
Difference between revisions of "Reviewing Code for Authorization Issues"

From OWASP
Line 1: Line 1:
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
 
== Introduction ==
 
== Introduction ==
 +
Authorization issues cover a wide array of lyers in a web application; from the functional authorization of a user to gain access to a perticular funcation of the application is at the app layer to the Database access authorization and least privilege issues at the persistence layer.
 +
So what to look for whe performing a code review. From an attack perspective the most common issues are a result of curiousity and also exploitation of vulnerabilities such as SQL injection.
 +
'''Example''':
 +
A Database account used by an application with system/admin access upon which the application was vulnerable to SQL injection would result in a higher degree of impact rather than the same vulnerable application with a least privilege database account.
  
 
==How to locate the potentially vulnerable code ==
 
==How to locate the potentially vulnerable code ==
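
Review bot: the added introduction lines contain several misspellings ("lyers", "perticular", "funcation", "whe", "curiousity"), and the first sentence has a stray "is" ("of the application is at the app layer") that breaks its from/to construction. "So what to look for whe performing a code review." is a question and should end with a question mark. In the example, "a higher degree of impact rather than" would read more clearly as "a higher impact than". The '''Example''' label and its sentence are on separate source lines without a blank line between them, so they will render as one paragraph with the introduction; add a blank line if the example is meant to stand apart.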

Revision as of 10:12, 1 August 2007

OWASP Code Review Guide Table of Contents

Introduction

Authorization issues cover a wide array of layers in a web application, from the functional authorization of a user to access a particular function of the application at the application layer, to database access authorization and least-privilege issues at the persistence layer. So what should you look for when performing a code review? From an attack perspective, the most common issues are a result of curiosity and of the exploitation of vulnerabilities such as SQL injection.

Example: If an application that is vulnerable to SQL injection uses a database account with system/admin access, the impact is higher than it would be for the same vulnerable application using a least-privilege database account.
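
The example above, as a runnable sketch added here (not code from the OWASP guide): the same deliberately vulnerable query is run once with full access and once under a restriction. It assumes SQLite's authorizer callback as a stand-in for a least-privilege database account; the table names, function names and sample data are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one public table, one sensitive table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE credentials(username TEXT, password_hash TEXT);
        INSERT INTO products(name) VALUES ('widget'), ('gadget');
        INSERT INTO credentials VALUES ('admin', 'constructed-hash');
    """)
    return conn

def least_privilege(action, arg1, arg2, db_name, source):
    """Authorizer standing in for a restricted account: read products only."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "products":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # other tables, writes, DDL, PRAGMA, ATTACH

def search(conn, term):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)

def run(term):
    """Run the same vulnerable query as an admin-like and a restricted account."""
    admin = make_db()
    restricted = make_db()
    restricted.set_authorizer(least_privilege)
    return search(admin, term), search(restricted, term)

# Constructed input that reaches beyond the intended table.
INJECTED = "x' UNION SELECT password_hash FROM credentials --"

if __name__ == "__main__":
    print(run("widget"))   # both accounts serve the normal request
    print(run(INJECTED))   # only the unrestricted account exposes the other table
```

The restriction limits the impact of the flaw but does not remove it; the query in `search` still needs to be parameterized.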

How to locate the potentially vulnerable code

Vulnerable Patterns for Authorization issues

Good Patterns & procedures for Authorization