Access Control Issues
- Many applications use an "all or nothing" approach: once authenticated, all users have equal privileges
- Authorization logic often relies on security by obscurity (STO), assuming that:
  - Users will not find unlinked or hidden paths or functionality
  - Users will not find and tamper with "obscured" client-side parameters (e.g. "hidden" form fields, cookies, etc.)
- Applications with multiple permission levels/roles increase the likelihood of conflicting permission sets, resulting in unanticipated privileges
- Many administrative interfaces require only a password for authentication
- Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators
This tutorial covers the importance of access control and how to implement it successfully so that organizations can moderate risk.
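To make the first, second and last points above concrete, here is an added example (not code from the original post) contrasting an authorization check that trusts "authenticated" and a client-supplied hidden field with one that denies by default, looks roles up server side and audits each decision. The user names, roles, actions and request fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Server-side record of which roles each account holds (the only source of truth).
USER_ROLES: Dict[str, Set[str]] = {"alice": {"admin"}, "bob": {"user"}}

# Which roles may invoke which action; any action not listed is denied.
ACTION_ROLES: Dict[str, Set[str]] = {
    "view_profile": {"user", "admin"},
    "delete_user": {"admin"},
}

# Per-account audit trail so admin actions can be attributed to an individual.
AUDIT_LOG: List[Tuple[str, str, str]] = []


@dataclass
class Request:
    session_user: Optional[str]            # set by the server after login, None if anonymous
    action: str                            # the path/function being invoked
    form: Dict[str, str] = field(default_factory=dict)  # client-supplied, attacker-controlled


def authorize_vulnerable(req: Request) -> bool:
    """All-or-nothing plus security by obscurity: any logged-in user passes for
    every action (including unlinked ones), and the privilege level for the one
    guarded action is read from a "hidden" form field the client controls."""
    if req.session_user is None:
        return False
    if req.action == "delete_user":
        return req.form.get("role") == "admin"   # trusts the hidden input
    return True


def authorize_hardened(req: Request) -> bool:
    """Deny by default: the role set comes from the server-side store, unknown
    or hidden actions get no roles at all, and every decision is logged against
    the individual account so administrators can be told apart."""
    if req.session_user is None:
        return False
    allowed = ACTION_ROLES.get(req.action, set())        # unknown action -> empty set
    held = USER_ROLES.get(req.session_user, set())       # never read from req.form
    decision = bool(allowed & held)
    AUDIT_LOG.append((req.session_user, req.action, "allow" if decision else "deny"))
    return decision
```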