[Owasp-testing] Content for v4?

Jim Manico jim.manico at owasp.org
Tue Apr 12 09:00:00 EDT 2011


Thanks for posting this. I respectfully submit that this seems like poor server side enforcement of Access Control/Authorization policy.

Ive seen similar situations where sensitive data was hidden with CSS visibility style, something that I consider to be poor presentation-layer access control policy.


Jim Manico

On Apr 12, 2011, at 2:52 PM, "rick.mitchell at bell.ca" <rick.mitchell at bell.ca> wrote:

> Good morning everyone, I was browsing through v3 this morning and it occurred to me that an issue I've discovered in a number of apps recently isn't really covered by any part of v3 (please correct me if I've somehow simply missed the section).
> The issue would fall under Authorization, maybe privilege escalation testing. I usually put it under a heading such as "Enforcement of User Privileges by Elements within the User's Control" when I prepare reports. Basically it boils down to developers hiding things from users or simply marking visible controls/elements as disabled and not performing any check server side for exercise of functionality.
> In one example I had a ReadOnly account to an administrative interface where I could "setup" users. Since my account was ReadOnly the "Submit" or "Save" button on the user creation page was set as "Disabled". Using Firebug (or similar means) I simply removed the "Disabled" element on the button and was able to create new users since there was no check performed server side. The HTML in question was something like:
> <input id="btnSave" type="submit" disabled="disabled" value="Save" name="btnSave">
> I've also encountered similar situations where the following HTML was in play:
> <div style="display:none;">
> I'd be glad to write up some content for this when production of TG v4 content starts.
> Rick
> --------------------------------
> Rick Mitchell 
> Security Analyst, Security Testing and Incident Response Team
> Bell Business Markets
> Phone: 613-785-4019
> Email: rick.mitchell at bell.ca
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

More information about the Owasp-testing mailing list