Authorization

From Guidance Share


Description

Based on user identity and role membership, authorization to a particular resource or service is either allowed or denied.


Vulnerabilities

  • Poor authorization control
  • Poor or predictable session identifiers


Attacks

  • Forceful Browsing
  • Session Hijacking


Countermeasures

Countermeasures to prevent Authorization attacks include:

  • Every object needs to have an authorization control that authorizes access based on the identity of the authenticated principal requesting access
  • Use strong random numbers for session identifiers (e.g., GUIDs)
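The two countermeasures above, worked through as an added example (not code from Guidance Share): every resource access passes through one object-level check that uses the authenticated principal's identity and roles, so a request that merely names another user's resource id (forceful browsing) is refused, and session identifiers come from the operating system's CSPRNG via Python's `secrets` module. The resources, users and role assignments are constructed sample data. One caveat on the GUID suggestion: a GUID is only an adequate session identifier when it is generated from a cryptographically secure random source (a random version 4 UUID from `uuid.uuid4()` qualifies; time- or sequence-based GUIDs do not).

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (hypothetical ids, owners and roles, not from the page).
RESOURCES = {
    "doc-1001": {"owner": "alice", "kind": "document"},
    "doc-1002": {"owner": "bob", "kind": "document"},
    "report-7": {"owner": "carol", "kind": "report"},
}
ROLES = {
    "alice": {"user"},
    "bob": {"user"},
    "carol": {"user", "auditor"},
    "dave": {"user", "admin"},
}


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication; never taken from request parameters."""
    name: str
    roles: frozenset


# Server-side session table: session id -> authenticated user name.
SESSIONS = {}


def create_session(principal_name: str) -> str:
    """Issue an unpredictable session identifier (256 bits from the OS CSPRNG)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = principal_name
    return token


def resolve_principal(session_id: str):
    """Map a presented session id back to its principal, or None if unknown."""
    name = SESSIONS.get(session_id)
    if name is None:
        return None
    return Principal(name, frozenset(ROLES.get(name, ())))


def is_authorized(principal, action: str, resource_id: str) -> bool:
    """Object-level authorization: decided per resource, per principal, per action."""
    resource = RESOURCES.get(resource_id)
    if principal is None or resource is None:
        return False                      # unauthenticated or nonexistent object: deny
    if "admin" in principal.roles:
        return True                       # role-based grant
    if action == "read" and "auditor" in principal.roles and resource["kind"] == "report":
        return True                       # role-based grant limited to one object kind
    # Identity-based grant: owners may read and write their own objects only.
    return resource["owner"] == principal.name and action in ("read", "write")


def handle_request(session_id: str, action: str, resource_id: str):
    """Simulated request handler; knowing a resource id alone never grants access."""
    principal = resolve_principal(session_id)
    if not is_authorized(principal, action, resource_id):
        return 403, None
    return 200, RESOURCES[resource_id]


if __name__ == "__main__":
    sid = create_session("alice")
    print(handle_request(sid, "read", "doc-1001"))   # own document: allowed
    print(handle_request(sid, "read", "doc-1002"))   # someone else's id: denied
    print(handle_request("guessed-id", "read", "doc-1001"))  # no valid session: denied
```

The check lives in one function that every handler calls, which is what makes the "every object" requirement auditable: a new endpoint that fetches a resource without going through `is_authorized` is a reviewable defect rather than a silent gap.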

