Chapter 7  ■ Attacking Session Management

Within the application’s core security mechanisms, access controls are logi-

cally built upon authentication and session management. So far, you have seen

how an application can first verify a user’s identity and then confirm that a

particular sequence of requests that it receives originated from the same user.

The primary reason that the application needs to do these things, in terms of

security at least, is because it needs a way of deciding whether it should per-

mit a given request to perform its attempted action or access the resources that

it is requesting. Access controls are a critical defense mechanism within the

application because they are responsible for making these key decisions.

When they are defective, an attacker can often compromise the entire applica-

tion, taking control of administrative functionality and accessing sensitive

data belonging to every other user.

As we noted in Chapter 1, broken access controls are among the most com-

monly encountered categories of web application vulnerability, affecting a

massive 78% of the applications recently tested by the authors. Somewhat

incredibly, it is extremely common to encounter applications that go to all the

trouble of implementing robust mechanisms for authentication and session

management, only to squander that investment by neglecting to build any

effective access controls upon them.

Access control vulnerabilities are conceptually very simple: the application

is letting you do something you shouldn’t be able to. The differences between

separate flaws really come down to the different ways in which this core defect