
OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization

From OWASP

Insufficient Authentication/Authorization

Root Cause Summary

Incorrect verification of identity (authentication) or of permissions (authorization) can allow an unauthenticated or unauthorized attacker to reach sensitive data or functionality.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Use a proven authentication and authorization framework, and wherever possible express policy in central, declarative configuration rather than in authentication/authorization checks hard-coded throughout the application.

Deny all access by default, and explicitly grant access per resource.

Store protected data outside the web root, so that a direct request for the file cannot bypass the application's access control policy.

Custom Framework Solution

None

Custom Code Solution

Always apply the principle of least privilege to every transaction and data access. Define an access control matrix for all features, and implement the policy before implementing the feature.
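The Generic Framework and Custom Code recommendations above amount to one design: write the access control matrix down first, evaluate every request against it with deny as the default, and keep protected files where the web server cannot serve them directly. The following is an added example of that design and is not code from the OWASP page; the roles, resource kinds, document names and directory layout are illustrative assumptions.

```python
"""Deny-by-default authorization driven by an access control matrix.

Added example for the OWASP Periodic Table entry above; not code from the
page. Roles, resource kinds, document names and the directory layout are
illustrative assumptions.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
import tempfile


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]   # None for an unauthenticated request
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    owner: Optional[str] = None
    public: bool = False


# The access control matrix, written down before the features that use it.
# Each row is (role, resource kind, action, scope): scope "own" grants the
# action only on resources the principal owns, "public" only on resources
# flagged public, "any" unconditionally. Anything not listed here is denied.
RULES = [
    ("anonymous", "document", "read",   "public"),
    ("user",      "document", "read",   "public"),
    ("user",      "document", "read",   "own"),
    ("user",      "document", "write",  "own"),
    ("admin",     "document", "read",   "any"),
    ("admin",     "document", "write",  "any"),
    ("admin",     "account",  "delete", "any"),
]


def is_authorized(principal: Optional[Principal], resource: Resource, action: str) -> bool:
    """Return True only if some rule in the matrix explicitly grants the action."""
    if principal is None:
        return False                       # no identity at all: deny
    for role, kind, act, scope in RULES:
        if (role, kind, act) != (principal.role, resource.kind, action):
            continue
        if scope == "any":
            return True
        if scope == "public" and resource.public:
            return True
        if scope == "own" and principal.user_id is not None \
                and resource.owner == principal.user_id:
            return True
    return False                           # default: deny


# Constructed storage layout: the web server publishes only WEB_ROOT; the
# protected documents live in a sibling directory it never serves.
_BASE = Path(tempfile.mkdtemp(prefix="authz-demo-"))
WEB_ROOT = _BASE / "htdocs"
DATA_DIR = _BASE / "private"
WEB_ROOT.mkdir()
DATA_DIR.mkdir()

DOCUMENTS = {
    "handbook.txt":    Resource("document", "handbook.txt", owner="alice", public=True),
    "alice-notes.txt": Resource("document", "alice-notes.txt", owner="alice"),
    "bob-notes.txt":   Resource("document", "bob-notes.txt", owner="bob"),
}
for _name in DOCUMENTS:
    (DATA_DIR / _name).write_text(f"contents of {_name}\n")


class Forbidden(Exception):
    """Raised for unknown and unauthorized documents alike, so existence is not leaked."""


def fetch_document(principal: Optional[Principal], name: str) -> str:
    """Authorize against the matrix first, then read from the private store."""
    resource = DOCUMENTS.get(name)
    if resource is None or not is_authorized(principal, resource, "read"):
        raise Forbidden(name)
    path = (DATA_DIR / name).resolve()
    if DATA_DIR.resolve() not in path.parents:   # belt-and-braces traversal guard
        raise Forbidden(name)
    return path.read_text()


if __name__ == "__main__":
    checks = [
        (Principal(None, "anonymous"), "handbook.txt"),
        (Principal(None, "anonymous"), "alice-notes.txt"),
        (Principal("bob", "user"),     "bob-notes.txt"),
        (Principal("bob", "user"),     "alice-notes.txt"),
        (Principal("root", "admin"),   "alice-notes.txt"),
    ]
    for who, doc in checks:
        try:
            fetch_document(who, doc)
            print(f"{who.role:9} {str(who.user_id):6} read   {doc}")
        except Forbidden:
            print(f"{who.role:9} {str(who.user_id):6} DENIED {doc}")
```

Two points of the design are worth noting. Unauthenticated requests are represented as a real principal with the "anonymous" role, so they pass through the same matrix lookup as everyone else instead of a separate code path that is easy to forget; a missing principal object is simply denied. The document handler never touches the web root: it resolves the requested name through its own registry and reads from the private directory, so a request that reaches the web server directly finds nothing to serve, and the `parents` check rejects any resolved path that escapes that directory.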

Discussion / Controversy

None

References

Guide to Authorization (OWASP)
Failure to Restrict URL Access (OWASP)
Insufficient Authentication (WASC)