This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Category:WASS Check Authorization

Ensure that authorization checks are enforced in the application.

Applications generally have numerous privileges, or roles, that a user can be granted. The application must not allow a user access to functionality he/she is not authorized for.

  1. Access to functionality should not be enforced solely by the user interface
    1. Whenever a page request is made to the application, the web application should check access control permissions for the requesting user on the server, regardless of whether the user interface exposed a link to that page.
  2. Parameters should be checked for access control permission
    1. Users should be restricted to the information and functionality they see in the user interface; e.g. parameters that drive menus or select records should be verified to be "in range" for the currently logged-in user before they are used.
  3. Prevent privilege levels from being disclosed outside of the application
    1. Users should only be identified by a single, hard-to-guess identifier (typically the session identifier).
    2. Privilege levels should be enforced by the web application only through the above identifier, never through a role or privilege value supplied by the client.
    3. All authorization decisions should be made on the server side based on the above identifier.
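The three rules above come together in a request handler that resolves the caller from an opaque session identifier, looks up that user's role and owned records on the server, and only then acts on the client-supplied parameters. The following is an added example written for this page, not code from the OWASP wiki; the in-memory `SessionStore`, the `USERS`/`ACCOUNTS` tables and the `MENU_BY_ROLE` map are constructed stand-ins for an application's real session management and database. The `view_account_insecure` handler shows the anti-pattern of rule 1 (the UI only renders links to the user's own accounts, so the server never checks); `view_account` and `invoke_menu_action` show the hardened form.

```python
"""Server-side authorization checks (added example; session store and data are constructed)."""
import secrets


class AuthorizationError(Exception):
    """Raised when the caller is not permitted to reach the requested resource."""


# Constructed sample data: who exists, what role they hold, which records they own.
USERS = {
    "alice": {"role": "user", "accounts": {1001, 1002}},
    "bob": {"role": "admin", "accounts": set()},
}
ACCOUNTS = {1001: "alice savings", 1002: "alice checking", 2001: "carol savings"}
# Menu entries each role may see. The UI renders only these; the server re-checks them.
MENU_BY_ROLE = {"user": {"view_account"}, "admin": {"view_account", "export_all"}}


class SessionStore:
    """Maps a single hard-to-guess identifier to a username (rule 3.1).
    The client never sees or sends its role; it only presents this token."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        if username not in USERS:
            raise AuthorizationError("unknown user")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[token] = username
        return token

    def user_for(self, token):
        username = self._sessions.get(token)
        if username is None:
            raise AuthorizationError("invalid or expired session")
        return username


def view_account_insecure(params):
    """VULNERABLE (violates rule 1): relies on the UI having shown only the
    caller's own account links, so any account_id the client types is served."""
    return ACCOUNTS[int(params["account_id"])]


def view_account(sessions, token, params):
    """Hardened: identify the caller from the session token, then verify the
    requested account is in range for that user before touching it (rules 1-3)."""
    username = sessions.user_for(token)
    user = USERS[username]
    try:
        account_id = int(params["account_id"])
    except (KeyError, ValueError):
        raise AuthorizationError("malformed account id")
    # Authorization is decided before existence is looked up, so a denied
    # request reveals nothing about whether the record exists.
    if user["role"] != "admin" and account_id not in user["accounts"]:
        raise AuthorizationError(f"{username} may not read account {account_id}")
    return ACCOUNTS.get(account_id)


def invoke_menu_action(sessions, token, action):
    """Rule 2: a menu parameter is checked against the caller's server-side role,
    not trusted because the UI happened to render it."""
    username = sessions.user_for(token)
    if action not in MENU_BY_ROLE[USERS[username]["role"]]:
        raise AuthorizationError(f"{username} may not invoke {action}")
    return f"{action} run as {username}"


def request_is_denied(handler, *args):
    """Helper: True if the handler refuses the request with AuthorizationError."""
    try:
        handler(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    store = SessionStore()
    alice = store.login("alice")
    print(view_account(store, alice, {"account_id": "1001"}))
    print("alice -> 2001 denied:", request_is_denied(view_account, store, alice, {"account_id": "2001"}))
    print("forged token denied:", request_is_denied(view_account, store, "forged", {"account_id": "1001"}))
    print("insecure handler serves 2001 to anyone:", view_account_insecure({"account_id": "2001"}))
```

Two points of the design are worth noting. The role is never read from the request; it is derived from the session token on the server, so tampering with a hidden `role` field or cookie value has nothing to act on. And the "in range" check runs before the record lookup, so a denied request cannot be used to enumerate which account ids exist.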