Testing for Authorization - Revision history

Andrew Muller at 12:27, 8 August 2014

2014-08-08T12:27:16Z

2014-08-05T13:22:56Z

Amend Authorization links

2014-05-14T18:34:15Z

Final edit

2014-03-07T17:12:08Z

2008-12-13T20:06:12Z

2008-12-07T17:45:06Z

2008-12-07T17:42:11Z

2008-12-07T17:36:56Z

2008-11-01T23:06:31Z

2008-08-22T13:25:32Z

@@ Line 8: / Line 8: @@
-[[Testing for Path Traversal  (OTG-AUTHZ-002)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002)]]
+[[Testing for Path Traversal  (OTG-AUTHZ-001)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-001)]]
-[[Testing for Bypassing Authorization Schema  (OTG-AUTHZ-003)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-003)]]
+[[Testing for Bypassing Authorization Schema  (OTG-AUTHZ-002)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-002)]]
-[[Testing for Privilege escalation  (OTG-AUTHZ-004)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-004)]]
+[[Testing for Privilege escalation  (OTG-AUTHZ-003)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-003)]]
-[[Testing for Insecure Direct Object References (OTG-AUTHZ-005)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]]
+[[Testing for Insecure Direct Object References (OTG-AUTHZ-004)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-004)]]

@@ Line 8: / Line 8: @@
-[[Testing for Path Traversal  (OWASP-AZ-001)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002)]]
+[[Testing for Path Traversal  (OTG-AUTHZ-002)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002)]]
-[[Testing for Bypassing Authorization Schema  (OWASP-AZ-002)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-003)]]
+[[Testing for Bypassing Authorization Schema  (OTG-AUTHZ-003)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-003)]]
-[[Testing for Privilege escalation  (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-004)]]
+[[Testing for Privilege escalation  (OTG-AUTHZ-004)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-004)]]
-[[Testing for Insecure Direct Object References (OWASP-AZ-004)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]]
+[[Testing for Insecure Direct Object References (OTG-AUTHZ-005)|4.6.4 Testing for Insecure Direct Object References (OTG-AUTHZ-005)]]

@@ Line 4: / Line 4: @@
 ----
-Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for Authorization means understanding how the authorization process works, and using that information to circumvent the authorization mechanism.<br>
+Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for Authorization means understanding how the authorization process works, and using that information to circumvent the authorization mechanism.<br><br>
 Authorization is a process that comes after a successful authentication, so the tester will verify this point after he holds valid credentials, associated with a well-defined set of roles and privileges. During this kind of assessment, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester.
 [[Testing for Path Traversal  (OWASP-AZ-001)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002)]]

@@ Line 7: / Line 7: @@
 Authorization is a process that comes after a successful authentication, so the tester will verify this point after he holds valid credentials, associated with a well-defined set of roles and privileges. During this kind of assessment, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester.
-[[Testing for Path Traversal  (OWASP-AZ-001)|4.6.1 Testing for Path Traversal  (OWASP-AZ-001)]]<br>
+[[Testing for Path Traversal  (OWASP-AZ-001)|4.6.1 Testing Directory traversal/file include (OTG-AUTHZ-002)]]
-[[Testing_for_Bypassing_Authorization_Schema  (OWASP-AZ-002)|4.6.2 Testing for bypassing authorization schema  (OWASP-AZ-002)]]<br>
+[[Testing for Bypassing Authorization Schema  (OWASP-AZ-002)|4.6.2 Testing for bypassing authorization schema (OTG-AUTHZ-003)]]
-[[Testing_for_Privilege_escalation (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation  (OWASP-AZ-003)]]<br>
+[[Testing for Privilege escalation  (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation (OTG-AUTHZ-004)]]
-During this phase, the tester should verify that it is not possible for a user to modify his or her privileges/roles inside the application in ways that could allow privilege escalation attacks.

@@ Line 4: / Line 4: @@
 ----
-Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for Authorization means understanding how the authorization process works and using that information to circumvent the authorization mechanism.<br>
+Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for Authorization means understanding how the authorization process works, and using that information to circumvent the authorization mechanism.<br>
 Authorization is a process that comes after a successful authentication, so the tester will verify this point after he holds valid credentials, associated with a well-defined set of roles and privileges. During this kind of assessment, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester.

@@ Line 13: / Line 13: @@
 This kind of test focuses on verifying how the authorization schema has been implemented for each role/privilege to get access to reserved functions/resources.
-[[Testing_for_Privilege_escalation|4.6.3 Testing for Privilege Escalation]]<br>
+[[Testing_for_Privilege_escalation (OWASP-AZ-003)|4.6.3 Testing for Privilege Escalation  (OWASP-AZ-003)]]<br>
 During this phase, the tester should verify that it is not possible for a user to modify his or her privileges/roles inside the application in ways that could allow privilege escalation attacks.

@@ Line 5: / Line 5: @@
 Authorization is the concept of allowing access to resources only to those permitted to use them. Testing for Authorization means understanding how the authorization process works and using that information to circumvent the authorization mechanism.<br>
-Authorization is a process that comes after a successfull authentication, so the tester will verify this point after he holds valid credentials, associated with a well-defined set of roles and privileges. During this kind of assessment, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester.
+Authorization is a process that comes after a successful authentication, so the tester will verify this point after he holds valid credentials, associated with a well-defined set of roles and privileges. During this kind of assessment, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges assigned to the tester.
 [[Testing for Path Traversal|4.6.1 Testing for Path Traversal]]<br>

@@ Line 1: / Line 1: @@
 {{Template:OWASP Testing Guide v3}}
-''' Authorization Testing '''
+''' 4.6 Authorization Testing '''
 ----