The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

The application uses restricted database

accounts when accessing the database. It employs different accounts 

for different groups of users, with each account having the least level of

privilege necessary for carrying out the actions which that group is per-

mitted to perform. Declarative controls of this kind are declared from

outside the application. This is a very useful application of defense-in-

depth principles, because privileges are being imposed on the applica-

tion by a different component. Even if a user finds a means of breaching

the access controls implemented within the application tier, so as to 

perform a sensitive action such as adding a new user, they will be pre-

vented from doing so because the database account that they are using

does not have the required privileges within the database.

A different means of applying declarative access control exists at the

application server level, via deployment descriptor files, which are

applied during application deployment. However, these can be rela-

tively blunt instruments and do not always scale well to manage fine-

grained privileges in a large application.

HACK STEPS