
Difference between revisions of "Cornucopia - Ecommerce Website - AZ 10"

From OWASP
 
Line 11: Line 11:
 
=== Technical Note: ===
 
=== Technical Note: ===
  
Centralized authorization routines are a good programming practice, but like other routines, developers need to understand how they work, how to use them and any limitations. Such routines can be tested independently of other code and not only provide assurance on the quality, but it make refactorization an easy task and eliminate code duplicates and bad interpretations.
+
Centralized authorization routines are a good programming practice, but like other routines, developers need to understand how they work, how to use them and any limitations. Such routines can be tested independently of other code and not only provide assurance on the quality, but also make refactorization an easy task and eliminate code duplicates and bad interpretations.
  
 
Server side implementation and presentation layer representations of access control rules must match.
 
Server side implementation and presentation layer representations of access control rules must match.
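Review bot: the change from "but it make" to "but also make" fixes the grammar, but the clause still reads awkwardly; "refactorization" is not the usual term, and the sentence would be clearer as "but also make refactoring easy, eliminate duplicated code and avoid inconsistent interpretations of the rules".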

Latest revision as of 20:32, 29 March 2016

Cornucopia - Ecommerce Website AZ 10.png

Suit: Authorization

Card/Value: 10

Description:

Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions.

Technical Note:

Centralized authorization routines are good programming practice, but like any other routine, developers need to understand how they work, how to use them and their limitations. Such routines can be tested independently of the rest of the code, which not only provides assurance of their quality but also makes refactoring easy and eliminates duplicated code and inconsistent interpretations of the rules.

Server side implementation and presentation layer representations of access control rules must match.
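As an added illustration of this note (example code, not part of the Cornucopia card or any OWASP project), the Python sketch below routes every server-side interaction through one authorization routine, derives the user interface's menu from that same routine so the two layers cannot drift apart, and audits the registry for interactions that were registered without a rule. The policy table, action names and roles are constructed for the example.

```python
from typing import Callable

# Constructed policy table: the single place where access control rules live.
POLICY = {
    "order.view": {"customer", "support", "admin"},
    "order.cancel": {"customer", "admin"},
    "order.refund": {"admin"},
}

def is_authorized(roles: set, action: str) -> bool:
    """The centralized routine. Unknown actions are denied (no rule, no access)."""
    return bool(POLICY.get(action, set()) & roles)

ACTIONS: dict[str, Callable[..., str]] = {}   # server-side interactions by policy name

def action(name: str):
    """Register a handler; it is only reachable through dispatch(), never directly."""
    def register(fn):
        ACTIONS[name] = fn
        return fn
    return register

@action("order.cancel")
def cancel_order(order_id: str) -> str:
    return f"cancelled {order_id}"

@action("order.refund")
def refund_order(order_id: str) -> str:
    return f"refunded {order_id}"

@action("order.export")   # constructed mistake: registered with no policy rule
def export_orders() -> str:
    return "csv"

def dispatch(roles: set, name: str, *args) -> str:
    """Every interaction passes through is_authorized() before its handler runs."""
    if name not in ACTIONS:
        raise KeyError(name)
    if not is_authorized(roles, name):
        raise PermissionError(f"{name} denied for roles {sorted(roles)}")
    return ACTIONS[name](*args)

def visible_actions(roles: set) -> list[str]:
    """Presentation layer: build the menu from the same routine so UI and server agree."""
    return sorted(n for n in ACTIONS if is_authorized(roles, n))

def audit_coverage() -> list[str]:
    """Build-time check: registered interactions that have no policy rule at all."""
    return sorted(n for n in ACTIONS if n not in POLICY)
```

The audit lists gaps that the deny-by-default rule would otherwise hide behind a runtime error, so they can be fixed before release rather than discovered by a user.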

References:

OWASP SCP: 78, 91
OWASP ASVS: 4.1, 4.12
OWASP AppSensor: ACE1, ACE2, ACE3, ACE4
CAPEC: 36, 95, 121, 179
SAFECODE: 8, 10, 11

