OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization

Revision as of 04:39, 16 May 2013 by Peter Mosmans (talk | contribs)

Jump to: navigation, search

Return to Periodic Table Working View

Insufficient Authentication/Authorization

Root Cause Summary

Incorrect verification of identity and permissions can results to an attacker accessing sensitive data or functionality without properly being authenticated and/or authorized to do so.

Browser / Standards Solution


Perimeter Solution

Whenever possible, apply server-side Access Control Lists for those sections of sensitive data that should't be publicly accessible.

Generic Framework Solution

Use an authentication framework.
Deny all access by default, and explicitly grant access per item.

Custom Framework Solution

Generate easy configurable role-based authentication and authorization policies.
Apply least-privilege principle to all transactions, requiring authentication and authorization wherever applicable.

Custom Code Solution


Discussion / Controversy


Insufficient Authentication (WASC)