Information Security - Standards and Best Practices Owasp

The document discusses the OWASP top 10 vulnerability of broken access control. It provides details on what broken access control is, common vulnerabilities, how to prevent it, and different access control types. It also describes labs that show SQL injection vulnerabilities and tools for static and dynamic application security testing.

Uploaded by

Imad Boustany

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

63 views46 pages

Information Security - Standards and Best Practices Owasp

Uploaded by

Imad Boustany

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 46

Information Security –

Standards and Best

Practices

Presented by:
OWASP
Supervisor & Professor:
Imad Boustany
Jean-Michel Kaoukabani

INCI – M2: Information Security OWASP Page 1

Who is the OWASP foundation?

The Open Web Application Security Project® (OWASP)

is a nonprofit foundation that works to improve the
security of software.

INCI – M2: Information Security OWASP Page 2

TOP 10 VULNERABILITES

INCI – M2: Information Security OWASP Page 3

Broken Access Control
What is it?

Attackers access unauthorized functionalities in

order access other users accounts, view sensitive
files, etc…

INCI – M2: Information Security OWASP Page 4

Broken Access Control
Threat Agents / Attack Vectors

Exploitation of access control is a core skill of

attackers. SAST and DAST tools can detect the
absence of access control but cannot verify if it is
functional when it is present.

INCI – M2: Information Security OWASP Page 5

Broken Access Control
Security Weakness

Access control weaknesses are common due to the

lack of automated detection, and lack of effective
functional testing by application developers.

INCI – M2: Information Security OWASP Page 6

Broken Access Control
Impacts

The technical impact is attackers acting as users or

administrators, or users using privileged functions.

INCI – M2: Information Security OWASP Page 7

Broken Access Control
Common Access Control Vulnerabilities

• Modifying the URL.

• Elevation of privilege.
• Metadata manipulation.
• CORS misconfiguration allows unauthorized API
access.
• Force browsing to authenticated pages as an
unauthenticated user or to privileged pages as a
standard user.

INCI – M2: Information Security OWASP Page 8

Broken Access Control
How to prevent?

• With the exception of public resources, deny by

default.
• Implement access control mechanisms once and
re-use them throughout the application.
• Model access controls should enforce record
ownership.
• Log access control failures.
• Disable web server directory listing and ensure
file metadata are not present within web roots.

INCI – M2: Information Security OWASP Page 9

Broken Access Control
different types of access control

• Discretionary Access Control (DAC)

• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Attribute Based Access Control (ABAC)