Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization"

From OWASP
(initial page setup)
 
m
(2 intermediate revisions by one user not shown)
Line 17: Line 17:
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
  
Use an authentication framework.<br>
+
Use a generic, proven authentication framework.<br>
 +
Deny all access by default, and explicitly grant access per item.
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
 
+
Implement authorization checks to prevent anonymous access to sensitive data and functions.<br>
Apply least-privilege principle to all transactions, requiring authentication and authorization where applicable.  
+
Generate easy configurable role-based authentication and authorization policies.<br>
 +
Apply least-privilege principle to all transactions, requiring authentication and authorization wherever applicable. <br>
 +
Generate sensitive content on the fly instead of saving sensitive content whenever possible.<br>
 +
Use random filenames whenever possible and regularly clean up temporary files.<br>
 +
Store sensitive data outside of webroots.
  
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
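Review bot: two of the added Custom Framework Solution lines have grammar slips worth fixing before publishing: "Generate easy configurable role-based authentication and authorization policies" should read "easily configurable", and "Apply least-privilege principle to all transactions" wants the article ("the least-privilege principle"). Separately, the new lines on generating sensitive content on the fly, random filenames and cleaning up temporary files read as sensitive-data-handling advice rather than authentication/authorization controls; if they stay in this entry, a short clause explaining how they limit access to sensitive data (for example, that stored copies bypass the authorization check) would make the connection clear.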
Line 29: Line 34:
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
  
<discussion / controversy tracking here>
 
  
 
=== References ===
 
=== References ===
 
+
[https://www.owasp.org/index.php/Guide_to_Authorization Guide to Authorization (OWASP)]<br>
 +
[https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access Failure to Restrict URL Access (OWASP)]<br>
 
[http://projects.webappsec.org/w/page/13246939/Insufficient%20Authentication Insufficient Authentication (WASC)]
 
[http://projects.webappsec.org/w/page/13246939/Insufficient%20Authentication Insufficient Authentication (WASC)]
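Review bot: the unchanged context in this hunk still carries the literal placeholder "<discussion / controversy tracking here>" under Discussion / Controversy, which renders as a tag-like string on the page; this revision adds references but leaves that placeholder in place, so either fill the section or drop the placeholder line.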

Revision as of 04:55, 16 May 2013

Return to Periodic Table Working View


Insufficient Authentication/Authorization

Root Cause Summary

Incorrect verification of identity and permissions can result in an attacker accessing sensitive data or functionality without being properly authenticated and/or authorized to do so.

Browser / Standards Solution

None

Perimeter Solution

Whenever possible, apply server-side Access Control Lists to those sections of sensitive data that shouldn't be publicly accessible.

Generic Framework Solution

Use a generic, proven authentication framework.
Deny all access by default, and explicitly grant access per item.

Custom Framework Solution

Implement authorization checks to prevent anonymous access to sensitive data and functions.
Generate easily configurable role-based authentication and authorization policies.
Apply the least-privilege principle to all transactions, requiring authentication and authorization wherever applicable.
Generate sensitive content on the fly instead of saving sensitive content whenever possible.
Use random filenames whenever possible and regularly clean up temporary files.
Store sensitive data outside of webroots.
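The Generic and Custom Framework guidance above (deny all access by default, grant per item, block anonymous access, role-based policies) in working form, as an added example that is not part of the OWASP page; the policy table, resource names and roles are constructed for illustration, and the "weak" check is included only to show the insufficient pattern the entry describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample policy: each (resource, action) item is explicitly granted to
# a set of roles. Anything absent from this table is denied (deny by default).
POLICY = {
    ("invoice", "read"):   frozenset({"accountant", "admin"}),
    ("invoice", "delete"): frozenset({"admin"}),
    ("profile", "read"):   frozenset({"user", "accountant", "admin"}),
}


@dataclass(frozen=True)
class Principal:
    """Caller identity. user_id=None models an anonymous (unauthenticated) request."""
    user_id: Optional[str]
    roles: FrozenSet[str] = frozenset()


ANONYMOUS = Principal(user_id=None)


def weak_is_allowed(principal: Principal, resource: str, action: str) -> bool:
    """Insufficient check: only asks whether *someone* is logged in.
    Every authenticated user can then delete invoices, which is the flaw the entry describes."""
    return principal.user_id is not None


def is_allowed(principal: Principal, resource: str, action: str) -> bool:
    """Deny-by-default, role-based authorization applied per item:
    1. anonymous callers never reach a protected item;
    2. an item not listed in POLICY is denied, so there are no implicit grants;
    3. the caller must hold at least one role explicitly granted for that item."""
    if principal.user_id is None:
        return False
    granted = POLICY.get((resource, action))
    if granted is None:
        return False
    return bool(principal.roles & granted)


def require(principal: Principal, resource: str, action: str) -> None:
    """Guard to call at the start of every transaction; raises instead of returning."""
    if not is_allowed(principal, resource, action):
        raise PermissionError(f"{principal.user_id or 'anonymous'} may not {action} {resource}")


if __name__ == "__main__":
    bob = Principal("bob", frozenset({"user"}))
    print("weak check lets bob delete invoices:", weak_is_allowed(bob, "invoice", "delete"))
    print("deny-by-default check:", is_allowed(bob, "invoice", "delete"))
```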

Custom Code Solution

None

Discussion / Controversy

References

Guide to Authorization (OWASP): https://www.owasp.org/index.php/Guide_to_Authorization
Failure to Restrict URL Access (OWASP): https://www.owasp.org/index.php/Top_10_2010-A8-Failure_to_Restrict_URL_Access
Insufficient Authentication (WASC): http://projects.webappsec.org/w/page/13246939/Insufficient%20Authentication