[WEB SECURITY] Broken Authentication and Failure to restrict URL access

webpentest webpentest at gmail.com
Thu Jun 7 02:43:00 EDT 2012


On 06.06.2012 11:47, dhirajsmahajan at gmail.com wrote:
> Hi,
>
> Confused between Broken Authentication (OWASP A2) and Failure to
> restrict URL access (OWASP A7)?
>
> Can anyone tell me actually what is the difference between them?
The difference is the same as the difference between authentication and
authorization (authC and authZ).
In brief, authC ensures that you're really the guy you say you are
(think about checking your passport and seeing if it's not fake and that
the photo actually matches your face). As HTTP is stateless, web
applications use special tokens to do authentication. If the token could
be forged and you can trick the web app into thinking you're not the one you
really are (e.g. admin instead of plain user), this is an example of
broken authC.

AuthZ (access control), on the other hand, happens after authentication
and verifies that you actually have the rights to do what you requested.
In lots of cases the access is not properly restricted: you can issue a
successful direct request for the privileged operation. In OWASP Top 10
there are 2 issues concerning AuthZ: A8 and A4, which is somewhat
confusing because the difference between them is merely technical.

The explanation is rather simplified, but I hope it helps.
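The following is an added example, not part of the original message or written by its author; it illustrates the authC/authZ split described above with a toy request handler. It assumes a constructed server-side secret, a constructed route-to-role table, and a hypothetical handle_request() function. The token is an HMAC-signed claim (authC: the server can tell a forged or tampered token from a genuine one), and the role check on each route is the authZ step; disabling that check reproduces the "direct request for the privileged operation succeeds" failure the message describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this server-side only.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed authorization table: which roles may call which route (authZ).
ROUTE_ROLES = {
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
}


def issue_token(user: str, role: str) -> str:
    """Authentication token: base64 claims plus an HMAC-SHA256 tag over them."""
    claims = json.dumps({"user": user, "role": role}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(claims)
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def verify_token(token: str):
    """Return the claims if the tag matches the payload, otherwise None.

    This is the authC step: a client cannot change 'role' in the payload
    without invalidating the tag, because it does not know SECRET.
    """
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def handle_request(path: str, token: str, enforce_authz: bool = True) -> int:
    """Hypothetical handler returning an HTTP status code.

    enforce_authz=False models the A7-style bug: the user is authenticated,
    but nothing checks whether this user may access this URL.
    """
    claims = verify_token(token)
    if claims is None:
        return 401  # authC failed: who are you?
    if enforce_authz:
        allowed = ROUTE_ROLES.get(path)
        if allowed is None or claims["role"] not in allowed:
            return 403  # authZ failed: you are known, but not permitted here
    return 200


def tamper_role(token: str, new_role: str) -> str:
    """Rebuild the payload with a different role but keep the old tag.

    Used only to show that verify_token() rejects the result.
    """
    payload, tag = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    claims["role"] = new_role
    new_payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    return new_payload + "." + tag


if __name__ == "__main__":
    user_token = issue_token("bob", "user")
    print("user -> /profile:", handle_request("/profile", user_token))
    print("user -> /admin/users (authZ on):", handle_request("/admin/users", user_token))
    print("user -> /admin/users (authZ off):",
          handle_request("/admin/users", user_token, enforce_authz=False))
    print("tampered token:", handle_request("/admin/users", tamper_role(user_token, "admin")))
```

With authZ enforced, a plain user gets 403 on /admin/users; with it disabled, the same direct request returns 200 even though authentication worked perfectly, which is the A7 case. The tampered token is refused with 401 regardless of the route, which is the A2 defence working.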


