Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which lie beneath it — in particular, the application server, the database, and the operating system. Taking a defense-in-depth approach to security entails implementing access controls at each of these layers to create several layers of … Read more
Access controls are one of the easiest areas of web application security to understand, although a well-informed, thorough methodology must be carefully applied when implementing them. First, there are several obvious pitfalls to avoid. These usually arise from ignorance about the essential requirements of effective access control or flawed assumptions about the kinds of requests that … Read more
Before starting to probe the application to detect any actual access control vulnerabilities, you should take a moment to review the results of your application mapping exercises, to understand what the application’s actual requirements are in terms of access control, and therefore where it will probably be most fruitful to focus your attention. The easiest … Read more
Common Vulnerabilities Access controls can be divided into two broad categories: vertical and horizontal. Vertical access controls allow different types of users to access different parts of the application’s functionality. In the simplest case, this typically involves a division between ordinary users and administrators. In more complex cases, vertical access controls may involve fine-grained user … Read more