Category:WASS Check Authorization
Applications generally have numerous privileges, or roles, that a user can be granted. The application should not allow a user access to functionality he/she is not authorized for.
- Access to functionality should not be solely enforced by the user interface
- Whenever a page request is made to the application, the web application should check access control permissions against the user.
- Parameters should be checked for access control permission
- Users should be restricted to the information and functionality they see in the user interface. e.g. parameters that are used for menus should be verified to be “in range” for the currently logged in user before they are used.
- Protect against privilege levels from being disclosed outside of the application
- Users should only be identified by a single, hard to guess, identifier
- Privilege levels should be enforced on the web application only through the above identifier.
- All authorization decisions should be made on the server side based on the above identifier.
This category currently contains no pages or media.