
Some examples.

1. Providing a permission-based check to prevent a user from accessing a specific UI page but then failing to secure the back-end API endpoint that supports the UI.

A developer implementing a user story reads the following acceptance criteria, "User without permission X cannot see page Y," and proceeds to prevent the UI page Y from rendering if the user doesn't have permission X. They completely ignore securing the back-end API endpoint as that's not a requirement. Now you have a back-end API endpoint that isn't doing any permission checks, and anyone can call it even if they don't have permission X.

2. Allowing different values to be used when checking authorization and subsequently persisting data.

A user posts to a URL to add an item to an order.

URL:

  POST /app-web/orders/144/items

PAYLOAD:

  {
    "item_id":682,
    "order_id":555
  }

HANDLER:

  import javax.ws.rs.POST;
  import javax.ws.rs.Path;
  import javax.ws.rs.PathParam;

  @POST
  @Path("/orders/{orderId}/items")
  public void addItem(@PathParam("orderId") Integer orderId, OrderItem orderItem) {
    checkOwnsOrder(orderId);   // authorizes the order id from the URL (144)
    repo.create(orderItem);    // persists the order id from the payload (555)
  }

The application logic is written to check that the user has access to the order identified in the URL (144). But the payload has a different order id (555). The application allows the item to be added to the order but in this case the order being altered is order number 555 and not the order that the user originally had the ability to add items to, 144.
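The path-versus-payload mismatch from the second example, as an added Python illustration that is not code from the comment above or from any real application. The repository, the `Forbidden` exception, the handler names and the sample data (order 144 owned by "alice", order 555 owned by "bob") are all constructed for this example; the vulnerable handler mirrors the comment's `addItem`, and the hardened one lets only the authorized id reach persistence.

```python
# Added example (not from the HN comment it follows): the path-vs-payload
# authorization mismatch from example 2, in plain Python with an in-memory
# repository. Order 144 belongs to "alice", 555 to "bob" (constructed data);
# the class and function names are assumptions for this illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller does not own the order named in the URL."""


@dataclass
class OrderItem:
    item_id: int
    order_id: int


@dataclass
class OrderRepo:
    owners: dict                               # order_id -> owning user
    items: dict = field(default_factory=dict)  # order_id -> [item_id, ...]

    def create(self, item: OrderItem) -> None:
        # Persists whatever order_id the entity carries; no ownership check here,
        # exactly like repo.create(orderItem) in the comment's handler.
        self.items.setdefault(item.order_id, []).append(item.item_id)


def make_repo() -> OrderRepo:
    """Constructed fixture: two orders with different owners."""
    return OrderRepo(owners={144: "alice", 555: "bob"})


def check_owns_order(repo: OrderRepo, user: str, order_id: int) -> None:
    if repo.owners.get(order_id) != user:
        raise Forbidden(f"{user} does not own order {order_id}")


def add_item_vulnerable(repo: OrderRepo, user: str, path_order_id: int, payload: dict) -> int:
    """Mirrors the comment's handler: authorizes the URL id, persists the payload id."""
    check_owns_order(repo, user, path_order_id)
    item = OrderItem(item_id=payload["item_id"], order_id=payload["order_id"])
    repo.create(item)
    return item.order_id  # the order that was actually modified


def add_item_fixed(repo: OrderRepo, user: str, path_order_id: int, payload: dict) -> int:
    """Hardened: the id that passed the authorization check is the only one persisted."""
    check_owns_order(repo, user, path_order_id)
    if "order_id" in payload and payload["order_id"] != path_order_id:
        # Reject a disagreeing payload as a bad request instead of silently
        # overriding it, so the mismatch shows up in request logs.
        raise ValueError(
            f"payload order_id {payload['order_id']} != path orderId {path_order_id}")
    item = OrderItem(item_id=payload["item_id"], order_id=path_order_id)
    repo.create(item)
    return item.order_id


if __name__ == "__main__":
    request = {"item_id": 682, "order_id": 555}  # alice POSTs to /orders/144/items
    repo = make_repo()
    print("vulnerable handler wrote to order", add_item_vulnerable(repo, "alice", 144, request))
    try:
        add_item_fixed(make_repo(), "alice", 144, request)
    except ValueError as err:
        print("fixed handler rejected the request:", err)
```

Running it shows the vulnerable handler appending item 682 to bob's order 555 even though only order 144 was authorized, while the hardened handler refuses the mismatched payload and, when the payload omits `order_id`, writes to 144. Rejecting rather than silently correcting the id is a deliberate choice: the discrepancy is worth logging because a legitimate client never produces it.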


