Description

Goals

Documentation Uses

Overview

Background

Contributors

Classes of Attack

Contact

Appendix

License


Contributors
Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Currudo
Sacha Faust
JD Glaser
Jeremiah Grossman
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima



Insufficient Authorization
Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions. When a user is authenticated to a web site, it does not necessarily mean that he should have full access to all content and that functionality should be granted arbitrarily.

Authorization procedures are performed after authentication, enforcing what a user, service or application is permitted to do. Thoughtful restrictions should govern particular web site activity according to policy. Sensitive portions of a web site may need to be restricted to everyone expect to perhaps an administrator.

Example
In the past, many web sites have stored administrative content and/or functionality the in hidden directories such as /admin or /logs. If an attacker was to directly request these directories, he would be allowed access. He may thus be able to reconfigure the web server, access sensitive information or compromise the web site.

References
"Brute Force Attack", Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_force.html

"iDefense: Brute-Force Exploitation of Web Application Session ID's", By David Endler - iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf

Search this site
Home :: About Us :: Projects :: Mailing Lists :: Library :: News :: Links :: Contact Us
© Copyright 2005, Web Application Security Consortium. All rights reserved.