O'Reilly logo

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Marcus Pinto, Dafydd Stuttard

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 8. Attacking Access Controls

Within the application's core security mechanisms, access controls are logically built upon authentication and session management. So far, you have seen how an application can first verify a user's identity and then confirm that a particular sequence of requests that it receives originated from the same user. The primary reason that the application needs to do these things, in terms of security at least, is because it needs a way of deciding whether it should permit a given request to perform its attempted action or access the resources that it is requesting. Access controls are a critical defense mechanism within the application because they are responsible for making these key decisions. When they are defective, an attacker can often compromise the entire application, taking control of administrative functionality and accessing sensitive data belonging to every other user.

As we noted in Chapter 1, broken access controls are among the most commonly encountered categories of web application vulnerability, affecting a massive 78% of the applications recently tested by the authors. Somewhat incredibly, it is extremely common to encounter applications that go to all the trouble of implementing robust mechanisms for authentication and session management, only to squander that investment by neglecting to build any effective access controls upon them.

Access control vulnerabilities are conceptually very simple: the application is letting you do something ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required