05 application security fundamentals - part 2 - security mechanisms - authorization

•

0 likes•331 views

appsec

application security fundamentals - part 2 - security mechanisms - authorization

Technology

AUTHORIZATION
Security Mechanism:
Authentication
Authorization
Session Management
Data Validation
Error Handling
Logging
Encryption

Authorization Core Concepts
Is the user allowed to perform this action, within this context?
1st
2nd
Should the user be allowed this function at all?
Should the user have only limited context access?

Authorization Words to Live By
 Every function (page) must verify authorization to access
 Every function (page) must verify the access context
 Any client/server application must verify security on server

Authorization Words to Live By: #1
 The problem
– When access control checks are not applied consistently (or not at
all) users are able to access data or perform actions that they should
not be allowed to perform. This can lead to a wide range of
problems, including information exposures, denial of service, and
arbitrary code execution.
Every function (page) must verify authorization to access

Authorization Words to Live By: #2
 The problem
– The system's access control functionality does not prevent one user
from gaining access to another user's records by modifying the key
value identifying the record.
Every function (page) must verify access context

Real World Example – Fidelity Canada
Usually, when users can directly access a PDF or other non-code file from the
web server, (e.g., resource is located in the web root) there is no opportunity for
authorization code to execute.
With a predictable structure to the filename, it only takes minutes to create a
script capable of retrieving all of the statements/reports on the site!
Sullivan, B. (2002, May 30). Glitch at Fidelity Canada exposes customer info. Retrieved June 3, 2010, from
http://www.itworldcanada.com/news/glitch-at-fidelity-canada-exposes-customer-info/124086

Authorization Words to Live By: #3
 The problem
– The software is composed of a server that relies on the client to
implement a mechanism that is intended to protect the server. An
attacker can modify the client-side behavior to bypass the protection
mechanisms.
Any client/server application must verify security on the server

Real World Example – PayPal & Vendor Issue

What's hot

e-capture.net feature tourStijn Van Loo

Mobile security and drozer tool demoGowthamraj Palani

E capture movie (updated)Stijn Van Loo

Security vulnerabilityA. Shamel

OWASP Top 10 OverviewPiTechnologies

Android application security unveiledJan Hodermarsky

Pertemuan 14 keamanan sistem operasinewbie2019

Secure Code Warrior - Defense in depthSecure Code Warrior

Security TestingISsoft

Client /server security overviewMohamed Sayed

Android securityKrazy Koder

Network securityAshish Gaurkhede

Fighting The Top 7 Threats to Cloud CybersecurityDavid Zaizar

Crackingleighrlong

Secure Code Warrior - LoggingSecure Code Warrior

Web Application SecurityColin English

Security-testing presentationEzhilan Elangovan (Eril)

TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability AssessmentDawn Yankeelov

Content filters presentationkdore

Security testingKhizra Sammad

What's hot (20)

e-capture.net feature tour

Mobile security and drozer tool demo

E capture movie (updated)

Security vulnerability

OWASP Top 10 Overview

Android application security unveiled

Pertemuan 14 keamanan sistem operasi

Secure Code Warrior - Defense in depth

Security Testing

Client /server security overview

Android security

Network security

Fighting The Top 7 Threats to Cloud Cybersecurity

Cracking

Secure Code Warrior - Logging

Web Application Security

Security-testing presentation

TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment

Content filters presentation

Security testing

Viewers also liked

Date security security principlesLeo Mark Villar

Info hidingMuna AlKhayat

Data security authorization and access controlLeo Mark Villar

OPSEC Vulnerabilities And IndicatorsDepartment of Defense

6. Integrity and Security in DBMSkoolkampus

Security in E-commercem8817

Viewers also liked (6)

Date security security principles

Info hiding

Data security authorization and access control

OPSEC Vulnerabilities And Indicators

6. Integrity and Security in DBMS

Security in E-commerce

Similar to 05 application security fundamentals - part 2 - security mechanisms - authorization

Security Testing Training With ExamplesAlwin Thayyil

Bank One App Sec TrainingMike Spaulding

Secure coding guidelinesZakaria SMAHI

Solvit identity is the new perimeterS.E. CTS CERT-GOV-MD

Core defense mechanisms against security attacks on web applicationsKaran Nagrecha

IRJET- Survey on Web Application VulnerabilitiesIRJET Journal

Stop the Evil, Protect the EndpointBeyondTrust

Internet Security AgentInternational Journal of Engineering Inventions www.ijeijournal.com

H04025057International Journal of Engineering Inventions www.ijeijournal.com

The 5 Layers of Security Testing by Alan KochQA or the Highway

Module 12 (web application vulnerabilities)Wail Hassan

Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo

International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions www.ijeijournal.com

Owasp web securityPankaj Kumar Sharma

Two Aspect Endorsement Access Control for web Based Cloud Computing IRJET Journal

Web applications security conference slidesBassam Al-Khatib

Access Control, Authentication, and Public Key Infrastructure .docxdaniahendric

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security

Access Control, Authentication, and Public Key Infrastructure.docxdaniahendric

Similar to 05 application security fundamentals - part 2 - security mechanisms - authorization (20)

Security Testing Training With Examples

Bank One App Sec Training

Secure coding guidelines

Solvit identity is the new perimeter

Core defense mechanisms against security attacks on web applications

IRJET- Survey on Web Application Vulnerabilities

Stop the Evil, Protect the Endpoint

Internet Security Agent

H04025057

The 5 Layers of Security Testing by Alan Koch

Module 12 (web application vulnerabilities)

Application Security Testing for Software Engineers: An approach to build sof...

International Journal of Engineering Inventions (IJEI)

Owasp web security

Two Aspect Endorsement Access Control for web Based Cloud Computing

Web applications security conference slides

Access Control, Authentication, and Public Key Infrastructure .docx

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...

Access Control, Authentication, and Public Key Infrastructure.docx

Recently uploaded

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community

Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida

Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes

My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer

Pigging Solutions Piggable Sweeping ElbowsPigging Solutions

Key Features Of Token Development (1).pptxLBM Solutions

Install Stable Diffusion in windows machinePadma Pradeep

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays

DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre

SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren

Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada

Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar

Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited

Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren

My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar

costume and set research powerpoint presentationphoebematthew05

"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays

Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software

Recently uploaded (20)

Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx

Science&tech:THE INFORMATION AGE STS.pdf

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners

My INSURER PTE LTD - Insurtech Innovation Award 2024

Pigging Solutions Piggable Sweeping Elbows

Key Features Of Token Development (1).pptx

Install Stable Diffusion in windows machine

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...

DMCC Future of Trade Web3 - Special Edition

SQL Database Design For Developers at php[tek] 2024

Streamlining Python Development: A Guide to a Modern Project Setup

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024

Unleash Your Potential - Namagunga Girls Coding Club

Unlocking the Potential of the Cloud for IBM Power Systems

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365

Advanced Test Driven-Development @ php[tek] 2024

My Hashitalk Indonesia April 2024 Presentation

costume and set research powerpoint presentation

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation

05 application security fundamentals - part 2 - security mechanisms - authorization

1. AUTHORIZATION Security Mechanism: Authentication Authorization Session Management Data Validation Error Handling Logging Encryption

2. Authorization Core Concepts Is the user allowed to perform this action, within this context? 1st 2nd Should the user be allowed this function at all? Should the user have only limited context access?

3. Authorization Words to Live By  Every function (page) must verify authorization to access  Every function (page) must verify the access context  Any client/server application must verify security on server

4. Authorization Words to Live By: #1  The problem – When access control checks are not applied consistently (or not at all) users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. Every function (page) must verify authorization to access

5. Real World Example – CuteFlow Exploit

6. Authorization Words to Live By: #2  The problem – The system's access control functionality does not prevent one user from gaining access to another user's records by modifying the key value identifying the record. Every function (page) must verify access context

7. Real World Example – Fidelity Canada Usually, when users can directly access a PDF or other non-code file from the web server, (e.g., resource is located in the web root) there is no opportunity for authorization code to execute. With a predictable structure to the filename, it only takes minutes to create a script capable of retrieving all of the statements/reports on the site! Sullivan, B. (2002, May 30). Glitch at Fidelity Canada exposes customer info. Retrieved June 3, 2010, from http://www.itworldcanada.com/news/glitch-at-fidelity-canada-exposes-customer-info/124086

8. Authorization Words to Live By: #3  The problem – The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. An attacker can modify the client-side behavior to bypass the protection mechanisms. Any client/server application must verify security on the server

9. Real World Example – PayPal & Vendor Issue

05 application security fundamentals - part 2 - security mechanisms - authorization

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to 05 application security fundamentals - part 2 - security mechanisms - authorization

Similar to 05 application security fundamentals - part 2 - security mechanisms - authorization (20)

More from appsec

More from appsec (11)

Recently uploaded

Recently uploaded (20)

05 application security fundamentals - part 2 - security mechanisms - authorization