The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws



Chapter 8 



Attacking Access Controls




flawed assumptions about the kinds of requests that users will make and against which the application needs to defend itself:

■ Do not rely on users' ignorance of application URLs or the identifiers used to specify application resources, such as account numbers and document IDs. Explicitly assume that users know every application URL and identifier, and ensure that the application's access controls alone are sufficient to prevent unauthorized access.

■ Do not trust any user-submitted parameters to signify access rights (such as admin=true).

■ Do not assume that users will access application pages in the intended sequence. Do not assume that because users cannot access the Edit Users page, they will not be able to reach the Edit User X page that is linked from it.

■ Do not trust the user not to tamper with any data that is transmitted via the client. If some user-submitted data has been validated and is then transmitted via the client, do not rely upon the retransmitted value without revalidation.
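The four flawed assumptions above, each written as a small request handler beside its hardened form. This is an added example, not code from the book; the document store, session table, pending-transfer record and handler names are all constructed for illustration. The same tampered request from a low-privilege session is replayed against both versions so the difference is visible in the return values.

```python
from dataclasses import dataclass, field

# Constructed sample state (not from the book): one logged-in user, two documents
# owned by different users, and a transfer amount validated on an earlier step.
DOCUMENTS = {
    "1001": {"owner": "alice", "body": "alice's tax return"},
    "1002": {"owner": "bob", "body": "bob's medical record"},
}
SESSIONS = {"sess-alice": {"user": "alice", "role": "user"}}
PENDING_TRANSFERS = {"sess-alice": {"amount": 100}}  # server-side copy, validated in step 1


@dataclass
class Request:
    session_id: str
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def current_user(req):
    """Identity and role come from the server-side session table only."""
    sess = SESSIONS.get(req.session_id)
    if sess is None:
        raise Forbidden("no session")
    return sess


# --- Vulnerable handlers: one per flawed assumption ---

def view_document_vulnerable(req):
    # Assumes users will not guess other users' document IDs.
    return DOCUMENTS[req.params["id"]]["body"]


def admin_panel_vulnerable(req):
    # Assumes a client-supplied flag signifies access rights.
    return "admin panel" if req.params.get("admin") == "true" else "403 admin only"


def edit_user_vulnerable(req):
    # Assumes this page is only reached via the Edit Users page, so the
    # role check that lives there is treated as sufficient.
    return f"editing user {req.params['user']}"


def confirm_transfer_vulnerable(req):
    # Assumes the amount validated on the previous page comes back unchanged.
    return f"transferred {req.params['amount']}"


# --- Hardened equivalents: decide from the session and server-side state ---

def view_document_hardened(req):
    user = current_user(req)
    doc = DOCUMENTS.get(req.params.get("id"))
    # Ownership is checked against the server-side record on every request.
    if doc is None or doc["owner"] != user["user"]:
        raise Forbidden("not your document")
    return doc["body"]


def admin_panel_hardened(req):
    if current_user(req)["role"] != "admin":
        raise Forbidden("admin only")
    return "admin panel"


def edit_user_hardened(req):
    # The role check is repeated here; reaching the parent page proves nothing.
    if current_user(req)["role"] != "admin":
        raise Forbidden("admin only")
    return f"editing user {req.params['user']}"


def confirm_transfer_hardened(req):
    current_user(req)
    # The retransmitted amount is ignored in favour of the server-side copy.
    amount = PENDING_TRANSFERS[req.session_id]["amount"]
    return f"transferred {amount}"


def run(handler, req):
    """Dispatch one request, mapping Forbidden to a 403-style string."""
    try:
        return handler(req)
    except Forbidden as exc:
        return f"403 {exc}"


def bypass_attempts():
    """Replay four tampered requests from alice's session; return (vulnerable, hardened) results."""
    cases = {
        "other_users_document": (view_document_vulnerable, view_document_hardened,
                                 Request("sess-alice", {"id": "1002"})),
        "admin_flag": (admin_panel_vulnerable, admin_panel_hardened,
                       Request("sess-alice", {"admin": "true"})),
        "forced_browsing": (edit_user_vulnerable, edit_user_hardened,
                            Request("sess-alice", {"user": "bob"})),
        "retransmitted_value": (confirm_transfer_vulnerable, confirm_transfer_hardened,
                                Request("sess-alice", {"amount": "1000000"})),
    }
    return {name: (run(v, req), run(h, req)) for name, (v, h, req) in cases.items()}
```

Each hardened handler asks the same two questions on every request: who is this, according to the session, and does the server-side record say they may touch this resource? Nothing in the request parameters answers either question.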

The following represents a best-practice approach to implementing effective access controls within web applications:

■ Explicitly evaluate and document the access control requirements for every unit of application functionality. This needs to include both who can legitimately use the function and what resources individual users may access via the function.

■ Drive all access control decisions from the user's session.

■ Use a central application component to check access controls.

■ Process every single client request via this component, to validate that the user making the request is permitted to access the functionality and resources being requested.

■ Use programmatic techniques to ensure that there are no exceptions to the previous point. An effective approach is to mandate that every application page must implement an interface that is queried by the central access control mechanism. By forcing developers to explicitly code access control logic into every page, there can be no excuse for omissions.

■ For particularly sensitive functionality, such as administrative pages, you can further restrict access by IP address, to ensure that only users from a specific network range are able to access the functionality, regardless of their login status.
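The best-practice list above, as one central access-control component. This is an added example, not the book's code: every page declares the role it needs and answers a resource-level question through a mandatory interface, the component refuses to mount a handler that lacks that interface, all decisions are read from the session rather than from request parameters, and administrative pages are additionally limited to an assumed internal network range. The session table, document store, page classes and the 10.0.0.0/24 range are constructed for illustration.

```python
import ipaddress
from abc import ABC, abstractmethod

# Constructed sample state (not from the book).
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
DOCUMENTS = {"1001": {"owner": "alice"}, "1002": {"owner": "bob"}}
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/24")  # assumed internal admin range


class Page(ABC):
    """Interface every page must implement so the central check can query it."""
    role = "user"                       # minimum role needed to use the function
    restrict_to_admin_network = False   # network restriction for sensitive pages

    @abstractmethod
    def may_access_resource(self, session, params) -> bool:
        """Resource-level decision: may this user touch the resource named in params?"""

    @abstractmethod
    def handle(self, session, params) -> str:
        """The page's own work, reached only after the central check passed."""


class AccessControl:
    def __init__(self):
        self._pages = {}

    def register(self, path, page):
        # Programmatic guarantee: nothing without the interface can be mounted,
        # so a page cannot be added while forgetting its access-control logic.
        if not isinstance(page, Page):
            raise TypeError(f"{path}: handler does not implement Page")
        self._pages[path] = page

    def dispatch(self, path, session_id, client_ip, params):
        """Single choke point that every request passes through."""
        page = self._pages.get(path)
        if page is None:
            return "404"
        # Network restriction first: it applies regardless of login status.
        if page.restrict_to_admin_network and ipaddress.ip_address(client_ip) not in ADMIN_NETWORK:
            return "403 network"
        # Identity and role come from the session; params such as admin=true are never consulted.
        session = SESSIONS.get(session_id)
        if session is None:
            return "401"
        # Function-level check: may this role use the function at all?
        if page.role == "admin" and session["role"] != "admin":
            return "403 function"
        # Resource-level check, answered by the page through the mandatory interface.
        if not page.may_access_resource(session, params):
            return "403 resource"
        return page.handle(session, params)


class ViewDocument(Page):
    def may_access_resource(self, session, params):
        doc = DOCUMENTS.get(params.get("id"))
        return doc is not None and doc["owner"] == session["user"]

    def handle(self, session, params):
        return f"document {params['id']}"


class EditUser(Page):
    role = "admin"
    restrict_to_admin_network = True

    def may_access_resource(self, session, params):
        return params.get("user") in {"alice", "bob"}

    def handle(self, session, params):
        return f"editing {params['user']}"


def build_app():
    ac = AccessControl()
    ac.register("/view", ViewDocument())
    ac.register("/admin/edit_user", EditUser())
    return ac


def register_rejects_plain_function():
    """A bare function has no access-control interface, so mounting it must fail."""
    try:
        AccessControl().register("/oops", lambda session, params: "unguarded")
    except TypeError:
        return True
    return False
```

The value of the design is in `dispatch` being the only route to `handle`: a developer cannot reach a page's logic without the component having asked the page's own `may_access_resource`, and cannot register a page that does not answer it.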

