Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization"

From OWASP
(One intermediate revision by one user not shown)
Line 5:

=== Root Cause Summary ===

− Incorrect verification of identity and permissions can results to an attacker accessing sensitive data or functionality without properly being authenticated and/or authorized to do so.
+ Incorrect verification of identity and permissions can result in an unauthorized attacker accessing sensitive data or functionality.

=== Browser / Standards Solution ===

Line 13:

=== Perimeter Solution ===

− Whenever possible, apply server-side Access Control Lists for those sections of sensitive data that should't be publicly accessible.
+ None

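Review bot: the server-side ACL guidance removed here is replaced by "None" rather than moved; its substance (deny all by default, grant explicitly per resource) survives in the Generic Framework Solution hunk of this same revision, so a one-line cross-reference to that section would serve readers better than "None", which reads as if no perimeter-layer control applies.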
=== Generic Framework Solution ===

− Use a generic, proven authentication framework.<br>
− Deny all access by default, and explicitly grant access per item.
+ Enforce a proven authentication and authorization framework scheme which emphasizes policy-based configuration files over hard-coded authentication/authorization checks wherever possible.
+
+ Deny all access by default, and explicitly grant access per resource.
+
+ Enforce data storage outside of web roots to prevent requests which bypass the application's access control policy.

=== Custom Framework Solution ===

− Implement authorization checks to prevent anonymous access to sensitive data and functions.<br>
− Generate easy configurable role-based authentication and authorization policies.<br>
− Apply least-privilege principle to all transactions, requiring authentication and authorization wherever applicable. <br>
− Generate sensitive content on the fly instead of saving sensitive content whenever possible.<br>
− Use random filenames whenever possible and regularly clean up temporary files.<br>
− Store sensitive data outside of webroots.
+ None

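Review bot: collapsing this section to "None" drops two items that do not reappear anywhere in the new revision, "Generate sensitive content on the fly instead of saving sensitive content whenever possible" and "Use random filenames whenever possible and regularly clean up temporary files"; the other four are covered by the new Generic Framework Solution and Custom Code Solution text. If those two are still considered valid guidance, keep them here or fold them into the Generic Framework Solution beside the web-root item.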
=== Custom Code Solution ===

− None
+ Always apply least-privilege principle to all transactions and data access. Define access control matrix for all features and implement policy before implementing the feature.

=== Discussion / Controversy ===

+ None

=== References ===

Latest revision as of 16:48, 20 July 2013


Insufficient Authentication/Authorization

Root Cause Summary

Incorrect verification of identity and permissions can result in an unauthorized attacker accessing sensitive data or functionality.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Enforce a proven authentication and authorization framework that favors policy-based configuration files over hard-coded authentication/authorization checks wherever possible.

Deny all access by default, and explicitly grant access per resource.

Enforce data storage outside of web roots to prevent requests which bypass the application's access control policy.

Custom Framework Solution

None

Custom Code Solution

Always apply the least-privilege principle to all transactions and data access. Define an access control matrix for every feature, and implement that policy before implementing the feature.
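The deny-by-default, per-resource grants of the Generic Framework Solution and the access control matrix of the Custom Code Solution, as an added Python example that is not from this OWASP page or any OWASP project: a policy table is consulted by one check that runs before each feature, so no feature body carries its own hard-coded authorization. The role, resource and action names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Access control matrix: (role, resource kind, action) -> granted. Anything
# absent is denied. In practice this is loaded from a policy configuration
# file; it is inline (with constructed roles/resources) so the example runs.
POLICY: Dict[Tuple[str, str, str], bool] = {
    ("admin", "invoice", "read"): True,
    ("admin", "invoice", "delete"): True,
    ("accountant", "invoice", "read"): True,
    ("accountant", "invoice", "export"): True,
    ("customer", "invoice", "read"): True,  # further limited to own records
}

@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]  # None means the request is unauthenticated
    role: Optional[str]

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: str

def is_allowed(principal: Principal, resource: Resource, action: str) -> bool:
    """Deny by default: require authentication, then an explicit policy
    grant, then an ownership check for the customer role."""
    if principal.user_id is None or principal.role is None:
        return False  # unauthenticated: never consult the policy table
    if not POLICY.get((principal.role, resource.kind, action), False):
        return False  # no explicit grant for this role/resource/action
    if principal.role == "customer" and resource.owner_id != principal.user_id:
        return False  # customers may only reach their own records
    return True

def authorized(action: str):
    """Decorator that runs the policy check before the feature body, so an
    ungranted request never reaches the feature's code."""
    def wrap(feature):
        def guarded(principal: Principal, resource: Resource, *args, **kwargs):
            if not is_allowed(principal, resource, action):
                raise PermissionError(f"{action} on {resource.kind} denied")
            return feature(principal, resource, *args, **kwargs)
        return guarded
    return wrap

@authorized("read")
def view_invoice(principal: Principal, resource: Resource) -> str:
    # Hypothetical feature: returns a label for the invoice being viewed.
    return f"invoice of {resource.owner_id}"
```

Adding a new feature means adding policy rows for it first; until they exist, every call to the feature is denied, which is the order the Custom Code Solution asks for.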

Discussion / Controversy

None

References

Guide to Authorization (OWASP)
Failure to Restrict URL Access (OWASP)
Insufficient Authentication (WASC)