Cornucopia - Ecommerce Website - AZ 6
Archived OWASP Foundation Wiki page; the current OWASP website is https://owasp.org
Latest revision as of 16:24, 21 January 2016
Suit: Authorization
Card/Value: 6
Description:
Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point.
Technical Note:
Even though a user may be permitted to access a particular page, the data that page reads or writes must also be checked against that user's privileges: an identifier supplied by the client (in a URL, form field or cookie) must never be the sole basis for selecting the record. For example, a user should be able to edit their own profile text, but not that of another user. Implement least privilege, and restrict users to only the data and system information required to perform their tasks.
NB: the key concept for this card is applying authorization controls at the data level. See AZ 5 for resource types controls, and AZ 7 for function/object/property controls.
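The following is an added example, not part of the Cornucopia card or any OWASP code: it contrasts a profile-edit handler that only checks the entry point with one that also checks the record itself, and shows the same idea on reads by filtering an order list server-side. The `Session` and `Request` types, the in-memory store and the sample requests are constructed for illustration and do not model any particular framework.

```python
"""Data-level authorization for a profile edit endpoint.

Added example, not part of the Cornucopia card: a user who is permitted to
reach the profile edit page must still be limited to their own record.
The Session/Request types, the in-memory store and the sample requests are
constructed for illustration and do not model any specific framework.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested record."""


@dataclass
class Session:
    user_id: int
    roles: set = field(default_factory=set)


@dataclass
class Request:
    session: Session
    params: dict  # form/query parameters exactly as the client sent them


def make_store() -> dict:
    """Constructed sample data: profiles keyed by user id, plus some orders."""
    return {
        "profiles": {
            101: {"owner": 101, "text": "Eduardo's profile"},
            102: {"owner": 102, "text": "Alice's profile"},
        },
        "orders": [
            {"id": 5001, "owner": 101, "total": 20.0},
            {"id": 5002, "owner": 102, "total": 95.5},
            {"id": 5003, "owner": 101, "total": 7.25},
        ],
    }


def can_use_edit_page(session: Session) -> bool:
    """Entry-point (page/URL) check: any authenticated user may open the form."""
    return session.user_id is not None


def edit_profile_vulnerable(req: Request, new_text: str, store: dict) -> dict:
    """Deliberately vulnerable: the page check passes, then the client-chosen
    user_id is trusted, so Eduardo can edit any profile (the AZ 6 failure)."""
    if not can_use_edit_page(req.session):
        raise Forbidden("login required")
    target = int(req.params["user_id"])  # attacker-controlled
    record = store["profiles"][target]   # no ownership check
    record["text"] = new_text
    return record


def edit_profile_secure(req: Request, new_text: str, store: dict) -> dict:
    """Same entry-point check, plus a data-level check on the record itself."""
    if not can_use_edit_page(req.session):
        raise Forbidden("login required")
    # Default to the caller's own id; an explicit id is still re-checked below.
    target = int(req.params.get("user_id", req.session.user_id))
    record = store["profiles"].get(target)
    # Deny by default: only the owner, or a support agent, may write this record.
    allowed = record is not None and (
        record["owner"] == req.session.user_id or "support" in req.session.roles
    )
    if not allowed:
        # One response for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("profile not accessible")
    record["text"] = new_text
    return record


def visible_orders(session: Session, store: dict) -> list:
    """Least privilege on reads: filter by owner server-side rather than
    returning every order and hiding rows in the UI."""
    if "support" in session.roles:
        return list(store["orders"])
    return [o for o in store["orders"] if o["owner"] == session.user_id]


if __name__ == "__main__":
    store = make_store()
    eduardo = Request(Session(101), {"user_id": "102"})  # tampered id
    print(edit_profile_vulnerable(eduardo, "tampered", store)["text"])
    try:
        edit_profile_secure(eduardo, "tampered", make_store())
    except Forbidden as exc:
        print("denied:", exc)
    print([o["id"] for o in visible_orders(Session(101), store)])
```

In a real application the ownership condition belongs where the data is fetched (for example in the query's `WHERE` clause keyed on the session's user id), so that a record the caller may not see is never loaded at all; returning the same response for a missing record and for someone else's record keeps the check from doubling as an id oracle.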
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 81 | 4.1 | ACE1 | 122 | 8 |
| 88 | 4.3 | ACE2 | | 10 |
| 131 | 4.4 | ACE3 | | 11 |
| | 15.7 | ACE4 | | |