Access Control and Authentication in Web Applications

EnchantingRadium

18 Questions

Match the following security practices with their descriptions:

Input Validation = A mechanism that regulates access to data or functionality
Attack Surface Reduction = Verifying the identity of a user through a username and password
Access Control = Preventing malicious data from entering a system
Authentication = Limiting the number of potential vulnerabilities in a system

Match the following access control concepts with their definitions:

Subject = Something or person that is receiving the action
Target Object = Something or person that is doing the action
Authentication = The process of determining whether the validated identity has the rights to do what they want to do
Authorization = A mechanism that regulates access to data or functionality

Match the following authentication steps with their descriptions:

Identification = The process of verifying the identity of a user
Authentication = The process of claiming an identity
Authorization = The process of determining whether the validated identity has the rights to do what they want to do
Access Control = The process of regulating access to data or functionality

Match the following security concepts with their primary goals:

Authentication = To prevent unauthorized access to resources
Authorization = To validate the identity of a user
Access Control = To manage permissions and access to resources
Input Validation = To prevent malicious data from entering a system

Match the following security terms with their definitions:

Authentication Factor = A piece of information used to verify an identity, such as a password
Permission = A right or privilege granted to a user or role
Access Control System = A mechanism that regulates access to data or functionality
Authorization Check = A process of verifying the identity of a user

Match the following security processes with their primary functions:

Authentication = To grant access to resources based on a user's identity
Authorization = To verify the identity of a user
Access Control = To manage and enforce permissions and access to resources
Input Validation = To prevent unauthorized access to resources

Match the following password complexity requirements with their descriptions:

At least one uppercase = Enforce minimum password complexity
Rotate passwords = Disable accounts after a certain number of incorrect attempts
Password cannot equal username = Ensure password uniqueness
Properly store passwords = Store passwords in plaintext

Match the following authentication steps with their locations:

Providing a username and password = Initial login
Authenticating with cookies = Subsequent HTTP requests
Session ID validation = With every request in your code
Authorization = After initial login

Match the following authentication concepts with their definitions:

Access Control = Restricting access to resources based on user identity
Authorization = Granting permissions to access resources
Authentication = Verifying user identity
Permissions Management = Managing user roles and privileges

Match the following authentication factors with their types:

Username = Something you know
Password = Something you have
Biometric data = Something you are
Session ID = Somewhere you are

Match the following authentication best practices with their descriptions:

When and where to perform authentication = Determining the optimal authentication points
Securing web authentication mechanisms = Protecting against authentication attacks
Session ID validation = Verifying the authenticity of session IDs
Disable accounts = Temporarily or permanently disabling user accounts

Match the following input validation concepts with their descriptions:

Input validation = Verifying user input against expected formats
Output encoding = Encoding output to prevent injection attacks
Error handling = Handling errors securely to prevent information disclosure
Output validation = Verifying output against expected formats

Match the following authentication techniques with their purpose:

Re-authentication = To verify the user's identity before performing a sensitive action
Account lockout = To prevent brute-force attacks
Increasing time out values = To slow down brute-force attacks
SSL/TLS = To secure the transmission of authentication data

Match the following security measures with their effect:

Allowing account lockout = Preventing administrators from being locked out
Using CAPTCHA = Slowing down brute-force attacks
Disabling default accounts = Reducing the attack surface
Implementing remember me = Improving user experience

Match the following authentication factors with their characteristics:

Username and password = Can be generated by the system
Two-factor authentication = Uses a combination of two authentication methods
Biometric authentication = Uses unique physical characteristics
Single-factor authentication = Uses a single authentication method

Match the following authorization checks with their triggers:

When a user's access level or rights change = Re-authentication
When accessing an outside or third-party resource = Authentication
When a request is made to access a protected resource = Access control
After a certain number of failed attempts = Account lockout

Match the following access control systems with their characteristics:

Discretionary access control = Allows users to set access permissions
Mandatory access control = Uses a set of rules to determine access
Role-based access control = Assigns access based on user roles
Attribute-based access control = Evaluates a user's attributes to determine access

Match the following permissions management techniques with their goals:

Least privilege = To grant users only the necessary permissions
Separation of duties = To divide responsibilities among multiple users
Privilege escalation = To grant temporary elevated privileges
Privilege reduction = To reduce privileges for a specific task

Learn about the importance of access control and authentication in web applications to protect resources and data from unauthorized access.
