter_by(username=username).first()
    user.password_hash = hash_password(new_password)
    db.commit()
    return "Password reset successful"

Why it's vulnerable:
The endpoint accepts a username and new password from any request without verifying that the requester is logged in or authorized. An attacker can reset any user's password by simply sending a POST request.

Fixed pattern
from flask import Flask, request, session
from functools import wraps

app = Flask(__name__)

def require_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if 'user_id' not in session:
            return "Unauthorized", 401
        return f(*args, **kwargs)
    return decorated

@app.route('/admin/reset-password', methods=['POST'])
@require_auth
def reset_password():
    username = request.form.get('username')
    new_password = request.form.get('new_password')
    user = db.query(User).filter_by(username=username).first()
    user.password_hash = hash_password(new_password)
    db.commit()
    return "Password reset successful"
Vulnerable pattern
<?php
// No session check — anyone can trigger this
if ($_POST['action'] === 'delete_user') {
    $user_id = $_POST['user_id'];
    $wpdb->query("DELETE FROM users WHERE ID = $user_id");
    echo "User deleted";
}
?>

Why it's vulnerable:
The script processes a delete request without checking is_user_logged_in() or verifying the user's role. Any visitor can delete any user account.

Fixed pattern
<?php
if ($_POST['action'] === 'delete_user') {
    // Check authentication and authorization
    if (!is_user_logged_in()) {
        wp_die('Unauthorized', 'Unauthorized', ['response' => 401]);
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 'Forbidden', ['response' => 403]);
    }
    $user_id = intval($_POST['user_id']);
    wp_delete_user($user_id);
    echo "User deleted";
}
?>

05Prevention Checklist

Identify critical functions:
List all endpoints, actions, or operations that modify data, delete records, reset credentials, or consume significant resources.
Enforce authentication at entry:
Check session validity or token presence before executing any critical function; use a centralized middleware or decorator.
Verify authorization, not just identity:
Confirm the authenticated user has the role or permission required for that specific action (e.g., only admins can delete users).
Test unauthenticated access:
Attempt to call each critical endpoint without a valid session or token; it should return 401 or 403, never execute.
Use framework-provided guards:
Leverage built-in authentication decorators, middleware, or permission checks rather than rolling your own.
Log and monitor:
Record all attempts to access critical functions, including failures; alert on repeated unauthorized attempts.

06Signs You May Already Be Affected

Check your application logs for requests to sensitive endpoints (password reset, user deletion, configuration changes) that lack a valid session or authentication token. Look for unexpected changes to user accounts, configuration, or data that you did not authorize. If you can access administrative functions without logging in, or if you can modify another user's account by guessing their ID, you are affected.

07Related Recent Vulnerabilities