1. Authentication
- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
2. Authorization
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
Insufficient Authorization
Insufficient Authorization is when a web site permits access to
sensitive content or functionality that should require increased access
control restrictions. When a user is authenticated to a web site, it
does not necessarily mean that he should have full access to all
content and functionality; such access should not be granted arbitrarily.
Authorization procedures are performed after authentication,
enforcing what a user, service or application is permitted to do.
Thoughtful restrictions should govern particular web site activity
according to policy. Sensitive portions of a web site may need to be
restricted from everyone except perhaps an administrator.
Example
In the past, many web sites have stored administrative content and/or
functionality in hidden directories such as /admin or /logs. If an
attacker were to directly request these directories, he would be
allowed access. He may thus be able to reconfigure the web server,
access sensitive information or compromise the web site.
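The example above, as an added illustration that is not part of the original entry: a minimal request dispatcher in which the "hidden directory" version checks only that the user is logged in, beside a version that checks an explicit, default-deny route policy on every request. The User type, ROUTE_POLICY table and the dispatch functions are constructed for this illustration.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)

def vulnerable_dispatch(path: str, user: Optional[User]) -> int:
    """Relies on /admin and /logs being unlinked. Authentication is
    checked, but any logged-in user who requests the path directly is
    served: this is Insufficient Authorization."""
    if user is None:
        return 401
    return 200

# Explicit policy: the role each sensitive path prefix requires.
# None means public. Anything not listed is denied (default deny), so a
# forgotten directory cannot be reached just by guessing its name.
ROUTE_POLICY = {
    "/admin": "admin",
    "/logs": "admin",
    "/account": "user",
    "/public": None,
}

def hardened_dispatch(path: str, user: Optional[User]) -> int:
    """Authorize every request against ROUTE_POLICY, after authentication."""
    # Normalize so "/admin/../logs" or "/admin//x" is matched against the
    # rule that actually applies to it, not against a lookalike path.
    clean = posixpath.normpath(path)
    match = None
    # Longest prefix first, so "/account" never shadows a longer rule.
    for prefix in sorted(ROUTE_POLICY, key=len, reverse=True):
        if clean == prefix or clean.startswith(prefix + "/"):
            match = prefix
            break
    if match is None:
        return 403          # default deny for anything unlisted
    role = ROUTE_POLICY[match]
    if role is None:
        return 200          # public content
    if user is None:
        return 401          # not authenticated
    return 200 if role in user.roles else 403
```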