[WEB SECURITY] Secure Web UI Design

Stephen de Vries stephendv at gmail.com
Tue Feb 5 03:02:46 EST 2013


On 5 Feb 2013, at 07:52, Bolger, Ken wrote:

> My first thoughts are that this change violates the “minimise attack surface” and “separation of privilege” security
> principles. However, enforcement of these principles is performed on the server side regardless of whether the
> options are presented to the user.

Exactly.  Real security is implemented on the server side and doesn't depend on the options presented in the UI.  If that security control fails then you have a serious security vulnerability, whether or not the options are presented to the user.  Not presenting the options adds a layer of "security through obscurity" which is no security at all, so no real point implementing it.

> My other concern is the inability to differentiate between malicious attempts to escalate privileges, or a user
> attempting unauthorised actions by mistake or simply because the option is presented to them. This seems to be
> the only tangible security concern.

This depends on how the unauthorised actions are presented in the UI.  They should not be selectable in the UI, e.g. buttons should be disabled, which would mean that an attacker would have to deliberately modify the HTML or intercept and modify the request in order to provoke the action.
In my opinion, having UI elements that are selectable, but then deny access to the function is just bad UI design.
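
The design discussed in this thread, as an added example that is not part of the original post: the UI renders unauthorised actions as disabled, the server authorises every request regardless, and a denied request is logged as a security event because it cannot come from a normal click. The role map, action names and function names are hypothetical.

```python
import logging

log = logging.getLogger("authz")

# Hypothetical role-to-action policy; a real application would load its own.
PERMISSIONS = {
    "viewer": {"view_report"},
    "admin": {"view_report", "delete_report"},
}
ALL_ACTIONS = sorted(set().union(*PERMISSIONS.values()))


def render_buttons(role):
    """UI layer: every action is shown, unauthorised ones are disabled.

    Action names are fixed constants here, so no HTML escaping is needed.
    """
    allowed = PERMISSIONS.get(role, set())
    return [
        '<button name="{0}"{1}>{0}</button>'.format(
            action, "" if action in allowed else " disabled"
        )
        for action in ALL_ACTIONS
    ]


def handle_request(user, role, action):
    """Server layer: authorise every request, whatever the UI rendered."""
    if action not in ALL_ACTIONS:
        return 404, "unknown action"
    if action not in PERMISSIONS.get(role, set()):
        # The UI never offered this action as selectable, so the request
        # was not produced by a normal click; record it as a security event.
        log.warning("authz denied user=%s role=%s action=%s", user, role, action)
        return 403, "forbidden"
    return 200, "ok: " + action


if __name__ == "__main__":
    # Constructed sample requests.
    print("\n".join(render_buttons("viewer")))
    print(handle_request("alice", "viewer", "view_report"))
    print(handle_request("alice", "viewer", "delete_report"))
```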

