[WEB SECURITY] Broken Authentication and Failure to restrict URL access
leviathan at darktech.org
Wed Jun 6 14:23:26 EDT 2012
> Confused between Broken Authentication (OWASP A2) and Failure
> to restrict URL access (OWASP A7)?
> Can anyone tell me actually what is the difference between them?
The first would be authentication or session management that can be
easily bypassed. For example, a website that simply sets a cookie
with a member ID to validate a session. An attacker can simply inject
a cookie into their browser with whatever member ID they want and
become any user on the site to bypass authentication. Mitigation
would include using complex/random session identifiers that change
each time the user is authenticated and are passed as secure cookies
over SSL to prevent session hijacking.
The second would be resources such as an administrative control panel
that sit behind an authentication system of some kind, but do not
actually verify that the user is authenticated. For example, a login
page redirects to an admin panel which can be bookmarked or shared and
anyone with the URL can access it without going through
authentication. Mitigation would include ensuring that all pages
which require security actually check for the session token and verify
that the token is valid before allowing access.
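Added illustration of the two mitigations described above (not code from the list post): a Python sketch with the cookie-as-member-ID session and the unchecked admin page beside a hardened version that issues a fresh random token on every login, marks the cookie Secure/HttpOnly, and has the admin page validate the token server-side. The user table and passwords are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed user table for the example (not real accounts or credentials).
USERS = {
    "alice": {"id": 1, "role": "admin", "password": "alice-placeholder-pw"},
    "bob": {"id": 2, "role": "member", "password": "bob-placeholder-pw"},
}

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # random token -> member id

    def login(self, username, password, old_token=None):
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        # Discard any token the client held before authenticating and mint a
        # fresh 256-bit random one, so the identifier changes on every login.
        if old_token:
            self.sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user["id"]
        return token

    def cookie_header(self, token):
        # Secure: sent only over TLS; HttpOnly: not readable by page scripts.
        return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def resolve(self, token):
        return self.sessions.get(token)

def admin_panel_weak_auth(cookies):
    # A2-style flaw: the cookie *is* the member ID, so the client picks who it is.
    member_id = int(cookies.get("member_id", "0"))
    return f"admin panel as member {member_id}" if member_id else "redirect:/login"

def admin_panel_unrestricted(cookies):
    # A7-style flaw: reached via the post-login redirect, but never checks a session.
    return "admin panel"

def admin_panel_secure(store, cookies):
    # Every protected page looks the token up server-side, then checks the role.
    member_id = store.resolve(cookies.get("session", ""))
    if member_id is None:
        return "redirect:/login"
    role = next(u["role"] for u in USERS.values() if u["id"] == member_id)
    return "admin panel" if role == "admin" else "403 forbidden"
```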