websecurity@lists.webappsec.org

The Web Security Mailing List


Broken Authentication and Failure to restrict URL access

dhirajsmahajan@gmail.com
Wed, Jun 6, 2012 7:47 AM

Hi,

Confused between Broken Authentication (OWASP A2) and Failure to restrict
URL access (OWASP A7)?

Can anyone tell me actually what is the difference between them?

--
Thanks & Regards,

Dhiraj S Mahajan,
Information Security Analyst,

Prasad Shenoy
Wed, Jun 6, 2012 6:01 PM

Are you reading OWASP Top 10 2007? Just curious since you list the index
numbers for these topics that do not match the 2010 list.

Anyways, in simple terms,

A3 Broken Authentication and Session Mgmt - Authentication exists but can
be easily circumvented to gain access to a protected resource
A8 Failure to Restrict URL Access - No Authentication present, anonymous
users can gain access to the resources w/o being challenged.

Please refer to the most updated list.

[ ~ Prasad |  @prasadshenoy  ~]

On Wed, Jun 6, 2012 at 3:47 AM, dhirajsmahajan@gmail.com <
dhirajsmahajan@gmail.com> wrote:

> Hi,
>
> Confused between Broken Authentication (OWASP A2) and Failure to restrict
> URL access (OWASP A7)?
>
> Can anyone tell me actually what is the difference between them?
>
> --
> Thanks & Regards,
>
> Dhiraj S Mahajan,
> Information Security Analyst,
>
>
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Justin Scott
Wed, Jun 6, 2012 6:23 PM

> Confused between Broken Authentication (OWASP A2) and Failure
> to restrict URL access (OWASP A7)?
> Can anyone tell me actually what is the difference between them?

The first would be authentication or session management that can be
easily bypassed.  For example, a website that simply sets a cookie
with a member ID to validate a session.  An attacker can simply inject
a cookie into their browser with whatever member ID they want and
become any user on the site to bypass authentication.  Mitigation
would include using complex/random session identifiers that change
each time the user is authenticated and are passed as secure cookies
over SSL to prevent session hijacking.

The second would be resources such as an administrative control panel
that sit behind an authentication system of some kind, but do not
actually verify that the user is authenticated.  For example, a login
page redirects to an admin panel which can be bookmarked or shared and
anyone with the URL can access it without going through
authentication.  Mitigation would include ensuring that all pages
which require security actually check for the session token and verify
that the token is valid before allowing access.

-Justin

webpentest
Thu, Jun 7, 2012 6:43 AM

On 06.06.2012 11:47, dhirajsmahajan@gmail.com wrote:

> Hi,
>
> Confused between Broken Authentication (OWASP A2) and Failure to
> restrict URL access (OWASP A7)?
>
> Can anyone tell me actually what is the difference between them?

The difference is the same as the difference between authentication and
authorization (authC and authZ).
In brief, authC ensures that you're really the guy who you say you are
(think about checking your passport and seeing if it's not fake and that
the photo actually matches your face). As HTTP is stateless, web
applications use special tokens to do authentication. If the token could
be forged and you can trick the web app into thinking you're not the one you
really are (e.g. admin instead of plain user), this is an example of
broken authC.

AuthZ (access control), on the other hand, happens after authentication
and verifies that you actually have the rights to do what you requested.
In lots of cases the access is not properly restricted: you can issue a
successful direct request for the privileged operation. In OWASP Top 10
there are 2 issues concerning AuthZ: A8 and A4, which is somewhat
confusing because the difference between them is merely technical.

The explanation is rather simplified, but I hope it helps.

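The two failure modes described in Justin's and webpentest's replies above, side by side with their fixes, as an added example that is not part of any post in this thread. The user table, session store and route table are constructed in memory for the demo; a real application would keep them in a database and a server-side session backend. Role names, paths and function names are assumptions of the example.

```python
import secrets

# Constructed demo data (assumption: a real application keeps these in a database).
USERS = {
    "alice": {"id": 7, "role": "user"},
    "root": {"id": 1, "role": "admin"},
}
# Server-side session store: random token -> username. Tokens are never derived
# from the member ID, so a client cannot forge one by editing its cookie.
SESSIONS = {}

# Deny-by-default route table: every protected path names the role it needs,
# so no page can be reached "by bookmark" without going through the check.
ROUTES = {
    "/": None,            # public
    "/account": "user",   # any authenticated user
    "/admin": "admin",    # administrators only
}


def login(username, old_token=None):
    """Issue a fresh 256-bit random session token; any previous token is invalidated."""
    if username not in USERS:
        return None
    if old_token is not None:
        SESSIONS.pop(old_token, None)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def set_cookie_header(token):
    """Cookie attributes that keep the token off plain HTTP and away from page scripts."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def whoami_broken(cookies):
    """Broken authentication: the cookie carries a member ID and is trusted as-is,
    so anyone who sets member_id=1 becomes whichever account has ID 1."""
    try:
        member_id = int(cookies.get("member_id", ""))
    except ValueError:
        return None
    for name, user in USERS.items():
        if user["id"] == member_id:
            return name
    return None


def whoami(cookies):
    """Fixed authentication: the cookie is an opaque random token looked up server-side."""
    token = cookies.get("session")
    if not token:
        return None
    return SESSIONS.get(token)


def admin_panel_broken(cookies):
    """Failure to restrict URL access: the page assumes only the login redirect
    leads here and never checks the session, so the bare URL is enough."""
    return (200, "admin panel")


def handle(path, cookies):
    """Fixed access control: authenticate, then authorize, on every request."""
    if path not in ROUTES:
        return (404, "not found")
    needed = ROUTES[path]
    if needed is None:
        return (200, f"public {path}")
    user = whoami(cookies)                     # authC: who is this?
    if user is None:
        return (401, "login required")
    if needed == "admin" and USERS[user]["role"] != "admin":   # authZ: may they do this?
        return (403, "forbidden")
    return (200, f"{path} for {user}")
```

The `whoami_broken`/`whoami` pair is the authentication difference: the first trusts a client-chosen identity, the second trusts only a token the server itself generated. `admin_panel_broken` versus `handle("/admin", ...)` is the authorization difference: the page exists behind a login form, but only the route table version actually refuses an unauthenticated (401) or non-admin (403) caller.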