Web Application Security - The pitfalls and the brick walls
A DEVELOPER'S PERSPECTIVE – INSECURE DIRECT OBJECT REFERENCES
null Bangalore Feb 2014 meet
Author: Vamsi Krishna

Published in: Technology
Transcript of "Web Application Security | A developer's perspective - Insecure Direct Object References"

  1. Web Application Security - The pitfalls and the brick walls
     A DEVELOPER'S PERSPECTIVE – INSECURE DIRECT OBJECT REFERENCES
  2. What exactly is it about?
     • Authentication and authorization
     • Insecure Direct Object References
     • Why does it happen?
     • How to fix it?
  3. Authentication - Who are you?
     • Authentication is the process of identifying you.
     • It is the first step in securing any application or system.
     • The usual process is for the user to explicitly tell the system who they are by providing their login credentials.
  4. Authorization – What are you?
     • Authorization is the process of identifying what permissions the authenticated user has in the current system.
     • Obviously, it starts after authentication.
     • Authorization is usually initiated by the system/application on behalf of an authenticated user, by fetching their permission set from a data store.
  5. Insecure Direct Object References
     • It is a design flaw where the system designer/developer expects the user to follow the rules set by the system, with no infrastructure to protect sensitive assets and data when the user does not go by the rules.
     • This vulnerability is usually exploited by an already authenticated user with some level of access to the system.
     • An authenticated user may exploit a vulnerable system to access sensitive data by changing the parameters passed to the server to the ones they are trying to access.
  6. Why does it happen?
     • A thought process generally referred to as security through obscurity.
     • Fear of the cost involved in authorizing the user on every request.
     • General lack of awareness and oversight.
  7. How to fix this?
     • Authorization checks for every request by the user.
     • Using cryptographic hashes like MD5 to prevent data manipulation by the user.
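The flaw on slide 5 and both fixes on slide 7, as an added example that is not part of the original deck. A document-download handler trusts the id the client sends (the IDOR), a hardened version authorizes against the object on every request, and a third version hands out integrity-protected references. The documents, users and server key are constructed for the example. One caveat for the second fix: an unkeyed hash such as MD5 over the id can be recomputed by the client for any id they like, so the example uses a keyed HMAC instead, and still runs the ownership check after the tag verifies.

```python
"""Added example (not from the slides): an insecure direct object reference
in a document-download handler, and the two fixes the deck recommends:
an authorization check on every request, and an integrity-protected
reference. Data store, users and key are constructed for the example."""
import hmac
import hashlib
import secrets

# Constructed sample data: document id -> owner and contents.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}


class Forbidden(Exception):
    """Raised when the authenticated user may not read the object."""


def get_document_insecure(user, doc_id):
    """Vulnerable (slide 5): resolves whatever id the client sent.
    Any authenticated user can read any document by changing doc_id;
    the user argument is never consulted."""
    return DOCUMENTS[doc_id]["body"]


def get_document_checked(user, doc_id):
    """Fix 1 (slide 7): authorize against the object on every request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        # Same response for "missing" and "not yours", so the check does
        # not reveal which ids exist.
        raise Forbidden("not authorized for this document")
    return doc["body"]


# Fix 2: integrity-protected references. A server-side secret is assumed
# (constructed here; a real deployment loads it from configuration). The
# tag must be keyed: an unkeyed MD5/SHA digest of the id could simply be
# recomputed by the client for any id.
SERVER_KEY = secrets.token_bytes(32)


def make_reference(user, doc_id, key=SERVER_KEY):
    """Issue a reference bound to both the user and the object id."""
    msg = f"{user}:{doc_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{doc_id}.{tag}"


def get_document_by_reference(user, reference, key=SERVER_KEY):
    """Verify the reference belongs to this user before resolving it, then
    still apply the ownership check: the tag is defence in depth, not a
    replacement for authorization."""
    try:
        doc_id_str, tag = reference.split(".", 1)
        doc_id = int(doc_id_str)
    except ValueError:
        raise Forbidden("malformed reference")
    expected = hmac.new(key, f"{user}:{doc_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise Forbidden("reference has been tampered with")
    return get_document_checked(user, doc_id)


if __name__ == "__main__":
    # bob is authenticated and owns 102, but asks for alice's 101.
    print(get_document_insecure("bob", 101))        # leaks alice's data
    try:
        get_document_checked("bob", 101)
    except Forbidden as e:
        print("checked:", e)
    ref = make_reference("bob", 102)
    print(get_document_by_reference("bob", ref))    # bob's own document
    tampered = "101." + ref.split(".", 1)[1]        # swap the id, keep the tag
    try:
        get_document_by_reference("bob", tampered)
    except Forbidden as e:
        print("reference:", e)
```

The per-request check in `get_document_checked` is the fix that actually closes the hole; the signed reference only stops a client from manufacturing ids it was never issued, which is why `get_document_by_reference` calls the ownership check after the tag verifies rather than instead of it.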