Cornucopia - Ecommerce Website - AZ 6
Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point.
Even though a user may be permitted access to a particular page, the contents of that page should also verify access control privileges. For example, a user should be able to edit their own profile text, but not that for another user. Implement least privilege, and restrict users to only the data and system information that are required to perform their tasks.
|OWASP SCP||OWASP ASVS||OWASP AppSensor||CAPEC||SAFECODE|