This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cornucopia - Ecommerce Website - AZ 3
Suit: Authorization
Card/Value: 3
Description:
Christian can access information, which they should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or other information leakage.
Technical Note:
The attacker themselves is not permitted direct access, but has access to something, that had or has access to information. Consider all accounts/roles and what access privileges they have, and whether a user in one role can utilise another role. Create an Access Control Policy to document an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled. This includes identifying access requirements for both the data and system resources.
This card also includes considerations of access to residual information such as cached data, data stored temporarily, and the inadequate deletion of information that is no longer required (and has passed its required retention period).
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
51 | 4.1 | - | 69 | 8 |
100 | 8.10 | 213 | 10 | |
135 | 9.1 | 11 | ||
139 | 9.2 | |||
140 | 9.3 | |||
141 | 9.4 | |||
150 | 9.5 | |||
9.6 | ||||
17.18 |