the application and different types of functionality. An application might support numerous different user roles, each involving different combinations of specific privileges. Individual users may be permitted to access a subset of the total data held within the application. Specific functions may implement transaction limits and other checks, all of which need to be properly enforced based on the user’s identity.
Figure 2-3: An application enforcing access control
Because of the complex nature of typical access control requirements, this mechanism is a frequent source of security vulnerabilities that enable an attacker to gain unauthorized access to data and functionality. Developers very often make flawed assumptions about how users will interact with the application, and frequently make oversights by omitting access control checks from some application functions. Probing for these vulnerabilities is often laborious because essentially the same checks need to be repeated for each item of functionality. Because of the prevalence of access control flaws, however, this effort is always a worthwhile investment when you are attacking a web application.
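The following is an added illustration, not code from the book, of the three kinds of check the text describes: role-based (vertical) privilege, per-user data ownership (horizontal) privilege, and a per-role transaction limit. It contrasts a function that omits the ownership check with functions that enforce it; the users, roles, balances and the TRANSFER_LIMIT table are constructed sample values.

```python
from dataclasses import dataclass
# Constructed sample data: each user has a role (vertical privilege) and the
# subset of accounts (data) they own (horizontal privilege).
@dataclass
class User:
    name: str
    role: str          # "customer" or "admin"
    account_ids: set   # accounts this user owns

BALANCES = {1: 5000, 2: 300}                         # account id -> balance
TRANSFER_LIMIT = {"customer": 1000, "admin": 10000}  # hypothetical per-role limit

class AccessDenied(Exception):
    pass
def view_account_flawed(user, account_id):
    # Flawed: the user is authenticated, but nothing checks whether *this*
    # user may see *this* account -- the omitted check the text describes.
    return BALANCES[account_id]

def authorize_account(user, account_id):
    # Vertical check: the role must be one allowed to use this function.
    if user.role not in TRANSFER_LIMIT:
        raise AccessDenied("role not permitted")
    # Horizontal check: admins see all data; customers only their own.
    if user.role != "admin" and account_id not in user.account_ids:
        raise AccessDenied("account not owned by user")

def view_account(user, account_id):
    authorize_account(user, account_id)
    return BALANCES[account_id]

def transfer(user, src, dst, amount):
    # The same identity-based check is repeated in every function; the
    # transaction limit is also enforced per role, on the server side.
    authorize_account(user, src)
    if amount <= 0 or amount > TRANSFER_LIMIT[user.role]:
        raise AccessDenied("amount exceeds transaction limit for role")
    if BALANCES[src] < amount:
        raise ValueError("insufficient funds")
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return BALANCES[src]

def denied(fn, *args):
    try:                      # True when an access control check rejects the call
        fn(*args)
    except AccessDenied:
        return True
    return False
```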