AUTHORIZATION (AZ5)
Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)
Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)
OWASP SCP
70,81,83,84,87,88,89,99,117,131,132,142,154,170,179
OWASP ASVS
1.2.2,4.1.1,4.1.3,4.2.1
OWASP AppSensor
ACE1,ACE2,ACE3,ACE4,HT2
CAPEC
-
SAFECODE
8,10,11,13
Define access controls for each and every resource and system component. Enforce authorization controls on every request, regardless of resource type.
NB: the key concept for this card is applying authorization controls to all resource types. See AZ 6 for data controls, and AZ 7 for function/object/property controls.
Mappings
OWASP ASVS (4.0): 1.2.2 ,4.1.1 ,4.1.3 ,4.2.1
Capec: 75 ,87 ,95 ,126 ,149 ,155 ,203 ,213 ,264 ,265
OWASP SCP: 70,81,83,84,87,88,89,99,117,131,132,142,154,170,179
OWASP Appsensor: ACE1,ACE2,ACE3,ACE4,HT2
Safecode: 8,10,11,13
ASVS (4.0) Cheatsheetseries Index
ASVS V1.2 - Authentication Architectural Requirements
ASVS V4.1 - General Access Control Design
ASVS V4.2 - Operation Level Access Control
No suitable mappings were found.
