[WEB SECURITY] Secure Web UI Design

Tue Feb 5 01:52:20 EST 2013


I would appreciate some different views on changes to a web UI that I am uncomfortable with.

Our current web UI model only displays the set of options that an authenticated user is allowed to perform.
If an attempt is made to perform an unauthorised action, the server quite rightly logs the user out, as this would
require some form of 'forced browsing'.

A proposed change is to display all possible options and if a user selects one for which they are not authorised,
a message is simply displayed advising them that they are not authorised to perform this action.

This change seems intuitively insecure.

My first thoughts are that this change violates the "minimise attack surface" and "separation of privilege" security
principles. However, enforcement of these principles is performed on the server side regardless of whether the
options are presented to the user.

My other concern is the inability to differentiate between malicious attempts to escalate privileges, or a user
attempting unauthorised actions by mistake or simply because the option is presented to them. This seems to be
the only tangible security concern.

Am I missing something obvious, or am I correct in my analysis?
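The two points the post turns on, the server-side check that must not depend on what the UI showed, and the forced-browsing signal that the "show everything" UI removes, as an added example (editor's illustration, not code from the original post or from any system it describes). It assumes a simple per-user permission table and a signed token that records which options a given page render actually showed; the user names, actions and HMAC key are constructed for the example.

```python
"""Server-side authorisation check that does not depend on what the UI showed,
plus a way to keep the forced-browsing signal when the UI shows every option.

Added example, not code from the original post. Users, permissions, action
names and the HMAC key below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment would load it from a key store.
SECRET = b"constructed-server-side-key-not-for-real-use"

# Constructed permission model: which actions each authenticated user may perform.
PERMISSIONS = {
    "alice": {"view_report", "export_report"},
    "bob": {"view_report"},
}
ALL_ACTIONS = {"view_report", "export_report", "delete_report"}


def authorized(user, action):
    """The only check that decides whether an action runs. It never consults the UI."""
    return action in PERMISSIONS.get(user, set())


def render_menu(user, show_all):
    """Build the menu for one page render.

    show_all=False is the current model (only permitted options are shown);
    show_all=True is the proposed model (every option is shown).
    Returns the option set and a signed token recording what was shown.
    """
    shown = set(ALL_ACTIONS) if show_all else {a for a in ALL_ACTIONS if authorized(user, a)}
    payload = json.dumps({"user": user, "shown": sorted(shown)}, sort_keys=True)
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return shown, payload + "|" + mac


def shown_options(user, token):
    """Recover the set of options this user was actually shown, or None if the
    token is missing, tampered with, or was issued for a different user."""
    if not token or "|" not in token:
        return None
    payload, mac = token.rsplit("|", 1)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data.get("user") != user:
        return None
    return set(data["shown"])


def handle_request(user, action, token):
    """Classify one action request.

    'allowed'         -> authorised; the action runs.
    'denied_ui'       -> not authorised, but the option was on the page the
                         server rendered: show a 'not authorised' message and
                         log at low severity (mistake or curiosity).
    'forced_browsing' -> not authorised and not reachable from what was
                         rendered: terminate the session and raise an alert.
    """
    if authorized(user, action):
        return "allowed"
    shown = shown_options(user, token)
    if shown is not None and action in shown:
        return "denied_ui"
    return "forced_browsing"


if __name__ == "__main__":
    _, tok = render_menu("bob", show_all=False)
    print(handle_request("bob", "export_report", tok))   # forced_browsing
    _, tok = render_menu("bob", show_all=True)
    print(handle_request("bob", "export_report", tok))   # denied_ui
```

Note what the example does and does not buy you. The decision to run an action is `authorized()` alone, so the outcome is the same whichever menu was rendered. The signed render token only lets the server tell a request for an option it never showed (forced browsing) from a click on one it did show. Under the proposed show-everything UI every option is in the rendered set, so a deliberate escalation attempt and an accidental click on an unauthorised option both come back as `denied_ui`; that collapse is exactly the loss of signal the post describes, and the token cannot restore it for options the page chose to display.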


