Reviewing Code for Authorization Issues

From OWASP
Revision as of 05:20, 1 August 2007 by EoinKeary (Talk | contribs)

OWASP Code Review Guide Table of Contents

Introduction

Authorization issues span many layers of a web application: from the functional authorization of a user to access a particular function of the application at the application layer, to database access authorization and least-privilege issues at the persistence layer. So what should you look for when performing a code review? From an attack perspective, the most common issues result from curiosity and from the exploitation of vulnerabilities such as SQL injection. Example: if an application that is vulnerable to SQL injection uses a database account with system/admin access, the impact is higher than for the same vulnerable application using a least-privilege database account.

How to locate the potentially vulnerable code

Vulnerable Patterns for Authorization issues

Good Patterns & procedures for Authorization