176 – Restrict system objects

Summary

The system must restrict access to system objects that have sensitive content. It should only allow access to authorized users.

Description

Applications usually handle personal and confidential information, such as personal identifications, social security numbers, credentials and health histories. This data should be protected as a fundamental right, and therefore be stored and transmitted using secure mechanisms that prevent access to it by unauthorized actors. Furthermore, the access control model and role assignment policy must be implemented taking these restrictions into consideration.

Supported In

Essential: True

Advanced: True

References

• CIS-3_3. Configure data access control lists
• CWE-284. Improper access control
• CWE-548. Exposure of information through directory listing
• CWE-639. Authorization bypass through user-controlled key
• EPRIVACY-4_1a. Security of processing
• GDPR-32_4. Security of processing
• GDPR-R6. Ensuring a high level of data protection despite the increased exchange of data
• NERCCIP-003-8_3_1. Electronic access controls
• OWASP10-A1. Broken access control
• OWASP10-A2. Cryptographic failures
• OWASP10-A7. Identification and authentication failures
• CPRA-1798_104. Compliance with right to know and disclosure requirements
• GLBA-501_A. Privacy obligation policy
• NYSHIELD-5575_B_2. Personal and private information
• MITRE-M1022. Restrict file and directory permissions
• MITRE-M1029. Remote data storage
• PADSS-2_5_7. Prevention of unauthorized substitution of cryptographic keys
• PADSS-5_2_8. Improper access controls
• PADSS-10_2_3. Remote access to customer's payment applications must be implemented securely
• PADSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
• PDPA-9B_48D. Unauthorized disclosure of personal data
• POPIA-3A_19. Security measures on integrity and confidentiality of personal information
• POPIA-9_72. Transfers of personal information outside Republic
• PDPO-S1_4. Security of personal data
• CMMC-AC_L1-3_1_1. Authorized access control
• CMMC-AC_L1-3_1_2. Transaction & function control
• CMMC-CM_L2-3_4_5. Access restrictions for change
• CMMC-MP_L2-3_8_2. Media access
• CMMC-SC_L2-3_13_4. Shared resource control
• HITRUST-01_h. Clear desk and clear screen policy
• HITRUST-01_v. Information access restriction
• HITRUST-06_d. Data protection and privacy of covered information
• HITRUST-09_c. Segregation of duties
• HITRUST-09_r. Security of system documentation
• FEDRAMP-MP-2. Media access
• FEDRAMP-SC-8. Transmission confidentiality and integrity
• FEDRAMP-SC-28. Protection of information at rest
• ISO27002-8_4. Access to source code
• ISO27002-8_26. Application security requirements
• IEC62443-IAC-1_2. Software process and device identification and authentication
• IEC62443-DC-4_1. Information confidentiality
• WASSEC-6_2_2_2. Authorization - Insufficient authorization
• WASSEC-6_2_2_5. Authorization - Session weaknesses
• WASSEC-6_2_4_9. Command execution - Local file includes
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• OSSTMM3-11_11_2. Data networks security (segregation review) - Disclosure
• WASC-A_12. Content spoofing
• WASC-W_16. Directory indexing
• WASC-W_17. Improper filesystem permissions
• WASC-W_13. Information leakage
• WASC-W_02. Insufficient authorization
• ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
• ISSAF-P_6_15. Host security - Linux security (local attacks)
• ISSAF-Q_16_20. Host security - Windows security (local attacks)
• ISSAF-T_12_2. Web application assessment - Browsable directories check
• ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)
• ISSAF-U_11. Web application SQL injections - Get control on host
• ISSAF-V_6_1. Application security - Source code auditing (authentication)
• PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
• PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
• OWASPRISKS-P1. Web application vulnerabilities
• OWASPRISKS-P2. Operator-sided data leakage
• OWASPRISKS-P7. Insufficient data quality
• OWASPSCP-5. Access control
• OWASPSCP-10. System configuration
• OWASPSCP-12. File management
• BSAFSS-SM_3-1. Supply chain data is protected
• BSAFSS-SM_6-1. Deployment procedures ensure that the usages of software are established
• ASVS-5_2_5. Sanitization and sandboxing
• ASVS-13_4_1. GraphQL
• C2M2-9_5_a. Implement data security for cybersecurity architecture
• C2M2-9_5_b. Implement data security for cybersecurity architecture
• PCI-1_4_3. Implement anti-spoofing measures
• PCI-1_4_4. Network connections between trusted and untrusted networks are controlled
• PCI-3_7_7. Prevention of unauthorized substitution of cryptographic keys
• PCI-7_2_5. Access to system components and data is defined and assigned
• PCI-8_2_3. User identification for users and administrators are strictly managed
• ASVS-4_2_1. Operation level access control
• ASVS-4_3_1. Other access control considerations
• ASVS-9_2_3. Server communication security
• ASVS-12_3_2. File execution
• OWASPAPI-API1. Broken Object Level Authorization
• OWASPAPI-API3. Broken Object Property Level Authorization
• OWASPAPI-API5. Broken Function Level Authorization
• CAPEC-680. Exploitation of Improperly Controlled Registers
• CAPEC-690. Metadata Spoofing
• CAPEC-691. Spoof Open-Source Software Metadata
• CAPEC-692. Spoof Version Control System Commit Metadata
• ISO27001-8_4. Access to source code
• ISO27001-8_26. Application security requirements
• CASA-1_14_1. Configuration Architecture
• CASA-4_3_1. Other Access Control Considerations
• CASA-4_3_2. Other Access Control Considerations
• CASA-4_3_3. Other Access Control Considerations
• CASA-5_2_5. Sanitization and Sandboxing
• RESOLSB-Art_26_11_d. Information Security
• OWASPMASVS-PRIVACY-1. The app minimizes access to sensitive data and resources
• CWE25-269. Improper Privilege Management
• CWE25-863. Incorrect Authorization
• SANS25-22. Improper Privilege Management
• SANS25-24. Incorrect Authorization
• NIST-PR_DS-01. The confidentiality, integrity, and availability of data-at-rest are protected
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses
• OWASPLLM-LLM10:2025. Unbounded Consumption

Weaknesses

• 116 – XS-Leaks
• 123 – Local file inclusion
• 125 – Directory listing
• 201 – Unauthorized access to files
• 202 – Unauthorized access to files - Debug APK
• 203 – Unauthorized access to files - Cloud Storage Services
• 204 – Insufficient data authenticity validation
• 213 – Business information leak - JWT
• 214 – Business information leak - Credentials
• 215 – Business information leak - Repository
• 216 – Business information leak - Source Code
• 217 – Business information leak - Credit Cards
• 218 – Business information leak - Network Unit
• 219 – Business information leak - Redis
• 220 – Business information leak - Token
• 221 – Business information leak - Users
• 222 – Business information leak - DB
• 223 – Business information leak - JFROG
• 224 – Business information leak - AWS
• 225 – Business information leak - Azure
• 226 – Business information leak - Personal Information
• 227 – Business information leak - NAC
• 228 – Business information leak - Analytics
• 229 – Business information leak - Power BI
• 230 – Business information leak - Firestore
• 232 – Technical information leak - Angular
• 234 – Technical information leak - Stacktrace
• 235 – Technical information leak - Headers
• 236 – Technical information leak - SourceMap
• 237 – Technical information leak - Print Functions
• 238 – Technical information leak - API
• 239 – Technical information leak - Errors
• 286 – Insecure object reference - Personal information
• 287 – Insecure object reference - Corporate information
• 288 – Insecure object reference - Financial information
• 289 – Technical information leak - Logs
• 290 – Technical information leak - IPs
• 291 – Business information leak - Financial Information
• 306 – Insecure object reference - Files
• 307 – Insecure object reference - Data
• 328 – Insecure object reference - Session management
• 336 – Business information leak - Corporate information
• 342 – Technical information leak - Alert
• 349 – Technical information leak - Credentials
• 362 – Technical information leak - Content response
• 369 – Insecure object reference - User deletion
• 405 – Excessive privileges - Access Mode
• 422 – Server side template injection
• 434 – Client-side template injection
• 443 – Insecure service configuration - Business logic
• 013 – Insecure object reference
• 032 – Spoofing
• 037 – Technical information leak
• 038 – Business information leak
• 039 – Improper authorization control for web services
• 040 – Exposed web services
• 066 – Technical information leak - Console functions
• 073 – Improper authorization control for web services - RDS
• 075 – Unauthorized access to files - APK Content Provider
• 080 – Business information leak - Customers or providers

Last updated

2025/06/17