This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cornucopia - Ecommerce Website - AZ 5

From OWASP
[Image: Cornucopia - Ecommerce Website AZ 5.png]

Suit: Authorization

Card/Value: 5

Description:

Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) that he should not be able to, either because authorization is missing or because privileges are excessive (e.g. the principle of least privilege is not applied).

Technical Note:

Define access controls for each and every resource and system component. Enforce authorization controls on every request, regardless of resource type.

NB: the key concept for this card is applying authorization controls to all resource types. See AZ 6 for data controls, and AZ 7 for function/object/property controls.
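The technical note above asks for one authorization decision on every request, whatever the resource type, and for roles that reach no more than they need. The following Python module is an added illustration of that idea and is not part of the Cornucopia card or of any OWASP project code. Every name in it (Policy, ResourceGateway, the roles "customer", "support" and "ops", and the in-memory store contents) is an assumption made for the example. Accesses to documents, temporary files, session data, configuration and logs all pass through a single deny-by-default choke point, every decision is recorded, and two helpers support review: one counts denials per principal (useful for detecting probing) and one lists the resource types a role can reach (useful for a least-privilege review).

```python
"""Deny-by-default authorization applied uniformly to every resource type.

Added example for the Cornucopia AZ 5 technical note; not code from OWASP.
All identifiers and sample data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Permission = Tuple[str, str, str]  # (role, resource_type, action)

# Every kind of resource the gateway serves must be named here, so that a new
# resource type cannot be added without also deciding who may touch it.
RESOURCE_TYPES = ("document", "temp_file", "session_data", "config", "log")


class AuthorizationError(PermissionError):
    """Raised whenever the policy does not explicitly allow an access."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


class Policy:
    """Explicit allow list: anything not granted is denied."""

    def __init__(self, grants: Iterable[Permission]) -> None:
        self.grants = frozenset(grants)
        for _role, rtype, _action in self.grants:
            if rtype not in RESOURCE_TYPES:
                raise ValueError(f"unknown resource type in policy: {rtype}")

    def permits(self, principal: Principal, resource_type: str, action: str) -> bool:
        return any((r, resource_type, action) in self.grants for r in principal.roles)


class ResourceGateway:
    """Single choke point: no accessor reads the store without calling access()."""

    def __init__(self, policy: Policy, store: Dict[str, Dict[str, object]]) -> None:
        self.policy = policy
        self._store = store
        # (principal, resource_type, resource_id, action, outcome) for every request
        self.audit: List[Tuple[str, str, str, str, str]] = []

    def access(self, principal: Principal, resource_type: str, resource_id: str, action: str):
        if resource_type not in RESOURCE_TYPES:
            raise ValueError(f"unknown resource type: {resource_type}")
        allowed = self.policy.permits(principal, resource_type, action)
        self.audit.append((principal.name, resource_type, resource_id, action,
                           "allow" if allowed else "deny"))
        if not allowed:
            raise AuthorizationError(f"{principal.name} may not {action} {resource_type}/{resource_id}")
        return self._store[resource_type][resource_id]


def denial_counts(audit: List[Tuple[str, str, str, str, str]]) -> Counter:
    """Denials per principal; a high count is a signal worth alerting on."""
    return Counter(name for name, _, _, _, outcome in audit if outcome == "deny")


def reach(policy: Policy, role: str) -> List[str]:
    """Resource types a role can touch at all, for a least-privilege review."""
    return sorted({rtype for r, rtype, _ in policy.grants if r == role})


# Constructed sample data (not real configuration or logs).
STORE = {
    "document": {"invoice-1001": "Invoice 1001 contents"},
    "temp_file": {"export-42.csv": "partial export"},
    "session_data": {"sess-abc": {"user": "chad"}},
    "config": {"payment": {"gateway_key": "PLACEHOLDER-NOT-A-REAL-KEY"}},
    "log": {"app.log": "2024-01-01T00:00:00Z INFO application started"},
}

POLICY = Policy({
    ("customer", "document", "read"),
    ("support", "document", "read"),
    ("support", "session_data", "read"),
    ("ops", "config", "read"),
    ("ops", "log", "read"),
    ("ops", "temp_file", "read"),
})


def run_scenario():
    """Exercise the gateway with a customer probing several resource types."""
    gateway = ResourceGateway(POLICY, STORE)
    chad = Principal("chad", frozenset({"customer"}))
    ops = Principal("ops-bot", frozenset({"ops"}))
    attempts = [
        (chad, "document", "invoice-1001", "read"),
        (chad, "temp_file", "export-42.csv", "read"),
        (chad, "config", "payment", "read"),
        (chad, "log", "app.log", "read"),
        (ops, "config", "payment", "read"),
    ]
    outcomes = {}
    for principal, rtype, rid, action in attempts:
        try:
            gateway.access(principal, rtype, rid, action)
            outcomes[(principal.name, rtype)] = "allow"
        except AuthorizationError:
            outcomes[(principal.name, rtype)] = "deny"
    return outcomes, denial_counts(gateway.audit)


if __name__ == "__main__":
    results, denials = run_scenario()
    for key, outcome in results.items():
        print(key, outcome)
    print("denials per principal:", dict(denials))
    print("reach of 'customer':", reach(POLICY, "customer"))
```

The design choice worth noting is that RESOURCE_TYPES is closed: the gateway refuses a resource type it does not know, so a newly added resource (a new temp-file area, a new log) fails closed until a grant is written for it, rather than silently becoming reachable. The audit list is what a detection rule would consume; in a real deployment it would be a structured log rather than an in-memory list.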

References:

OWASP SCP: 70, 81, 83, 84, 87, 89, 99, 117, 131, 132, 142, 154, 170, 179

OWASP ASVS: 4.1, 4.2, 4.3, 4.4, 4.9, 10.7, 15.7

OWASP AppSensor: ACE1, ACE2, ACE3, ACE4, HT2

CAPEC: 75, 87, 95, 126, 149, 155, 203, 213, 264, 265

SAFECODE: 8, 10, 11, 13
