The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




Chapter 8: Attacking Access Controls (p. 230)



■■ It improves adaptability. Where new access control requirements arise, these can be easily reflected within an existing API implemented by each application page.

■■ It results in fewer mistakes and omissions than if access control code is implemented piecemeal throughout the application.

A Multi-Layered Privilege Model

Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which lie beneath it — in particular, the application server, the database, and the operating system. Taking a defense-in-depth approach to security entails implementing access controls at each of these layers to create several layers of protection. This provides greater assurance against threats of unauthorized access, because if an attacker succeeds in compromising defenses at one layer, the attack may yet be blocked by defenses at another layer.

In addition to implementing effective access controls within the web application itself, as already described, a multi-layered approach can be applied in various ways to the components which underlie the application, for example:

■■ The application server can be used to control access to entire URL paths, on the basis of user roles that are defined at the application server tier.

■■ The application can employ a different database account when carrying out the actions of different users. For users who should only be querying (and not updating) data, an account with read-only privileges should be used.

■■ Fine-grained control over access to different database tables can be implemented within the database itself, using a table of privileges.

■■ The operating system accounts used to run each component in the infrastructure can be restricted to the least powerful privileges that the component actually requires.

In a complex security-critical application, layered defenses of this kind can be devised with the help of a matrix defining the different user roles within the application and the different privileges, at each tier, that should be assigned to each role. Figure 8-1 is a partial example of a privilege matrix for a complex application.
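As an added illustration (not code from the book), the following Python sketches a privilege matrix spanning two of the tiers above: the application server's role-to-URL-path check, and a role-dependent database privilege level. The role names, URL paths, table and the use of SQLite's read-only URI mode in place of a real read-only database account are assumptions; the point it shows is that a write which slips past the application server check is still refused at the database tier.

```python
import os
import sqlite3
import tempfile
# Constructed privilege matrix (illustrative roles, paths and modes, not from the book):
# the URL prefixes the application server tier permits for each role, and the
# database privilege level it should use ("ro" = read-only account, "rw" = read-write).
PRIVILEGE_MATRIX = {
    "viewer": {"paths": ("/reports/view/",), "db_mode": "ro"},
    "editor": {"paths": ("/reports/view/", "/reports/edit/"), "db_mode": "rw"},
}

def app_server_allows(role, path):
    """Tier 1: the application server admits a URL only if the role's row lists its prefix."""
    prefixes = PRIVILEGE_MATRIX.get(role, {}).get("paths", ())
    return any(path.startswith(p) for p in prefixes)

def open_db_for_role(db_path, role):
    """Tier 2: connect with the privilege level the matrix assigns to the role. SQLite has
    no user accounts, so its read-only URI mode stands in for a read-only DB account."""
    mode = PRIVILEGE_MATRIX[role]["db_mode"]
    return sqlite3.connect(f"file:{db_path}?mode={mode}", uri=True)

def update_report(conn, report_id, title):
    """Attempt the privileged write; return whether the database tier permitted it."""
    try:
        with conn:
            conn.execute("UPDATE reports SET title = ? WHERE id = ?", (title, report_id))
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False

def make_db():
    """Create a throwaway database holding one constructed row."""
    db_path = os.path.join(tempfile.mkdtemp(), "app.db")
    with sqlite3.connect(db_path) as setup:
        setup.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)")
        setup.execute("INSERT INTO reports VALUES (1, 'Q1 summary')")
    setup.close()
    return db_path

def simulate(role, path, bypass_app_server=False):
    """Run one request through both tiers. bypass_app_server models a request that
    reaches the handler without passing the tier-1 check, so tier 2 must hold alone."""
    tier1 = app_server_allows(role, path)
    if not tier1 and not bypass_app_server:
        return {"app_server": False, "db_write": None}
    conn = open_db_for_role(make_db(), role)
    written = update_report(conn, 1, "tampered")
    conn.close()
    return {"app_server": tier1, "db_write": written}
```

Each row of the matrix thus drives two independent enforcement points, which is what makes a privilege matrix of the kind described in Figure 8-1 useful when designing the layers.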

