SlideShare a Scribd company logo

05 application security fundamentals - part 2 - security mechanisms - authorization

A
appsec

The document discusses authorization concepts and best practices. It emphasizes that every function must verify authorization to access and context, and that client/server applications must verify security on the server. It provides examples of real-world issues that occurred when these principles were not followed, such as information exposures and arbitrary code execution. Verifying authorization and access context properly is important to prevent unauthorized access and exploitation.

Technology
1 of 9
1
2
3
4
5
6
7
8
9
AUTHORIZATION Security Mechanism: Authentication Authorization Session Management Data Validation Error Handling Logging Encryption
Authorization Core Concepts Is the user allowed to perform this action, within this context? 1st 2nd Should the user be allowed this function at all? Should the user have only limited context access?
Authorization Words to Live By  Every function (page) must verify authorization to access  Every function (page) must verify the access context  Any client/server application must verify security on server
Authorization Words to Live By: #1  The problem – When access control checks are not applied consistently (or not at all) users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. Every function (page) must verify authorization to access
Real World Example – CuteFlow Exploit
Authorization Words to Live By: #2  The problem – The system's access control functionality does not prevent one user from gaining access to another user's records by modifying the key value identifying the record. Every function (page) must verify access context
Real World Example – Fidelity Canada Usually, when users can directly access a PDF or other non-code file from the web server, (e.g., resource is located in the web root) there is no opportunity for authorization code to execute. With a predictable structure to the filename, it only takes minutes to create a script capable of retrieving all of the statements/reports on the site! Sullivan, B. (2002, May 30). Glitch at Fidelity Canada exposes customer info. Retrieved June 3, 2010, from http://www.itworldcanada.com/news/glitch-at-fidelity-canada-exposes-customer-info/124086
Authorization Words to Live By: #3  The problem – The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. An attacker can modify the client-side behavior to bypass the protection mechanisms. Any client/server application must verify security on the server
Real World Example – PayPal & Vendor Issue

More Related Content

PDF
Broken access control
Priyanshu Gandhi
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
PDF
Web application sec_3
vhimsikal
 
PPTX
Data base security and injection
A. Shamel
 
PPTX
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
PPTX
Security Testing for Web Application
Precise Testing Solution
 
PPT
Security Software
bennybigbang
 
PDF
E capture movie (PDF version)
Stijn Van Loo
 
Broken access control
Priyanshu Gandhi
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Lenur Dzhemiliev
 
Web application sec_3
vhimsikal
 
Data base security and injection
A. Shamel
 
06 application security fundamentals - part 2 - security mechanisms - sessi...
appsec
 
Security Testing for Web Application
Precise Testing Solution
 
Security Software
bennybigbang
 
E capture movie (PDF version)
Stijn Van Loo
 

What's hot (20)

PPTX
e-capture.net feature tour
Stijn Van Loo
 
PPTX
Mobile security and drozer tool demo
Gowthamraj Palani
 
PPTX
E capture movie (updated)
Stijn Van Loo
 
PPTX
Security vulnerability
A. Shamel
 
PDF
OWASP Top 10 Overview
PiTechnologies
 
PPTX
Android application security unveiled
Jan Hodermarsky
 
PDF
Pertemuan 14 keamanan sistem operasi
newbie2019
 
PPTX
Secure Code Warrior - Defense in depth
Secure Code Warrior
 
PPT
Security Testing
ISsoft
 
PDF
Client /server security overview
Mohamed Sayed
 
PDF
Android security
Krazy Koder
 
PPTX
Network security
Ashish Gaurkhede
 
PDF
Fighting The Top 7 Threats to Cloud Cybersecurity
David Zaizar
 
DOC
Cracking
leighrlong
 
PPTX
Secure Code Warrior - Logging
Secure Code Warrior
 
PPT
Web Application Security
Colin English
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPT
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
Dawn Yankeelov
 
PPTX
Content filters presentation
kdore
 
PPTX
Security testing
Khizra Sammad
 
e-capture.net feature tour
Stijn Van Loo
 
Mobile security and drozer tool demo
Gowthamraj Palani
 
E capture movie (updated)
Stijn Van Loo
 
Security vulnerability
A. Shamel
 
OWASP Top 10 Overview
PiTechnologies
 
Android application security unveiled
Jan Hodermarsky
 
Pertemuan 14 keamanan sistem operasi
newbie2019
 
Secure Code Warrior - Defense in depth
Secure Code Warrior
 
Security Testing
ISsoft
 
Client /server security overview
Mohamed Sayed
 
Android security
Krazy Koder
 
Network security
Ashish Gaurkhede
 
Fighting The Top 7 Threats to Cloud Cybersecurity
David Zaizar
 
Cracking
leighrlong
 
Secure Code Warrior - Logging
Secure Code Warrior
 
Web Application Security
Colin English
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
TALK Cybersecurity Summit 2017 Slides: Chris Goggans on Vulnerability Assessment
Dawn Yankeelov
 
Content filters presentation
kdore
 
Security testing
Khizra Sammad
 
Ad

Viewers also liked (6)

PPTX
Date security security principles
Leo Mark Villar
 
PPT
Info hiding
Muna AlKhayat
 
PPTX
Data security authorization and access control
Leo Mark Villar
 
PPT
OPSEC Vulnerabilities And Indicators
Department of Defense
 
PPT
6. Integrity and Security in DBMS
koolkampus
 
PPTX
Security in E-commerce
m8817
 
Date security security principles
Leo Mark Villar
 
Info hiding
Muna AlKhayat
 
Data security authorization and access control
Leo Mark Villar
 
OPSEC Vulnerabilities And Indicators
Department of Defense
 
6. Integrity and Security in DBMS
koolkampus
 
Security in E-commerce
m8817
 
Ad

Similar to 05 application security fundamentals - part 2 - security mechanisms - authorization (20)

PPTX
Broken Authentication and Authorization(1).pptx
Manahari Darshika Pemarathna
 
PPTX
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
PPT
1 security goals
drewz lin
 
PDF
Session4-Authentication
zakieh alizadeh
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
PPT
Application Security
Reggie Niccolo Santos
 
PPTX
Authentication and session v4
skimil
 
PDF
What is Authentication vs Authorization Difference? | INTROSERV
SaqifKhan3
 
PDF
Securing Internet Payment Systems
Domenico Catalano
 
PPSX
Broken Authentication & authorization
Sarwar Jahan M
 
PDF
network security.pdf
KIYALIBAN1
 
PDF
CyberSecurity101.pdf
DhananjaySingh23178
 
PPTX
AusCERT 2018
Sarwar Jahan M
 
PPT
Security audit
Nicholas Davis
 
PPT
Security Audit
Nicholas Davis
 
DOCX
ISOL536Security Architecture and DesignWeek 6Web Threa.docx
vrickens
 
PPTX
Access Control authentication and authorization .pptx
birhanugirmay559
 
PPTX
Secure Code Warrior - Authentication
Secure Code Warrior
 
PPTX
2 security concepts
LimenihMuluneh1
 
PPTX
iovation's Dynamic Authentication Suite
Michael Thelander
 
Broken Authentication and Authorization(1).pptx
Manahari Darshika Pemarathna
 
04 application security fundamentals - part 2 - security mechanisms - authe...
appsec
 
1 security goals
drewz lin
 
Session4-Authentication
zakieh alizadeh
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Application Security
Reggie Niccolo Santos
 
Authentication and session v4
skimil
 
What is Authentication vs Authorization Difference? | INTROSERV
SaqifKhan3
 
Securing Internet Payment Systems
Domenico Catalano
 
Broken Authentication & authorization
Sarwar Jahan M
 
network security.pdf
KIYALIBAN1
 
CyberSecurity101.pdf
DhananjaySingh23178
 
AusCERT 2018
Sarwar Jahan M
 
Security audit
Nicholas Davis
 
Security Audit
Nicholas Davis
 
ISOL536Security Architecture and DesignWeek 6Web Threa.docx
vrickens
 
Access Control authentication and authorization .pptx
birhanugirmay559
 
Secure Code Warrior - Authentication
Secure Code Warrior
 
2 security concepts
LimenihMuluneh1
 
iovation's Dynamic Authentication Suite
Michael Thelander
 

More from appsec (10)

PPTX
23 owasp top 10 - resources
appsec
 
PPTX
15 owasp top 10 - a3-xss
appsec
 
PPTX
12 owasp top 10 - introduction
appsec
 
PPTX
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
PPTX
11 application security fundamentals - part 2 - security mechanisms - summary
appsec
 
PPTX
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
PPTX
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
PPTX
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
PPTX
02 application security fundamentals - part 1 - security priciples
appsec
 
PPTX
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 
23 owasp top 10 - resources
appsec
 
15 owasp top 10 - a3-xss
appsec
 
12 owasp top 10 - introduction
appsec
 
10 application security fundamentals - part 2 - security mechanisms - encry...
appsec
 
11 application security fundamentals - part 2 - security mechanisms - summary
appsec
 
09 application security fundamentals - part 2 - security mechanisms - logging
appsec
 
08 application security fundamentals - part 2 - security mechanisms - error...
appsec
 
07 application security fundamentals - part 2 - security mechanisms - data ...
appsec
 
02 application security fundamentals - part 1 - security priciples
appsec
 
01 Application Security Fundamentals - part 1 - introduction and goals
appsec
 

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Cloud computing and distributed systems.
kkkkkhan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 

05 application security fundamentals - part 2 - security mechanisms - authorization

  • 2. Authorization Core Concepts Is the user allowed to perform this action, within this context? 1st 2nd Should the user be allowed this function at all? Should the user have only limited context access?
  • 3. Authorization Words to Live By  Every function (page) must verify authorization to access  Every function (page) must verify the access context  Any client/server application must verify security on server
  • 4. Authorization Words to Live By: #1  The problem – When access control checks are not applied consistently (or not at all) users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution. Every function (page) must verify authorization to access
  • 5. Real World Example – CuteFlow Exploit
  • 6. Authorization Words to Live By: #2  The problem – The system's access control functionality does not prevent one user from gaining access to another user's records by modifying the key value identifying the record. Every function (page) must verify access context
  • 7. Real World Example – Fidelity Canada Usually, when users can directly access a PDF or other non-code file from the web server, (e.g., resource is located in the web root) there is no opportunity for authorization code to execute. With a predictable structure to the filename, it only takes minutes to create a script capable of retrieving all of the statements/reports on the site! Sullivan, B. (2002, May 30). Glitch at Fidelity Canada exposes customer info. Retrieved June 3, 2010, from http://www.itworldcanada.com/news/glitch-at-fidelity-canada-exposes-customer-info/124086
  • 8. Authorization Words to Live By: #3  The problem – The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. An attacker can modify the client-side behavior to bypass the protection mechanisms. Any client/server application must verify security on the server
  • 9. Real World Example – PayPal & Vendor Issue