Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization" (minor edit by James Landis)
Revision as of 21:47, 20 July 2013
Insufficient Authentication/Authorization
Root Cause Summary
Incorrect verification of identity and permissions can result in an unauthorized attacker accessing sensitive data or functionality.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
Enforce a proven authentication and authorization framework that favours policy-based configuration files over hard-coded authentication/authorization checks wherever possible.
Deny all access by default, and explicitly grant access per resource.
Enforce data storage outside of web roots to prevent requests which bypass the application's access control policy.
Custom Framework Solution
None
Custom Code Solution
Always apply the least-privilege principle to all transactions and data access. Define an access control matrix for all features, and implement the policy before implementing the feature.
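The deny-by-default, policy-driven check that the Generic Framework and Custom Code solutions above describe, as an added example that is not part of the OWASP page: the `POLICY` dictionary is a constructed stand-in for a policy configuration file (an access control matrix of resource, action and permitted roles), and `Principal`, `is_authorized` and `audit_uncovered_features` are hypothetical names chosen for this illustration.

```python
"""Deny-by-default, policy-driven authorization check (added example).

POLICY stands in for a configuration file: an access control matrix that
maps each resource to the roles allowed to perform each action. Anything
not explicitly listed is denied, so a feature shipped without a policy
entry is closed rather than open.
"""
from dataclasses import dataclass, field

# Constructed sample policy: resource -> action -> roles permitted.
# In a real deployment this is loaded from a policy file, not hard-coded.
POLICY = {
    "invoice": {"read": {"accounting", "admin"}, "write": {"admin"}},
    "report": {"read": {"analyst", "admin"}},
}


@dataclass
class Principal:
    """An authenticated user; unauthenticated requests carry no roles."""
    name: str
    authenticated: bool = False
    roles: set = field(default_factory=set)


def is_authorized(principal, resource, action, policy=POLICY):
    """Return True only when the policy explicitly grants the action.

    Unauthenticated principals, unknown resources, unknown actions and
    roles that are not listed all fall through to the default: deny.
    """
    if not principal.authenticated:
        return False
    allowed_roles = policy.get(resource, {}).get(action, set())
    return bool(principal.roles & allowed_roles)


def audit_uncovered_features(features, policy=POLICY):
    """List features with no policy entry yet.

    The matrix should be defined before a feature ships; until then every
    request to the feature is denied, which this audit makes visible.
    """
    return sorted(f for f in features if f not in policy)
```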
Discussion / Controversy