Learn about Access Control (or Authorization): granting or denying specific requests, and the design types and principles that prevent unauthorized access.
Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. There are several different types of access control design that should be considered, including Discretionary Access Control, Mandatory Access Control, Role-Based Access Control, and Attribute-Based Access Control. Key principles of access control design include designing access control thoroughly up front, forcing all requests to go through access control checks, denying by default, following the principle of least privilege, not hardcoding roles, and logging all access control events.
To prevent unauthorized access, it is important to implement access control measures. This includes designing access control thoroughly up front, ensuring that all requests go through access control checks, following the deny by default principle, implementing the principle of least privilege, avoiding hardcoding roles, and logging all access control events.
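The principles listed above, combined in one small sketch (an added example, not code from the original page): every handler goes through a single check, the check denies unless a permission is explicitly granted, handlers name a permission instead of a hardcoded role, and each decision is logged. The policy table, `User`, `requires` and the handler names are hypothetical.

```python
import functools
import logging
from dataclasses import dataclass

log = logging.getLogger("access_control")

# Constructed sample policy (assumption): roles map to permissions as data,
# so roles can be added or changed without editing handler code.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: tuple

class AccessDenied(Exception):
    """Raised when the central check refuses a request."""

def is_allowed(user, permission, policy=ROLE_PERMISSIONS):
    # Deny by default: unknown roles and unlisted permissions grant nothing.
    allowed = any(permission in policy.get(role, ()) for role in user.roles)
    # Log every decision, allow and deny alike; %r keeps odd names on one line.
    log.info("user=%r permission=%r decision=%s",
             user.name, permission, "allow" if allowed else "deny")
    return allowed

def requires(permission):
    """Route every call to the wrapped handler through is_allowed()."""
    def wrap(handler):
        @functools.wraps(handler)
        def guarded(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise AccessDenied(f"{user.name} lacks {permission}")
            return handler(user, *args, **kwargs)
        return guarded
    return wrap

# Handlers declare the least privilege they need, never a role name.
@requires("report:read")
def read_report(user, report_id):
    return f"report {report_id}"

@requires("report:write")
def update_report(user, report_id, body):
    return f"report {report_id} updated"
```
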
OWASP Top 10 2017-A5-Broken Access Control: This attack scenario involves exploiting broken access controls to gain unauthorized access to resources or perform actions that are not permitted.
OWASP Mobile Top 10 2014-M5 Poor Authorization and Authentication: This attack scenario involves exploiting poor authorization and authentication mechanisms in mobile applications, leading to unauthorized access or actions.