Cornucopia - Ecommerce Website - AZ 5
Suit: Authorization
Card/Value: 5
Description:
Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege).
Technical Note:
Define access controls for each and every resource and system component. Enforce authorization controls on every request, regardless of resource type.
NB: the key concept for this card is applying authorization controls to all resource types. See AZ 6 for data controls, and AZ 7 for function/object/property controls.
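The technical note above asks for a policy entry for every resource type and an authorization check on every request. The following is an added example, not code from the Cornucopia project or OWASP: a small deny-by-default authorization layer in which every request, whatever the resource type (document, log, configuration, temporary file), passes through one `authorize` call before a handler runs. The role names, resource types, status codes and sample store contents are assumptions made for the example. A naive handler that authorizes only "documents" is shown beside it to illustrate the gap the card describes.

```python
# Added example (not from the Cornucopia card or OWASP): deny-by-default
# authorization applied to every request, regardless of resource type.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Policy: (resource type, action) -> roles allowed.  Every resource type the
# application exposes needs an entry; anything absent is denied (fail closed).
# Role and type names are assumed for the example.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("document", "read"):  frozenset({"owner", "staff", "admin"}),
    ("document", "write"): frozenset({"staff", "admin"}),
    ("image", "read"):     frozenset({"customer", "staff", "admin"}),
    ("log", "read"):       frozenset({"admin"}),
    ("config", "read"):    frozenset({"admin"}),
    ("config", "write"):   frozenset({"admin"}),
    ("tempfile", "read"):  frozenset({"owner"}),   # only the user who created it
    ("session", "read"):   frozenset({"owner"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    rtype: str
    rid: str
    owner_id: Optional[str] = None  # set for per-user resources such as temp files


# Constructed sample backing store: (type, id) -> (resource metadata, content).
STORE: Dict[Tuple[str, str], Tuple[Resource, str]] = {
    ("document", "invoice-1"): (Resource("document", "invoice-1", "alice"), "invoice for order 1"),
    ("log", "app.log"):        (Resource("log", "app.log"), "2024-01-01 login ok user=alice"),
    ("config", "db"):          (Resource("config", "db"), "host=db.internal"),
    ("tempfile", "upload-7"):  (Resource("tempfile", "upload-7", "alice"), "partial upload"),
}

# Every denial is recorded so that repeated probing of resources a user may not
# see can be detected (the AppSensor ACE detection points cited on the card).
AUDIT: List[str] = []


def effective_roles(p: Principal, r: Resource) -> FrozenSet[str]:
    """Static roles plus the dynamic 'owner' role when the caller owns the resource."""
    roles = set(p.roles)
    if r.owner_id is not None and r.owner_id == p.user_id:
        roles.add("owner")
    return frozenset(roles)


def authorize(p: Principal, action: str, r: Resource) -> bool:
    """Deny unless a policy exists for this type/action and the caller holds a listed role."""
    allowed = POLICY.get((r.rtype, action))
    if allowed is None:
        AUDIT.append(f"DENY user={p.user_id} {action} {r.rtype}/{r.rid} reason=no-policy")
        return False
    if effective_roles(p, r).isdisjoint(allowed):
        AUDIT.append(f"DENY user={p.user_id} {action} {r.rtype}/{r.rid} reason=role")
        return False
    return True


def handle_request(p: Principal, action: str, rtype: str, rid: str) -> Tuple[int, str]:
    """Single entry point: authorization runs before any handler, for every type."""
    entry = STORE.get((rtype, rid))
    # Authorize even when the object does not exist, so the response does not
    # reveal whether a resource the caller may not see is present.
    resource = entry[0] if entry else Resource(rtype, rid)
    if not authorize(p, action, resource):
        return 403, "forbidden"
    if entry is None:
        return 404, "not found"
    return 200, entry[1]


def handle_request_naive(p: Principal, action: str, rtype: str, rid: str) -> Tuple[int, str]:
    """The gap the card describes: only 'documents' are authorized; logs,
    configuration and temp files are served to anyone who asks."""
    entry = STORE.get((rtype, rid))
    if entry is None:
        return 404, "not found"
    resource, content = entry
    if rtype == "document" and not authorize(p, action, resource):
        return 403, "forbidden"
    return 200, content


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    print(handle_request(alice, "read", "log", "app.log"))        # (403, 'forbidden')
    print(handle_request_naive(alice, "read", "log", "app.log"))  # (200, '...') - missing check
```

The important design choices are that the policy lookup fails closed for any resource type nobody thought to register, that the per-user "owner" role is derived from the resource rather than trusted from the request, and that the check sits in the single dispatch path so no handler can be reached without it.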
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
70 | 4.1 | ACE1 | 75 | 8 |
81 | 4.2 | ACE2 | 87 | 10 |
83 | 4.3 | ACE3 | 95 | 11 |
84 | 4.4 | ACE4 | 126 | 13 |
87 | 4.9 | HT2 | 149 | |
89 | 10.7 | | 155 | |
99 | 15.7 | | 203 | |
117 | | | 213 | |
131 | | | 264 | |
132 | | | 265 | |
142 | | | | |
154 | | | | |
170 | | | | |
179 | | | | |