1. Authorization ensures that proper privileges are given to authorized users
  2. Security in authorization mainly depends on the boundaries drawn around those privileges
  3. Common mistakes in authorization creep in while implementing security concepts such as:
    – Principle of least privilege
    – Centralized authorization routines

Common Mistakes (Cont’d)

  • Methods to safeguard web applications against common mistakes that occur in the authorization process are:
  • Principle of least privilege
    – Ensure development, testing and demonstration source code and environments are run with the least privileges
    – Avoid running web application servers under privileged accounts such as administrator, root, sysman, sa, etc.
    – User accounts should have enough privileges according to their tasks
    – Enable web applications’ access to database through limited accounts only
    – Ensure database access through parameterized stored procedures
    – Evaluate and implement code access permissions
  • Protecting access to static resources on web server
    – Do not allow content to be saved on the web server when the content is static
    – Prevent unauthorized access to static content on the web server
    – Save sensitive files with random names and clean temporary files
  • Reauthorize users or code before high value activities or after an idle timeout
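The database points above (limited accounts, parameterized access) can be checked in code. The following is an added example, not part of the original slides: it uses SQLite's read-only file URI as a stand-in for a limited database account (a real deployment would create a dedicated, restricted DB user instead), and a parameterized query so that user input is always bound as data. The table, rows and file path are constructed for the demo.

```python
import os
import pathlib
import sqlite3
import tempfile


def create_db(path):
    """Provision the database with a full-privilege (DBA) connection; constructed sample data."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    conn.close()


def open_limited(path):
    """The web application's connection: read-only, standing in for a limited DB account."""
    uri = pathlib.Path(path).as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def find_user(conn, name):
    """Parameterized lookup: 'name' is bound as a value, never spliced into the SQL text."""
    cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return [tuple(row) for row in cur.fetchall()]


def write_is_refused(conn):
    """Verify the application account cannot modify data; True means least privilege holds."""
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return False  # the write went through: the account is over-privileged
    except sqlite3.OperationalError:
        return True   # "attempt to write a readonly database": privilege boundary enforced


def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "app.db")
    create_db(path)
    conn = open_limited(path)
    results = {
        # a normal lookup returns exactly the matching row
        "bob": find_user(conn, "bob"),
        # a quote-laden input is treated as a literal name and matches nothing
        "quoted_input": find_user(conn, "bob' OR '1'='1"),
        # the application account is refused any write
        "write_refused": write_is_refused(conn),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties side by side: the parameterized query returns only the real `bob` row even for hostile-looking input, and the limited connection cannot delete anything, so a bug elsewhere in the application is bounded by the account's privileges rather than by the application's correctness.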

Common Mistakes (Cont’d)

  • Authorization matrix
    – Ensure code uses built-in authorization framework or access check through centralized authorization facilities
  • Controlling access to protected resources
    – Avoid using custom authorized code
    – Use only framework authorization and built-in platform facilities
  • Never implement client-side authorization tokens
    – After successful authentication, associate session IDs with authorization tokens, state or flags held on the server
  • Time-based authorization should be implemented in sensitive web applications
  • Be cautious of custom authorization controls
    – Write precise code
    – In case of custom code that performs authorization, ensure fail-safe authentication mechanisms and exception handling capability
    – Ensure the authorization framework's controls cover the application in its entirety