Access Control Pitfalls and Best Practices

© 2013 WhiteHat Security, Inc.
Access Control Best Practices
• Build a centralized AuthZ mechanism
• Code to the ACTIVITY, not the role
• Design AuthZ as a filter
• Deny by default, fail securely
• Server-side trusted data should drive AuthZ
• Be able to change entitlements in real time
• Design standardized data contextual AuthZ
• Build grouping for users and permissions

Access Control Anti-Patterns
• Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a standardized way (if at all)
• Access control logic that needs to be manually added to every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy

General Access Control Model
[Diagram: a Principal, once Authentication has established who it is, requests an Action; a Guard performs Authorization on that request before it reaches the Protected system.]
What is Access Control?
Authorization is the process where a system determines
if a specific user has access to a resource
• Feature/Activity: Represents app behavior only
• Entitlement/Permission: What a user is actually allowed to do and
what data they can access
• Principal/User: Who/what you are entitling
• Implicit Role: Named permission, user associated
– if (user.isRole("Manager"))
• Explicit Role: Named permission, resource associated
– if (user.isAuthorized("report:view:3324"))
Access Controls Impact
• Loss of accountability
– Attackers maliciously execute actions as other users
– Attackers maliciously execute higher level actions

• Disclosure of confidential data
– Compromising admin-level accounts often results in access to user’s
confidential data

• Data tampering
– Privilege levels do not distinguish users who can only view data and users
permitted to modify data

Attacks on Access Control
• Vertical Access Control Attacks
– A standard user accessing administration functionality

• Horizontal Access Control Attacks
– Same role, but accessing another user's private data

• Business Logic Access Control Attacks
– Abuse of one or more linked activities that collectively realize a business
objective

Hard-coded roles

Hard-Coded Roles
void editProfile(User u, EditUser eu) {
    if (u.isManager()) {
        editUser(eu);
    }
}
How do you change the policy of this code?

Hard-Coded Roles
if ((user.isManager() ||
     user.isAdministrator() ||
     user.isEditor()) &&
    user.id() != 1132)
{
    // execute action
}

Hard-Coded Roles
• Makes “proving” the policy of an application difficult for audit or
Q/A purposes
• Any time the access control policy needs to change, new code needs to
be pushed
• RBAC is often not granular enough
• Fragile, easy to make mistakes

© 2013 WhiteHat Security, Inc. & BCC Risk Advisory Ltd
Order-Specific Operations
Imagine the following parameters:
http://example.com/buy?action=chooseDataPackage
http://example.com/buy?action=customizePackage
http://example.com/buy?action=makePayment
http://example.com/buy?action=downloadData
Can an attacker control the sequence?
Can an attacker abuse this with concurrency?

Rarely Depend on Untrusted Data
• Avoid trusting request data for access control decisions
• Never make access control decisions in JavaScript
• Never make authorization decisions based solely on:
– hidden fields
– cookie values
– form parameters
– URL parameters
– anything else from the request

• Never depend on the order of values sent from the client
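The two slides above (order-specific operations, and never trusting the request for the sequence) as an added example that is not part of the deck: the `action` parameter still arrives from the client, but the server keeps each order's progress itself and accepts only the single step that is due next, under a per-order lock so concurrent duplicate requests cannot run a step twice. Python is used here rather than the deck's Java so it runs stand-alone; `OrderService`, `Order`, `WorkflowError` and the session user ids are constructed for the illustration, while the step names are the ones in the slide's URLs.

```python
"""Server-side step ordering for a multi-step purchase (added illustration, not the deck's code)."""
from __future__ import annotations

import threading
from dataclasses import dataclass, field

# The only legal sequence. It lives on the server; the client never chooses it.
WORKFLOW = ("chooseDataPackage", "customizePackage", "makePayment", "downloadData")


class WorkflowError(Exception):
    """Raised for an unknown, out-of-order, foreign, or already completed step."""


@dataclass
class Order:
    order_id: int
    owner_id: int                                        # bound from the session at creation
    completed: list[str] = field(default_factory=list)   # steps done so far, in order
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False, compare=False)

    def next_step(self) -> str | None:
        """The one action the server will accept next (None once the workflow is finished)."""
        return WORKFLOW[len(self.completed)] if len(self.completed) < len(WORKFLOW) else None


class OrderService:
    def __init__(self) -> None:
        self._orders: dict[int, Order] = {}
        self._next_id = 1

    def create(self, session_user_id: int) -> Order:
        order = Order(self._next_id, session_user_id)
        self._orders[order.order_id] = order
        self._next_id += 1
        return order

    def perform(self, session_user_id: int, order_id: int, action: str) -> str:
        """Handle /buy?action=<action> for <order_id>.

        `action` is untrusted request data and is only compared against what the
        server already knows must happen next. Ownership comes from the session,
        and the lock makes check-then-advance atomic per order.
        """
        order = self._orders.get(order_id)
        if order is None or order.owner_id != session_user_id:
            raise WorkflowError("no such order")        # same answer for missing and foreign orders
        if action not in WORKFLOW:
            raise WorkflowError("unknown action")
        with order.lock:
            expected = order.next_step()
            if action != expected:
                raise WorkflowError(f"{action!r} not allowed now; next step is {expected!r}")
            order.completed.append(action)               # advance only after the check passed
        return f"{action} completed for order {order_id}"


def race_payment(threads: int = 8) -> int:
    """Constructed check: `threads` concurrent makePayment requests for one order
    sitting at the payment step. Returns how many succeeded (expected: exactly 1)."""
    svc = OrderService()
    order = svc.create(session_user_id=100)
    svc.perform(100, order.order_id, "chooseDataPackage")
    svc.perform(100, order.order_id, "customizePackage")
    successes: list[int] = []
    barrier = threading.Barrier(threads)

    def attempt() -> None:
        barrier.wait()  # release all workers at once to maximise contention
        try:
            svc.perform(100, order.order_id, "makePayment")
            successes.append(1)
        except WorkflowError:
            pass

    workers = [threading.Thread(target=attempt) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return len(successes)


if __name__ == "__main__":
    svc = OrderService()
    o = svc.create(100)
    print(svc.perform(100, o.order_id, "chooseDataPackage"))
    print("payments that went through under contention:", race_payment())
```

Rejecting a missing order and another user's order with the same error keeps the endpoint from confirming which order ids exist, and the lock is what turns "the client sent makePayment twice at once" into one payment plus one rejected request.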

Best practice
Best Practice: Centralized AuthZ
• Define a centralized access controller
– ACLService.isAuthorized(PERMISSION_CONSTANT)
– ACLService.assertAuthorized(PERMISSION_CONSTANT)

• Access control decisions go through these simple APIs
• Centralized logic to drive policy behavior and persistence
• May contain data-driven access control policy information

Best Practice: Code to the Activity
int articleId = request.getInt("articleId");
if (AC.hasAccess("article:edit:" + articleId))
{
    // execute activity
}
• Code it once, never needs to change again
• Implies policy is centralized in some way
• Implies policy is persisted in some way
• Requires more design/work up front to get right

Using a Centralized Access Controller
In Presentation Layer
if (isAuthorized(Permission.VIEW_LOG_PANEL))
{
    <h2>Here are the logs</h2>
    <%= Encoder.forHTMLContent(getRawLogData()) %>
}

Using a Centralized Access Controller
In Controller
try {
    assertAuthorized(Permission.DELETE_USER);
    deleteUser();
} catch (Exception e) {
    // SOUND THE ALARM
}
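The hard-coded role checks, the centralized `ACLService.isAuthorized` / `assertAuthorized` pair, "code to the activity", and the controller that catches a failed assertion, as one added example that is not part of the deck (Python rather than the deck's Java so it runs stand-alone). `ACLService`, `AuthorizationError`, `User`, the `editor`/`reader` roles, the `article:*` permission names and the `edit_article` endpoint are all constructed for the illustration. Policy is plain data consulted on every call, an absent grant means denial, an internal failure also means denial, and revoking an entitlement changes the answer of the very next check without a code push.

```python
"""Centralized, activity-based authorization (added illustration, not the deck's code)."""
from __future__ import annotations

import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


class AuthorizationError(Exception):
    """Raised by assert_authorized when a check fails; the caller never sees a silent False."""


@dataclass(frozen=True)
class User:
    user_id: int
    name: str


class ACLService:
    """The one place access control decisions are made.

    Policy is data (role -> activity permissions, user -> roles) and is read on
    every call: nothing is cached on the session, so an entitlement change is
    visible to the next check.
    """

    def __init__(self) -> None:
        self._role_permissions: dict[str, set[str]] = {}
        self._user_roles: dict[int, set[str]] = {}

    # -- policy administration: change entitlements in real time ---------------
    def grant_to_role(self, role: str, permission: str) -> None:
        self._role_permissions.setdefault(role, set()).add(permission)

    def revoke_from_role(self, role: str, permission: str) -> None:
        self._role_permissions.get(role, set()).discard(permission)

    def assign_role(self, user: User, role: str) -> None:
        self._user_roles.setdefault(user.user_id, set()).add(role)

    # -- the two calls every endpoint goes through ------------------------------
    def is_authorized(self, user: User, permission: str) -> bool:
        """Deny by default: only an explicit grant on one of the user's roles yields True."""
        try:
            roles = self._user_roles.get(user.user_id, set())
            return any(permission in self._role_permissions.get(r, set()) for r in roles)
        except Exception:  # any internal failure is a denial, never an allow
            log.exception("authz check failed closed: user=%s perm=%s", user.user_id, permission)
            return False

    def assert_authorized(self, user: User, permission: str) -> None:
        if not self.is_authorized(user, permission):
            log.warning("DENIED user=%s perm=%s", user.user_id, permission)  # the alarm
            raise AuthorizationError(f"{user.name} lacks {permission}")


def edit_article(acl: ACLService, user: User, article_id: int) -> str:
    """Controller coded to the ACTIVITY: no role name appears here, so a policy
    change never requires touching this function."""
    acl.assert_authorized(user, "article:edit")
    return f"article {article_id} edited by {user.name}"


def demo() -> dict[str, bool]:
    """Constructed scenario: an editor, a reader, an unknown user, then a live revocation."""
    acl = ACLService()
    acl.grant_to_role("editor", "article:edit")
    acl.grant_to_role("editor", "article:view")
    acl.grant_to_role("reader", "article:view")
    alice, bob, mallory = User(1, "alice"), User(2, "bob"), User(3, "mallory")
    acl.assign_role(alice, "editor")
    acl.assign_role(bob, "reader")
    out = {
        "alice_can_edit": acl.is_authorized(alice, "article:edit"),
        "bob_can_edit": acl.is_authorized(bob, "article:edit"),
        "unknown_user_denied": not acl.is_authorized(mallory, "article:view"),
        "unknown_permission_denied": not acl.is_authorized(alice, "article:publish"),
    }
    acl.revoke_from_role("editor", "article:edit")  # policy change, no code push
    try:
        edit_article(acl, alice, 42)
        out["revocation_enforced"] = False
    except AuthorizationError:
        out["revocation_enforced"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Compare `edit_article` with the `editProfile` slide: the policy question "who may edit?" is answered in the service's data, not in the endpoint, which is what makes the policy auditable in one place and changeable without a deploy.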

SQL Integrated Access Control
• Example Feature
http://mail.example.com/viewMessage?msgid=2356342

• This SQL would be vulnerable to tampering
select * from messages where messageid = 2356342

• Ensure the owner is referenced in the query!
select * from messages where messageid = 2356342 AND
messages.message_owner = <userid_from_session>
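The two queries above as a runnable added example that is not from the deck, using Python's sqlite3 against a constructed in-memory `messages` table. `view_message_unscoped` has the vulnerable shape; `view_message` binds the owner taken from the session into the WHERE clause. Both use bound parameters instead of the literal ids shown on the slide; the message ids and user ids are constructed.

```python
"""Ownership bound into the query (added illustration, not the deck's code)."""
from __future__ import annotations

import sqlite3

# Constructed sample data: two users, one private message each.
SAMPLE_MESSAGES = [
    (2356342, 100, "alice's private note"),
    (2356343, 200, "bob's private note"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages ("
        "  messageid INTEGER PRIMARY KEY,"
        "  message_owner INTEGER NOT NULL,"
        "  body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def view_message_unscoped(conn: sqlite3.Connection, msgid: int) -> str | None:
    """The slide's vulnerable shape: keyed only by the request's msgid, so any
    authenticated user who supplies another user's id reads that message."""
    row = conn.execute("SELECT body FROM messages WHERE messageid = ?", (msgid,)).fetchone()
    return row[0] if row else None


def view_message(conn: sqlite3.Connection, session_user_id: int, msgid: int) -> str | None:
    """Owner referenced in the query. session_user_id comes from the server-side
    session, never from the request, so a foreign msgid simply returns no row."""
    row = conn.execute(
        "SELECT body FROM messages WHERE messageid = ? AND message_owner = ?",
        (msgid, session_user_id),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict[str, str | None]:
    """Bob (user 200) asks for Alice's message 2356342 through both versions."""
    conn = setup_db()
    return {
        "unscoped_bob_reads_alice": view_message_unscoped(conn, 2356342),
        "scoped_bob_reads_alice": view_message(conn, 200, 2356342),
        "scoped_alice_reads_alice": view_message(conn, 100, 2356342),
    }


if __name__ == "__main__":
    print(demo())
```

Returning "no row" for a foreign id, rather than fetching the row and checking ownership afterwards in application code, means a later refactor that forgets the check in one caller does not quietly reopen the hole.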

Data Contextual Access Control
Data Contextual / Horizontal Access Control API examples:
ACLService.isAuthorized(“car:view:321”)
ACLService.assertAuthorized(“car:edit:321”)

Long form:
isAuthorized(user, Perm.EDIT_CAR, Car.class, 321)

• Check if the user has the right role in the context of a specific
object
• Protecting data at the lowest level!

Apache SHIRO
http://shiro.apache.org/

• Apache Shiro is a powerful and easy-to-use Java security framework.
• Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management.
• Built on sound interface-driven design and OO principles.
• Enables custom behavior.
• Sensible and secure defaults for everything.
Solving Real World Access Control Problems with Apache Shiro
The Problem
Web application needs a secure access control mechanism

The Solution
if (currentUser.isPermitted("lightsaber:wield")) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}

Solving Real World Access Control Problems with Apache Shiro
The Problem
Web application needs to secure access to a specific object

The Solution
if (currentUser.isPermitted("winnebago:drive:" + winnebagoId)) {
    log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) "
             + "'eagle5'. Here are the keys - have fun!");
} else {
    log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
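The `car:view:321` and `winnebago:drive:eagle5` checks above (data contextual access control, and the two Shiro slides) both rest on how a granted permission string is matched against a requested one. As an added example that is neither the deck's nor Shiro's code, here is a Python re-implementation of the wildcard rules Shiro documents for its permission strings: `*` matches any value, `,` lists alternatives within a part, a grant with fewer parts than the request implies `*` for the missing trailing parts, and a longer grant only implies a shorter request if its extra parts are all `*` (Shiro's case folding is left out). The grant sets and requests in the demo are constructed.

```python
"""Shiro-style wildcard permission matching for data-contextual checks (added illustration)."""
from __future__ import annotations

WILDCARD, PART_SEP, SUBPART_SEP = "*", ":", ","


def parse(permission: str) -> list[set[str]]:
    """'car:view,edit:321' -> [{'car'}, {'view', 'edit'}, {'321'}].

    Empty parts and sub-parts are rejected so a malformed grant can never be
    read as something wider than intended.
    """
    parts = [p.strip() for p in permission.strip().split(PART_SEP)]
    if not permission.strip() or any(not p for p in parts):
        raise ValueError(f"malformed permission {permission!r}")
    subparts = [{s.strip() for s in p.split(SUBPART_SEP)} for p in parts]
    if any("" in sp for sp in subparts):
        raise ValueError(f"malformed permission {permission!r}")
    return subparts


def implies(granted: str, requested: str) -> bool:
    """True when `granted` covers `requested`.

    Part i of the grant must contain every sub-part requested at i, or be '*';
    a grant shorter than the request implies '*' for the missing parts; a grant
    longer than the request implies it only if all its extra parts are '*'.
    """
    g, r = parse(granted), parse(requested)
    for i, requested_part in enumerate(r):
        if i >= len(g):
            return True                      # trailing parts of the grant are implicit '*'
        granted_part = g[i]
        if WILDCARD not in granted_part and not requested_part <= granted_part:
            return False
    return all(WILDCARD in extra for extra in g[len(r):])


def is_authorized(grants: set[str], requested: str) -> bool:
    """Data-contextual check: deny by default, allow only if some grant implies the request."""
    return any(implies(g, requested) for g in grants)


def demo() -> dict[str, bool]:
    """Constructed user: may view every car, edit only car 321, drive winnebago eagle5."""
    grants = {"car:view:*", "car:edit:321", "winnebago:drive:eagle5"}
    return {
        "view_car_999": is_authorized(grants, "car:view:999"),
        "edit_car_321": is_authorized(grants, "car:edit:321"),
        "edit_car_322": is_authorized(grants, "car:edit:322"),
        "delete_car_321": is_authorized(grants, "car:delete:321"),
        "drive_eagle5": is_authorized(grants, "winnebago:drive:eagle5"),
        "drive_other": is_authorized(grants, "winnebago:drive:dark-helmet"),
    }


if __name__ == "__main__":
    print(demo())
```

The instance id is the last part of the string, which is why a grant such as `car:edit:321` protects a single row while `car:edit` (or `car:edit:*`) grants the activity across every instance; that is the distinction between vertical and horizontal checks carried into one string format.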
Data Contextual Access Control
[Entity diagram: User (User ID, User Name); Activity / Feature (Activity ID, Activity Name); Role (Role ID, Role Name); Data (Data Type, Data ID, Data Name); and an Entitlement / Privilege record that links them (User ID, Activity ID, Role ID, Data Type ID, Data Instance ID).]
Please steal and plagiarize this presentation!
GET THE WORD OUT
jim@owasp.org
slideshare.net/jimmanico

More Related Content

What's hot

Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIROCygnet Infotech
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Rakesh Kachhadiya
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 

What's hot (20)

Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 
J2EE Security with Apache SHIRO
J2EE Security with Apache SHIROJ2EE Security with Apache SHIRO
J2EE Security with Apache SHIRO
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0Development Security Framework based on Owasp Esapi for JSF2.0
Development Security Framework based on Owasp Esapi for JSF2.0
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!REST API Security: OAuth 2.0, JWTs, and More!
REST API Security: OAuth 2.0, JWTs, and More!
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 

Similar to Access Control Pitfalls v2

Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controldcervigni
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applicationskanimozhin
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversysKrishnendu Paul
 
Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts WSO2
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsTechcello
 
Pillars of great Azure Architecture
Pillars of great Azure ArchitecturePillars of great Azure Architecture
Pillars of great Azure ArchitectureKarthikeyan VK
 
Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Senturus
 
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Techcello
 
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Techcello
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...kanimozhin
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshopkanimozhin
 
Centrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptxCentrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptxjohncenafls
 
web application security
web application security web application security
web application security ahmed sami
 
Compliance technical controls and you rva sec 2019
Compliance technical controls and you   rva sec 2019Compliance technical controls and you   rva sec 2019
Compliance technical controls and you rva sec 2019Derek Banks
 
Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the networkWiliam Ferraciolli
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessHelpSystems
 

Similar to Access Control Pitfalls v2 (20)

Cm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_controlCm3 secure code_training_1day_access_control
Cm3 secure code_training_1day_access_control
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
Injection techniques conversys
Injection techniques conversysInjection techniques conversys
Injection techniques conversys
 
Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts Identity and Entitlement Management Concepts
Identity and Entitlement Management Concepts
 
Security Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS ApplicationsSecurity Architecture Best Practices for SaaS Applications
Security Architecture Best Practices for SaaS Applications
 
Pillars of great Azure Architecture
Pillars of great Azure ArchitecturePillars of great Azure Architecture
Pillars of great Azure Architecture
 
Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1Admin Features Upgraded in Cognos 11.1
Admin Features Upgraded in Cognos 11.1
 
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
 
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
Building Multi-tenant, Configurable, High Quality Applications on .NET for an...
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NET
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
Alliance Compant Presentation
Alliance Compant PresentationAlliance Compant Presentation
Alliance Compant Presentation
 
Centrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptxCentrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptx
 
web application security
web application security web application security
web application security
 
Compliance technical controls and you rva sec 2019
Compliance technical controls and you   rva sec 2019Compliance technical controls and you   rva sec 2019
Compliance technical controls and you rva sec 2019
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the network
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC Access
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

Access Control Pitfalls v2

  • 1. Access Control Pitfalls and Best Practices © 2013 WhiteHat Security, Inc.
  • 2. Access Control Best Practices • Build a centralized AuthZ mechanism • Code to the ACTIVITY, not the role • Design AuthZ as a filter • Deny by default, fail securely • Server-side trusted data should drive AuthZ • Be able to change entitlements in real time • Design standardized data contextual AuthZ • Build grouping for users and permissions © 2013 WhiteHat Security, Inc.
  • 3. Access Control Anti-Patterns • • • • • Hard-coded role checks in application code Lack of centralized access control logic Untrusted data driving access control decisions Access control that is “open by default” Lack of addressing horizontal access control in a standardized way (if at all) • Access control logic that needs to be manually added to every endpoint in code • Access Control that is “sticky” per session • Access Control that requires per-user policy © 2013 WhiteHat Security, Inc
  • 4. General Access Control Model Action Authentication © 2013 WhiteHat Security, Inc Guard Principal Protected system Authorization
  • 5. What is Access Control? Authorization is the process where a system determines if a specific user has access to a resource • Feature/Activity: Represents app behavior only • Entitlement/Permission: What a user is actually allowed to do and what data they can access • Principle/User: Who/what you are entitling • Implicit Role: Named permission, user associated – if (user.isRole(“Manager”)); • Explicit Role: Named permission, resource associated – if (user.isAuthorized(“report:view:3324”); © 2013 WhiteHat Security, Inc.
  • 6. Access Controls Impact
    – Loss of accountability: attackers maliciously execute actions as other users, or execute higher-level actions
    – Disclosure of confidential data: compromising admin-level accounts often results in access to users' confidential data
    – Data tampering: privilege levels do not distinguish users who can only view data from users permitted to modify data
  • 7. Attacks on Access Control
    – Vertical access control attacks: a standard user accessing administration functionality
    – Horizontal access control attacks: same role, but accessing another user's private data
    – Business logic access control attacks: abuse of one or more linked activities that collectively realize a business objective
  • 8. Hard-coded roles
  • 9. Hard-Coded Roles
        void editProfile(User u, EditUser eu) {
            if (u.isManager()) {
                editUser(eu);
            }
        }
    How do you change the policy of this code?
  • 10. Hard-Coded Roles
        if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132) {
            // execute action
        }
  • 11. Hard-Coded Roles
    – Makes “proving” the policy of an application difficult for audit or Q/A purposes
    – Any time the access control policy needs to change, new code needs to be pushed
    – RBAC is often not granular enough
    – Fragile, easy to make mistakes
    © 2013 WhiteHat Security, Inc. & BCC Risk Advisory Ltd
  • 13. Order-Specific Operations
    Imagine the following parameters:
        http://example.com/buy?action=chooseDataPackage
        http://example.com/buy?action=customizePackage
        http://example.com/buy?action=makePayment
        http://example.com/buy?action=downloadData
    Can an attacker control the sequence? Can an attacker abuse this with concurrency?
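As an added example (not from the slides), one way to answer both questions on the server: the next permitted step of the buy flow is tracked per order in server-side state, so the client's action parameter and request ordering decide nothing, and a lock makes check-and-advance atomic so concurrent requests cannot repeat a step. Step names come from the slide; the OrderFlow class and ids are assumptions.

```python
# Added example (not from the slides): enforcing the buy-flow order from slide 13
# on the server. The next permitted step is tracked per order in server-side state,
# so the client's action parameter and request ordering decide nothing, and a lock
# makes check-and-advance atomic so concurrent requests cannot repeat a step.
# Step names come from the slide; the rest is constructed.
import threading

FLOW = ["chooseDataPackage", "customizePackage", "makePayment", "downloadData"]

class OrderFlow:
    def __init__(self):
        self._next = {}                 # order id -> index of the next permitted step
        self._lock = threading.Lock()   # serialises check-and-advance per process

    def attempt(self, order_id, action):
        """Return (ok, message); advance the order only when action is the expected step."""
        with self._lock:
            idx = self._next.get(order_id, 0)
            if idx >= len(FLOW):
                return False, "order already complete"
            if action != FLOW[idx]:          # unknown, skipped or repeated step
                return False, f"expected {FLOW[idx]}, got {action}"
            self._next[order_id] = idx + 1
            return True, f"{action} done"

def race(flow, order_id, action, n):
    """Fire n concurrent requests for the same step; returns how many were accepted."""
    results = []
    def worker():
        results.append(flow.attempt(order_id, action)[0])
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

The in-process lock is enough for a single server; across several servers the same check-and-advance has to happen in a shared store (a database transaction or a row-level lock) instead.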
  • 14. Rarely Depend on Untrusted Data
    – Avoid trusting request data for access control decisions
    – Never make access control decisions in JavaScript
    – Never make authorization decisions based solely on hidden fields, cookie values, form parameters, URL parameters, or anything else from the request
    – Never depend on the order of values sent from the client
  • 15. Best practice
  • 16. Best Practice: Centralized AuthZ
    – Define a centralized access controller:
        ACLService.isAuthorized(PERMISSION_CONSTANT)
        ACLService.assertAuthorized(PERMISSION_CONSTANT)
    – Access control decisions go through these simple APIs
    – Centralized logic to drive policy behavior and persistence
    – May contain data-driven access control policy information
  • 17. Best Practice: Code to the Activity
        int articleId = request.getInt("articleId");
        if (AC.hasAccess("article:edit:" + articleId)) {
            // execute activity
        }
    – Code it once, never needs to change again
    – Implies policy is centralized in some way
    – Implies policy is persisted in some way
    – Requires more design/work up front to get right
  • 18. Using a Centralized Access Controller in the Presentation Layer
        <% if (isAuthorized(Permission.VIEW_LOG_PANEL)) { %>
            <h2>Here are the logs</h2>
            <%= Encoder.forHTMLContent(getRawLogData()) %>
        <% } %>
  • 19. Using a Centralized Access Controller in the Controller
        try {
            assertAuthorized(Permission.DELETE_USER);
            deleteUser();
        } catch (Exception e) {
            // SOUND THE ALARM
        }
  • 20. SQL Integrated Access Control
    – Example feature: http://mail.example.com/viewMessage?msgid=2356342
    – This SQL would be vulnerable to tampering:
        select * from messages where messageid = 2356342
    – Ensure the owner is referenced in the query!
        select * from messages where messageid = 2356342 AND messages.message_owner = <userid_from_session>
    © 2013 WhiteHat Security, Inc. & BCC Risk Advisory Ltd
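The two queries from the slide run against a constructed table, as an added example that is not part of the presentation: the lookup by message id alone, and the owner-scoped lookup where the user id comes from the server-side session. The table layout, rows and function names are assumptions; ids are bound as parameters rather than concatenated into the SQL.

```python
# Added example (not from the slides): the viewMessage lookup from slide 20, first
# with the message id alone and then with the owner scoped into the query. In-memory
# SQLite with constructed rows; the user id comes from the server-side session, and
# the ids are bound as parameters rather than concatenated into the SQL.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (messageid INTEGER PRIMARY KEY, "
               "message_owner INTEGER NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        (2356342, 1001, "Alice's quarterly numbers"),   # constructed rows
        (2356343, 1002, "Bob's private note"),
    ])
    return db

def view_message_unscoped(db, msgid):
    # Slide's vulnerable form: any logged-in user can read any message by changing msgid.
    row = db.execute("SELECT body FROM messages WHERE messageid = ?", (msgid,)).fetchone()
    return row[0] if row else None

def view_message(db, session_user_id, msgid):
    # Owner referenced in the query: another user's message simply does not exist here,
    # so the horizontal check cannot be forgotten at the endpoint.
    row = db.execute(
        "SELECT body FROM messages WHERE messageid = ? AND message_owner = ?",
        (msgid, session_user_id),
    ).fetchone()
    return row[0] if row else None
```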
  • 21. Data Contextual Access Control
    Data contextual / horizontal access control API examples:
        ACLService.isAuthorized("car:view:321")
        ACLService.assertAuthorized("car:edit:321")
    Long form:
        isAuthorized(user, Perm.EDIT_CAR, Car.class, 321)
    – Check if the user has the right role in the context of a specific object
    – Protecting data at the lowest level!
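An added example (not code from the slides) that ties slides 9 to 11, 16, 17 and 21 together: a centralized ACLService whose permissions are "resource:activity[:instance]" strings, whose policy is a data table that can change without a code push, and which denies anything not explicitly granted, so the endpoint is coded to the activity rather than to a role. The class, the roles, the wildcard convention and the ownership table are assumptions.

```python
# Added example (not from the slides): a centralized ACLService in the style of
# slides 16, 17 and 21. Permissions are "resource:activity[:instance]" strings,
# policy is a data table (changed without a code push), deny by default.
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    pass

@dataclass
class User:
    user_id: int
    roles: set = field(default_factory=set)

class ACLService:
    def __init__(self, role_policy, owners):
        # role -> granted activities. "article:edit" = may edit instances the
        # user owns; "article:edit:*" = may edit any instance (vertical grant).
        self.role_policy = role_policy
        self.owners = owners  # (resource, instance id) -> owner user id

    def is_authorized(self, user, permission):
        parts = permission.split(":")
        if len(parts) not in (2, 3) or not all(parts):
            return False  # malformed permission string: deny, never guess
        granted = set().union(*(self.role_policy.get(r, set()) for r in user.roles))
        activity = ":".join(parts[:2])
        if activity + ":*" in granted:
            return True  # role may perform the activity on any instance
        if len(parts) == 2:
            return activity in granted
        # Data-contextual (horizontal) check: granted AND this instance is the user's
        return activity in granted and self.owners.get((parts[0], parts[2])) == user.user_id

    def assert_authorized(self, user, permission):
        if not self.is_authorized(user, permission):
            raise AuthorizationError(f"user {user.user_id} denied {permission}")

# Constructed policy and ownership table (would normally be persisted, not coded).
POLICY = {
    "viewer": {"article:view"},
    "editor": {"article:view", "article:edit"},
    "admin": {"article:view:*", "article:edit:*", "user:delete"},
}
OWNERS = {("article", "17"): 42, ("article", "18"): 7}
ACL = ACLService(POLICY, OWNERS)

def edit_article(user, article_id, new_body, store):
    # Coded to the activity, not the role: the endpoint never asks "is manager?"
    ACL.assert_authorized(user, f"article:edit:{article_id}")
    store[article_id] = new_body
    return True
```

Changing who may edit which articles is now a change to POLICY or OWNERS, and the audit question "what is the policy?" is answered by reading one table instead of every endpoint.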
  • 22. Apache Shiro
    http://shiro.apache.org/
    – Apache Shiro is a powerful and easy-to-use Java security framework.
    – Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management.
    – Built on sound interface-driven design and OO principles.
    – Enables custom behavior.
    – Sensible and secure defaults for everything.
  • 23. Solving Real World Access Control Problems with Apache Shiro
    The problem: the web application needs a secure access control mechanism.
    The solution:
        if (currentUser.isPermitted("lightsaber:wield")) {
            log.info("You may use a lightsaber ring. Use it wisely.");
        } else {
            log.info("Sorry, lightsaber rings are for schwartz masters only.");
        }
  • 24. Solving Real World Access Control Problems with Apache Shiro
    The problem: the web application needs to secure access to a specific object.
    The solution:
        if (currentUser.isPermitted("winnebago:drive:" + winnebagoId)) {
            log.info("You are permitted to 'drive' the 'winnebago' with license plate (id) 'eagle5'. Here are the keys - have fun!");
        } else {
            log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
        }
  • 25. Data Contextual Access Control (data model)
    – Activity / Feature: Activity ID, Activity Name
    – User: User ID, User Name
    – Data: Data Type, Data ID, Data Name
    – Role: Role ID, Role Name
    – Entitlement / Privilege: User ID, Activity ID, Role ID, Data Type ID, Data Instance ID
  • 26. Please steal and plagiarize this presentation! GET THE WORD OUT
    jim@owasp.org
    slideshare.net/jimmanico

Editor's Notes

  1. Frank Piessens
  2. User Joe can execute ViewReport as a manager specific to DataSet 2314