Understanding Authorization


Questions and Answers

What is the primary difference between authentication and authorization?

  • Authentication is used for external users, while authorization is for internal users.
  • Authentication verifies access to resources, while authorization confirms identity.
  • Authentication uses roles, while authorization uses attributes.
  • Authentication confirms identity, while authorization verifies access to resources. (correct)

Why is broken access control a significant security concern for web applications?

  • It is easily mitigated by strong authentication measures.
  • It is difficult to detect and exploit.
  • It can lead to unauthorized access to sensitive resources and actions. (correct)
  • It primarily affects only static content.

What is horizontal privilege elevation, and why is it a common weakness?

  • Bypassing authentication. It's common due to session management issues.
  • Accessing system files. It's common due to misconfigurations.
  • Gaining admin privileges. It's common due to weak passwords.
  • Accessing another user's resources. It's common due to faulty authorization checks. (correct)

What does the principle of Least Privilege mean in the context of application security?

Assigning users the minimum privileges necessary to complete their job. (B)

What is the best approach to handle access requests in an application when no access control rules are explicitly matched?

Deny access by default for security purposes. (D)

Why is it important to validate permissions on every request, regardless of the source?

To ensure consistent enforcement of access control and prevent bypasses. (A)

What is a critical step when incorporating third-party libraries or frameworks into an application regarding authorization?

Thoroughly reviewing the authorization logic of the chosen tools and implementing custom logic if necessary. (C)

Why are Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) often preferred over Role-Based Access Control (RBAC) in modern application development?

ABAC and ReBAC offer more flexibility, fine-grained control, and better support for dynamic attributes and relationships. (C)

What are the implications of exposing internal object identifiers in URLs or forms?

It can lead to authorization bypass and privilege escalation if not properly protected. (B)

Why is it important to enforce authorization checks on static resources?

Static resources may contain sensitive information and should be incorporated into access control policies. (A)

Where should authorization checks be performed to ensure effective security?

Exclusively server-side, at the gateway, or using serverless functions. (B)

What steps should be taken when an authorization check fails in an application?

Handle the failure securely, centralize the logic, and avoid exposing sensitive information in error messages. (C)

How can appropriate logging contribute to application security?

By detecting malicious activity, aiding post-incident investigations, troubleshooting access control problems, and facilitating security auditing. (D)

What is the role of unit and integration testing in the context of authorization logic?

To verify that the application performs as expected, consistently across changes, and to catch basic security flaws in access control logic. (B)

What is a key consideration when choosing between RBAC, ABAC and ReBAC?

The complexity of the application and the need for fine-grained control. (B)

What is the purpose of defining trust boundaries during the design phase of an application?

To delineate areas where data or processes are considered secure. (B)

What is 'privilege creep' and how can it be managed after an app has been deployed?

It is the gradual accumulation of unnecessary privileges by users; it can be managed by periodically reviewing permissions and ensuring they align with the design phase's definitions. (A)

Why should developers explicitly configure a deny-by-default strategy rather than relying on framework or library defaults?

The logic and defaults of third-party code may evolve over time without the developer's full knowledge, potentially impacting security. (A)

In the context of authorization, what is the risk of relying on 'security through obscurity' by masking or randomizing object identifiers?

It is not sufficient by itself, and the focus should be on controlling access to the underlying objects and/or identifiers. (A)

What is the importance of using consistent, well-defined formats for logging, and how does it relate to application security?

It allows logs to be readily parsed for analysis, aiding in the detection of malicious activity and troubleshooting of access control issues. (D)

What are the benefits of implementing Relationship-Based Access Control (ReBAC) in social network applications?

ReBAC allows users to limit access to their data (tweets or posts) to people they choose (friends, family, followers). (D)

What is the potential impact of neglecting to secure static resources in cloud storage?

It can lead to unauthorized access to sensitive information stored in those resources. (C)

What is the significance of synchronizing clocks and timezones across systems in the context of application security logging?

Accuracy is crucial in piecing together the sequence of an attack during and after incident response. (A)

Consider an application using RBAC where a user needs access to a resource only during working hours. How could ABAC meet this requirement more effectively?

ABAC can incorporate time of day as an environmental attribute, denying access outside of normal business hours. (C)

What is the best way to mitigate the risk of authorization bypass that could result from exposing internal object identifiers?

Avoid exposing identifiers to the user when possible and perform access control checks on every request. (B)

What is necessary to consider in securing cloud-based services used to store static resources?

Services must be secured using the configuration options and tools provided by the cloud vendor. (C)

How can developers avoid having the capabilities of a library, platform, or framework guide their authorization requirements?

Authorization requirements should be decided first, and then the third-party components may be analyzed in light of these requirements. (B)

How does ABAC improve upon RBAC regarding supporting multi-tenancy and cross-organizational requests?

Attribute consistency in ABAC implementations allows access control decisions to be executed and administered in separate infrastructures, while maintaining security. (C)

How might you implement user/session specific indirect references and avoid exposing identifiers to the user?

Use a tool such as OWASP ESAPI to implement indirect references. (D)

What considerations should be made to ensure an adequate level of logging is implemented in an application, and to determine the amount of information to log?

It should be determined according to the specific application environment and requirements. (A)

Why is it important to have processes for detecting and responding to vulnerable components?

Even the most robust and popular libraries and frameworks become subject to an authorization vulnerability. (B)

What is the most secure method for retrieving an object's details, such as account details?

Based solely on any currently authenticated user's identity and attributes. (B)

What are some reasons that thorough testing and auditing of roles becomes more difficult as roles become more numerous?

Both testing and auditing, critical processes for establishing trust in one's codebase and logic, become more difficult. (C)

What may happen if logging isn't properly set up?

Authorization violations may go undetected or at least remain unattributable to a particular individual or group. (A)

What is a viable workaround to the speed constraints of RBAC's 'role explosion' problem?

Only send the user ID, and then the application retrieves the user's roles, but this will increase the latency of every request. (A)

What is the primary difference between authorization and authentication?

Authentication verifies an entity's identity, while authorization verifies if a requested action is approved for that entity. (D)

Authentication is always required for accessing resources in a web application.

False (B)

What is horizontal privilege elevation?

accessing another user's resources

According to the principle of ______, users should only be granted the minimum privileges necessary to complete their job.

least privileges

Match the following terms with their descriptions:

  • Authentication = Verifying an entity's identity
  • Authorization = Verifying that a requested action is approved for a specific entity
  • Least Privilege = Granting users only the minimum privileges necessary
  • Deny by Default = Denying access unless explicitly permitted

What should an application do when no access control rules are explicitly matched for a request?

Deny the request by default for security purposes. (B)

It is sufficient to validate permissions correctly on the majority of requests, as long as critical functions are always secured.

False (B)

Developers should thoroughly review the authorization logic of chosen tools and technologies and implement ______ logic if necessary.

custom

Match the security term with its description:

  • Defense in Depth = Relying on multiple layers of security controls rather than a single one
  • Misconfiguration = Improper or incomplete setup of security features in a component
  • Dependency Check = A tool used to detect vulnerable components in a project
  • SDLC = Software Development Life Cycle

Which of the following access control models should typically be preferred for application development over RBAC?

Attribute-Based Access Control (ABAC) (C)

RBAC is well-suited for multi-tenant environments and cross-organizational requests.

False (B)

What is 'role explosion' in the context of RBAC?

defining too many roles

In ABAC, access decisions are based on attributes of the subject, object, environment conditions, and a set of ______ specified in terms of those attributes.

policies

Match the following access control models with their descriptions:

  • RBAC = Access is granted based on the roles assigned to a user.
  • ABAC = Access is granted based on attributes of the subject, object, and environment.
  • ReBAC = Access is granted based on the relationship between resources.

What type of vulnerability is it when a user can access another user's transactions by changing the acct_id parameter in a URL?

Authorization Bypass Through User-Controlled Key (C)

Masking or randomizing object IDs is a sufficient mitigation for authorization bypass vulnerabilities.

False (B)

What does IDOR stand for?

insecure direct object reference

Applications should perform access control checks on every request for the specific ______ or functionality being accessed.

object

Match the mitigation strategies with the type of vulnerability they address:

  • Implement user specific indirect references = Insecure Direct Object References (IDOR)
  • Perform access control checks on every request = Authorization Bypass Through User-Controlled Key

What is a common oversight in application security that can lead to vulnerabilities?

Securing databases while overlooking static resources. (A)

Client-side access control checks are sufficient for securing resources, as they improve user experience.

False (B)

Where should access control checks be performed to ensure they are not bypassed?

server-side

Developers must never rely on ______ access control checks, as they are often easy to bypass.

client-side

Match the following locations with where authorization checks can be performed:

  • Server-Side = The most secure location for authorization checks
  • Gateway = Another location where authorization checks can be performed
  • Serverless Function = A modern approach to performing authorization checks

What can result from improper handling of failed access control checks?

The application being left in an unpredictable state. (A)

It is always best to try to "correct" a failed access control check rather than simply denying access.

False (B)

What type of information should be avoided in error messages to prevent increasing the attack surface?

sensitive

Centralize the logic for handling ______ access control checks to ensure consistency and reduce the risk of errors.

failed

Match the following recommendations with their explanations:

  • Handle all errors and exceptions = To prevent the application from being left in an unpredictable state
  • Centralize logic for failed access control checks = To ensure consistency in error handling
  • Avoid sensitive information in error messages = To prevent exposing system details to potential attackers

What is the purpose of logging in application security?

To detect malicious activity, troubleshoot problems, and aid in security auditing. (B)

Logging is only important during the post-incident investigation phase.

False (B)

Why is it important that clocks and timezones are synchronized across systems?

incident response

Application logs should be incorporated into a centralized log server or ______ for better analysis and monitoring.

SIEM

Match the logging challenges with their potential consequences:

  • Too little logging = Malicious activity goes undetected
  • Too much logging = Strained resources and excessive false positives
  • Inconsistent logging formats = Difficult analysis and integration

What is the primary benefit of creating unit and integration test cases for authorization logic?

They can help reduce the number of security flaws that make it into production. (B)

Unit and integration tests are a complete substitution for dedicated security tests and penetration tests.

False (B)

Unit and integration tests are good at catching the "low-hanging fruit" of security issues but not more ______ attack vectors.

sophisticated

Match the testing types with their descriptions:

  • Unit Testing = Testing individual components or functions in isolation
  • Integration Testing = Testing the interaction between different components
  • Security Testing = Testing for vulnerabilities and weaknesses in the application

Flashcards

Authorization

The process of verifying that a requested action is approved for a specific entity.

Authentication

The process of verifying an entity's identity.

Least Privileges

Assigning users only the minimum privileges necessary to complete their job.

Deny by Default

An application should be configured to deny access by default.

Validate Permissions on Every Request

Validate permissions on every request, regardless of the source.

Role-Based Access Control (RBAC)

A model of access control in which access is granted or denied based upon the roles assigned to a user.

Attribute-Based Access Control (ABAC)

An access control model where access is based on attributes of the subject, object, environment, and policies.

Relationship-Based Access Control (ReBAC)

An access control model that grants access based on the relationships between resources.

Exposing internal object identifiers

Applications often expose the internal object identifiers (such as an account number or Primary Key in a database) that are used to locate and reference an object.

Server-Side Authorization Checks

Access control checks must be performed server-side, at the gateway, or using serverless functions.

Secure Static Resources

Although unprotected static resources are certainly a problem for websites and web applications of all forms, in recent years, poorly secured resources in cloud storage offerings (such as Amazon S3 Buckets) have risen to prominence.

Centralize Failed Check Logic

Centralize the logic for handling failed access control checks.

Consistent Logging Formats

Log using consistent, well-defined formats that can be readily parsed for analysis.

Unit and Integration Testing

Unit and integration testing of access control logic can help reduce the number of security flaws that make it into production.

Impact of Authorization Flaws

The potential impact resulting from exploitation of authorization flaws is highly variable, both in form and severity.

Horizontal Privilege Elevation

Horizontal privilege elevation refers to being able to access another user's resources.

Risk of Not Enforcing Least Privilege

Failure to enforce least privilege can jeopardize the confidentiality of sensitive resources.

Reviewing Permissions

Review permissions periodically for "privilege creep".

Explicit Configuration

Explicit configuration should be preferred over relying on framework or library defaults for access control.

Defense in Depth

Defense in depth: do not depend on any single framework, library, technology, or control to be the sole thing enforcing proper access control.

Authorization First

Authorization requirements should be decided first and then the third-party components may be analyzed in light of these requirements.

Error Message Security

Misconfigured error messages can increase the attack surface of your application.

Balancing logging

Carefully determine the amount of information to log according to specific requirements.

Securing Static Resources

Ensure static resources are incorporated into access control policies.

Study Notes

  • Authorization is verifying that a requested action or service is approved for a specific entity.
  • Authentication is verifying an entity's identity, and is distinct from authorization.
  • An authenticated user may not be authorized to access every system resource or perform every possible action.
  • Authentication is unnecessary for accessing public resources, such as images or login pages, or even an entire web app.
  • Authorization flaws are a major concern for web apps, with Broken Access Control being ranked as the most concerning web security vulnerability in OWASP's 2021 Top 10.
  • Exploitation of authorization flaws can result in attackers reading, creating, modifying, or deleting protected resources.
  • Both unauthenticated outsiders and authenticated users can exploit authorization weaknesses.
  • Horizontal privilege elevation, where users access other users' resources, is a common weakness. Logging related to access control should be properly set up so that authorization violations do not go undetected or unattributed.
  • While honest mistakes or carelessness may enable authorization bypasses, malicious intent is typically required for access control threats to be fully realized.
  • Faults related to authorization control can allow malicious insiders and outsiders alike to view, modify, or delete sensitive resources or perform actions that they should not be privileged to do.

Enforce Least Privileges

  • Least Privileges assigns users only the minimum privileges necessary to complete their job, applying both horizontally and vertically within an organization.
  • Failure to enforce least privileges can jeopardize the confidentiality of sensitive resources.
  • During the design phase, define trust boundaries, enumerate user types and resources, and determine necessary operations for each user-resource combination to ensure all categories of attributes are considered.
  • Testing should validate that the permissions mapped out in the design phase are being correctly enforced.
  • Permissions should be periodically reviewed to avoid "privilege creep," where privileges exceed what was defined during the design phase.
  • It is easier to grant users additional permissions than to revoke existing ones.

Deny by Default

  • Applications should deny access by default when no access control rules are matched, ensuring security and preventing logic errors.
  • A "deny-by-default" mentality should be adopted during initial development and when exposing new functionality or resources.
  • Explicit configuration is preferred over relying on framework or library defaults, because the logic and defaults of third-party code may evolve without the developer's knowledge.

Validate the Permissions on Every Request

  • Permissions should be validated on every request, regardless of the source (AJAX, server-side, etc.).
  • Global, application-wide configuration should be used for permission checks, using technologies such as Java/Jakarta EE Filters, Django Middleware, .NET Core Filters, and Laravel PHP Framework Middleware.

Thoroughly Review the Authorization Logic of Chosen Tools and Technologies, Implementing Custom Logic if Necessary

  • Developers need to responsibly use libraries, platforms, and frameworks, recognizing that misconfiguration or vulnerabilities within components can lead to broken authorization.
  • Awareness of vulnerable components can be aided via tools like Dependency Check and data feeds from vendors or the NVD.
  • Defense in depth is needed: do not depend on any single framework, library, technology, or control to be the sole thing enforcing proper access control.
  • Thorough consideration of authorization is needed, realizing that prebuilt logic may be insufficient, with custom logic potentially being necessary to meet unique requirements.
  • Authorization requirements and configurations should be tested.

Prefer Attribute and Relationship Based Access Control over RBAC

  • Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC) are three basic forms of access control.
  • RBAC grants or denies access based on assigned user roles, whereas ABAC grants or denies access based on attributes of the subject, object, environment, and policies.
  • ReBAC is an access control model that grants access based on the relationships between resources.
  • ABAC and ReBAC are generally preferred over RBAC due to their support for fine-grained logic, robustness, support for multi-tenancy and cross-organizational requests, and ease of management.
  • ABAC expands the number and type of characteristics considered, incorporating environmental and dynamic attributes beyond just roles.
  • ReBAC grants access based on the relationships between resources and individual users (not just a role), allowing for fine-grained permissions.
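The two models above differ in what the decision is computed from: ABAC evaluates policies over subject, object and environment attributes (the time-of-day case from the quiz is an environmental attribute), while ReBAC walks relationships between users and resources. The following is an added example, not code from the original page or from OWASP; the attribute names, policy names, business-hours window and the sample relationship tuples are all constructed. Both evaluators deny unless something explicitly permits.

```python
# Added example, not code from the original page: a minimal ABAC policy evaluator
# with a ReBAC-style relationship check. Attribute names, policy names, the sample
# relationship tuples and the business-hours window are all constructed.

# Each policy is a predicate over (subject, action, resource, environment) attributes.
# A policy can only PERMIT; any request no policy permits is denied (deny by default).
POLICIES = [
    ("owner_reads_own_object",
     lambda s, a, o, e: a == "read" and o.get("owner") == s.get("id")),
    ("finance_reads_invoices_in_business_hours",
     lambda s, a, o, e: a == "read" and o.get("type") == "invoice"
                        and s.get("dept") == "finance"
                        and 9 <= e.get("hour", -1) < 17),   # environmental attribute
]


def abac_decide(subject, action, resource, env):
    """Return (allowed, policy_name). Only an explicit policy match yields True."""
    for name, rule in POLICIES:
        if rule(subject, action, resource, env):
            return True, name
    return False, None


# ReBAC: relationships are (object, relation, subject) tuples. A subject written as
# "group:x#member" is a userset: everyone holding "member" on group:x inherits the relation.
RELATIONS = {
    ("post:42", "viewer", "user:alice"),
    ("post:42", "viewer", "group:friends#member"),
    ("group:friends", "member", "user:bob"),
}


def rebac_check(resource, relation, user, _depth=0):
    """Does `user` hold `relation` on `resource`, directly or through group membership?"""
    if _depth > 8:  # bound recursion so a cyclic relationship graph cannot loop forever
        return False
    for obj, rel, subj in RELATIONS:
        if obj != resource or rel != relation:
            continue
        if subj == user:
            return True
        if "#" in subj:
            group, group_rel = subj.split("#", 1)
            if rebac_check(group, group_rel, user, _depth + 1):
                return True
    return False
```

Note that a finance user is denied the same invoice at hour 20 that they can read at hour 10 without any change to roles, which is exactly what RBAC alone cannot express; in the ReBAC part, bob reaches the post only through the friends group, so removing that one membership tuple revokes his access everywhere the group is used.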

Ensure Lookup IDs are Not Accessible Even When Guessed or Cannot Be Tampered With

  • Applications should avoid exposing internal object identifiers (lookup IDs) to users, as this can lead to authorization bypasses and privilege escalation.
  • The focus should be on controlling access to the underlying objects and/or identifiers, not relying on security through obscurity.
  • Exposing identifiers should be avoided when possible, and user/session-specific indirect references can be used instead.
  • Access control checks on every request for the specific object or functionality being accessed should be implemented.
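The "Deny by Default", "Validate the Permissions on Every Request" and lookup-ID sections above describe one mechanism from three angles: a single authorization entry point that every handler must pass through, that permits only on an explicit rule, and that checks the specific object being requested rather than just the caller's role. The following is an added example, not code from the original page or from OWASP; the roles, permission rules, account records and user names are constructed, and the indirect-reference map is a simplified version of the access reference map idea the notes attribute to ESAPI.

```python
# Added example, not code from the original page: one central, deny-by-default
# authorization entry point that every request handler calls, with the object-level
# check that stops one customer reading another customer's account, and a per-session
# indirect-reference map so raw database keys never reach the client. The roles,
# permission rules, account records and user names are constructed sample data.
import secrets

# Constructed stand-in for a database table keyed by its internal primary key.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 120},
    1002: {"owner": "bob", "balance": 55},
}

# Explicit permissions as (role, action, resource_type). Anything absent is denied.
PERMISSIONS = {
    ("customer", "read", "account"),
    ("support", "read", "account"),
    ("admin", "read", "account"),
    ("admin", "close", "account"),
}


class AccessDenied(Exception):
    """Raised for every failed check; the caller turns it into a generic 403."""


def authorize(user, action, resource_type, resource):
    """Single entry point for every request: role check, then object-level check.

    `user` is {"name": ..., "role": ...} or None when unauthenticated; `resource` is
    the loaded object or None. The only way to return is an explicit match.
    """
    if user is None:
        raise AccessDenied("unauthenticated")
    if (user["role"], action, resource_type) not in PERMISSIONS:
        raise AccessDenied("no rule permits this action")
    # Horizontal check: customers only reach accounts they own. Support and admin get
    # cross-account access through an explicit rule above, never by omission.
    if resource_type == "account" and user["role"] == "customer":
        if resource is None or resource.get("owner") != user["name"]:
            raise AccessDenied("object not owned by caller")
    return True


def is_allowed(user, action, resource_type, resource):
    """Boolean wrapper around authorize(), convenient for tests and templates."""
    try:
        return authorize(user, action, resource_type, resource)
    except AccessDenied:
        return False


class IndirectReferenceMap:
    """Per-session map between random opaque tokens and internal keys (the idea behind
    ESAPI's access reference maps). Only the tokens are ever sent to the client."""

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def add(self, direct_key):
        if direct_key not in self._direct_to_indirect:
            token = secrets.token_urlsafe(12)  # unguessable, meaningless outside this session
            self._direct_to_indirect[direct_key] = token
            self._indirect_to_direct[token] = direct_key
        return self._direct_to_indirect[direct_key]

    def resolve(self, token):
        # A tampered or guessed token simply fails to resolve.
        return self._indirect_to_direct.get(token)


def get_account(user, session_map, token):
    """Request handler: resolve the indirect reference, authorize, then return the object.

    The authorization call happens on every request and covers the specific object,
    so even a leaked or guessed internal id does not bypass the ownership check.
    """
    acct_id = session_map.resolve(token)
    account = ACCOUNTS.get(acct_id) if acct_id is not None else None
    authorize(user, "read", "account", account)
    if account is None:
        raise AccessDenied("no such object")  # same generic outcome as a denial
    return account
```

In a framework this `authorize()` call is what a Django middleware, Jakarta EE filter or .NET Core filter would invoke before dispatching to any view; the indirect-reference map is a defence-in-depth layer on top of it, not a replacement for the ownership check, which is why `get_account()` still authorizes after resolving the token.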

Enforce Authorization Checks on Static Resources

  • Static resources must be incorporated into access control policies, with protection varying based on the resource type and data exposed.
  • Cloud-based services to store static resources should be secured using vendor-provided configuration options and tools.
  • The same access control logic and mechanisms used to secure other application resources and functionality should be implemented to protect static resources.

Verify that Authorization Checks are Performed in the Right Location

  • Client-side access control checks should be avoided, as they can easily be bypassed and should not be the deciding factor in granting or denying access to a resource.
  • Access control checks must be performed server-side, at the gateway, or using serverless functions.

Exit Safely when Authorization Checks Fail

  • Developers should plan for and securely handle failed access control checks to avoid leaving the application in an unpredictable state.
  • Exceptions and failed access control checks should be handled, and logic for failed checks should be centralized.
  • Handling of exceptions and authorization failures should be verified to ensure stability.
  • Sensitive information should not be exposed in error messages.

Implement Appropriate Logging

  • Logging is crucial for detecting malicious activity, post-incident investigations, troubleshooting, and security auditing.
  • Logging should use consistent, well-defined formats, with careful consideration of the amount of information to log.
  • Clocks and timezones should be synchronized across systems, and application logs should be incorporated into a centralized log server or SIEM.
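The two sections above fit together: the central exit path for a failed check is also the natural place to emit the log record, with the detailed reason going to the log and only a generic message going to the client. The following is an added example, not code from the original page or from OWASP; the field names, the in-memory list standing in for a log forwarder, and the sample events are constructed. Timestamps are always written in UTC so records from different systems line up during incident response.

```python
# Added example, not code from the original page: a central handler for failed
# authorization checks that returns a generic message to the client while writing a
# structured, UTC-timestamped JSON record suitable for a central log server or SIEM.
# The field names, the in-memory sink and the sample events are constructed.
import json
from datetime import datetime, timezone

LOG_SINK = []  # stands in for the forwarder to a centralized log server / SIEM


def log_authz_event(outcome, user, action, resource_type, resource_id, reason, request_id):
    """Emit one JSON line with a fixed field set so every record parses the same way."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),  # always UTC
        "event": "authz",
        "outcome": outcome,           # "allow" | "deny"
        "user": user,                 # attributable to a principal whenever one is known
        "action": action,
        "resource_type": resource_type,
        "resource_id": resource_id,   # internal id belongs in the log, never in the response
        "reason": reason,
        "request_id": request_id,
    }
    line = json.dumps(record, sort_keys=True)
    LOG_SINK.append(line)
    return line


def deny_response(user, action, resource_type, resource_id, reason, request_id):
    """Central exit path for a failed check: log the detail, return a generic body."""
    log_authz_event("deny", user, action, resource_type, resource_id, reason, request_id)
    # Same status and body whether the object does not exist or is simply not the
    # caller's: the response must not let anyone tell the two cases apart.
    return 403, {"error": "access denied", "request_id": request_id}


def parse_authz_log(lines):
    """Consumer side: the fixed schema lets a SIEM rule count denials per user."""
    denials = {}
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "authz" and rec["outcome"] == "deny":
            denials[rec["user"]] = denials.get(rec["user"], 0) + 1
    return denials
```

The `request_id` is the only detail shared between the client response and the log record, so a support engineer can find the full reason for a denial without the error message itself revealing object identifiers or rule names.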

Create Unit and Integration Test Cases for Authorization Logic

  • Unit and integration tests are essential for verifying that an application performs as expected, especially for access control logic.
  • Testing should incorporate concepts such as denying access by default, safe termination on failed checks, and proper enforcement of ABAC/ReBAC policies.
  • Unit and integration testing of access control logic can help reduce the number of security flaws that make it into production, but it catches the low-hanging fruit rather than more sophisticated attack vectors and is not a substitute for dedicated security and penetration testing.
