Auditing and Logging Vulnerabilities

From Guidance Share


Revision as of 02:00, 30 October 2006

Description

Authorization decides, based on the identity and role membership of the authenticated user, whether access to a particular resource or service is allowed or denied.

Vulnerabilities

  • Poor authorization control
  • Poor or predictable session identifiers

Attacks

  • Forceful Browsing
  • Session Hijacking

Countermeasures

Countermeasures to prevent Authorization attacks include:

  • Every object needs to have an authorization control that authorizes access based on the identity of the authenticated principal requesting access
  • Use strong random numbers for session identifiers (e.g., GUIDs)
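The two countermeasures above, shown together in an added example that is not part of the Guidance Share page: a per-object authorization check that a guessed URL cannot bypass, and session identifiers drawn from a cryptographic random source (this example uses Python's secrets module rather than GUIDs). The users, roles, documents and session store are constructed for illustration.

```python
# Added example (not from the Guidance Share page): object-level authorization
# plus unpredictable session identifiers. All names, roles and sample data
# below are constructed for illustration.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


# Sample data (constructed): each resource records its owner.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's report"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}
USERS = {
    "alice": Principal("alice", frozenset({"user"})),
    "bob": Principal("bob", frozenset({"user"})),
    "carol": Principal("carol", frozenset({"user", "auditor"})),
}
SESSIONS = {}  # session identifier -> user id (constructed in-memory store)


def new_session(user_id: str) -> str:
    """Issue a session identifier from a CSPRNG (256 bits of entropy), never
    a counter or timestamp that could be guessed to hijack another session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def is_authorized(principal: Principal, doc_id: str) -> bool:
    """Per-object check: the owner or an auditor may read; all others are denied."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    return doc["owner"] == principal.user_id or "auditor" in principal.roles


def get_document(session_id: str, doc_id: str):
    """Resolve the session to an authenticated principal, then authorize the
    specific object; a guessed object id (forceful browsing) still hits this check."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return None  # no authenticated principal behind this session id
    if not is_authorized(USERS[user_id], doc_id):
        return None  # authenticated, but not authorized for this object
    return DOCUMENTS[doc_id]["body"]
```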