Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization"
Revision as of 09:54, 16 May 2013
Insufficient Authentication/Authorization
Root Cause Summary
Incorrect verification of identity and permissions can result in an attacker accessing sensitive data or functionality without being properly authenticated and/or authorized to do so.
Browser / Standards Solution
None
Perimeter Solution
Whenever possible, apply server-side Access Control Lists to those sections of sensitive data that shouldn't be publicly accessible.
Generic Framework Solution
Use a generic, proven authentication framework.
Deny all access by default, and explicitly grant access per item.
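The deny-by-default, explicit-grant model described here, and the role-based, least-privilege checks that reject anonymous callers described under Custom Framework Solution, as an added Python example (not code from the OWASP page; the roles, resources, users and the `POLICY` table are constructed for illustration):

```python
"""Deny-by-default, role-based authorization (added example, not from the OWASP page).

Every (resource, action) pair must be explicitly granted to a role; anything not
listed is denied, and anonymous callers never match any role.  Roles, resources
and user names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Mapping, Optional, Tuple

# A permission is a (resource, action) pair.  Only what is listed is ever allowed.
Permission = Tuple[str, str]

# Constructed role-based policy: explicit grants per item, nothing implicit.
POLICY: Mapping[str, FrozenSet[Permission]] = {
    "viewer": frozenset({("report", "read")}),
    "editor": frozenset({("report", "read"), ("report", "write")}),
    "admin": frozenset({("report", "read"), ("report", "write"),
                        ("report", "delete"), ("user", "manage")}),
}


@dataclass(frozen=True)
class Principal:
    """An authenticated caller.  `None` in place of a Principal means anonymous."""
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


class AuthorizationError(PermissionError):
    """Raised at an enforcement point when no explicit grant exists."""


def is_authorized(principal: Optional[Principal], resource: str, action: str) -> bool:
    """Return True only if one of the caller's roles holds an explicit grant.

    Anonymous callers are rejected before any lookup, so a sensitive function can
    never be reached without authentication.  Unknown roles, resources and actions
    all fall through to the default, which is deny.
    """
    if principal is None:
        return False
    wanted: Permission = (resource, action)
    return any(wanted in POLICY.get(role, frozenset()) for role in principal.roles)


def require(principal: Optional[Principal], resource: str, action: str) -> None:
    """Enforcement point for a transaction: raise instead of silently continuing."""
    if not is_authorized(principal, resource, action):
        who = principal.user_id if principal is not None else "anonymous"
        raise AuthorizationError(f"{who} may not {action} {resource}")


def delete_report(principal: Optional[Principal], report_id: str) -> str:
    """A sensitive function guarded at its entry point, not somewhere in the UI."""
    require(principal, "report", "delete")
    return f"report {report_id} deleted by {principal.user_id}"


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"editor"}))
    root = Principal("root", frozenset({"admin"}))
    print(is_authorized(None, "report", "read"))     # anonymous: denied
    print(is_authorized(alice, "report", "write"))   # explicit grant: allowed
    print(is_authorized(alice, "report", "delete"))  # not granted: denied
    print(delete_report(root, "q1"))
```

The point of `require` is that every sensitive transaction passes through one enforcement call whose failure mode is an exception, so forgetting a role or misspelling a resource name yields a denial rather than an accidental grant.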
Custom Framework Solution
Implement authorization checks to prevent anonymous access to sensitive data and functions.
Generate easily configurable role-based authentication and authorization policies.
Apply the least-privilege principle to all transactions, requiring authentication and authorization wherever applicable.
Generate sensitive content on the fly instead of saving sensitive content whenever possible.
Use random filenames whenever possible and regularly clean up temporary files.
Store sensitive data outside of webroots.
Custom Code Solution
None
Discussion / Controversy
References
Guide to Authorization (OWASP): https://www.owasp.org/index.php/Guide_to_Authorization
Insufficient Authentication (WASC): http://projects.webappsec.org/w/page/13246939/Insufficient%20Authentication