Authorization

From Guidance Share

Revision as of 20:41, 1 December 2007; JD (Talk | contribs)


Description

Based on the identity of the authenticated user and the roles that user holds, access to a particular resource or service is either allowed or denied.


Vulnerabilities

  • Poor authorization control
  • Poor or predictable session identifiers


Attacks

  • Forceful Browsing
  • Session Hijacking


Countermeasures

Countermeasures to prevent Authorization attacks include:

  • Every object needs to have an authorization control that authorizes access based on the identity of the authenticated principal requesting access
  • Use strong random numbers for session identifiers (e.g., GUIDs)
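The following is an added example, not code from the Guidance Share page, showing both countermeasures together in Python: session identifiers drawn from the operating system's cryptographic random source, and a per-object authorization check that is run on every access so that a request for an object the caller was never linked to (forceful browsing) is still denied. The documents, principals and roles are constructed sample data, and the owner-or-auditor policy is an assumed example policy.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    body: str


# Constructed sample data (hypothetical): two documents and the roles each
# principal holds. A real application would load these from its data store.
DOCUMENTS = {
    "doc-1001": Document("doc-1001", "alice", "Alice's quarterly report"),
    "doc-1002": Document("doc-1002", "bob", "Bob's draft"),
}
ROLES = {
    "alice": {"user"},
    "bob": {"user"},
    "carol": {"user", "auditor"},  # auditors may read every document
}


class AuthorizationError(Exception):
    """Raised when a request must be denied; the caller maps it to 401/403."""


class SessionStore:
    """Maps session identifiers to the authenticated principal they belong to."""

    def __init__(self):
        self._sessions = {}

    def create(self, principal):
        # 32 bytes (256 bits) from the OS CSPRNG via the secrets module, so a
        # session id can be neither predicted nor enumerated by counting.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = principal
        return session_id

    def principal_for(self, session_id):
        return self._sessions.get(session_id)


def is_authorized(principal, doc):
    """Policy check for one object (assumed policy): owner or any auditor."""
    return doc.owner == principal or "auditor" in ROLES.get(principal, set())


def get_document(sessions, session_id, doc_id):
    """Resolve the session to a principal, then check this object's policy.

    The check runs on every object access, so a caller who supplies a doc_id
    they were never linked to is still denied. Whether the id exists is not
    revealed to an unauthorized caller: missing and forbidden look the same.
    """
    principal = sessions.principal_for(session_id)
    if principal is None:
        raise AuthorizationError("no authenticated session")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(principal, doc):
        raise AuthorizationError(f"{principal} may not access {doc_id}")
    return doc.body


if __name__ == "__main__":
    store = SessionStore()
    alice = store.create("alice")
    bob = store.create("bob")
    print(get_document(store, alice, "doc-1001"))
    try:
        get_document(store, bob, "doc-1001")
    except AuthorizationError as exc:
        print("denied:", exc)
```

On the "e.g., GUIDs" advice above: a GUID only qualifies as a strong session identifier when it is generated from a cryptographic random source (a version-4 GUID from a CSPRNG); a version-1 GUID is built from a timestamp and a MAC address and is predictable, which is why the example uses the `secrets` module directly.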

