[Owasp-testing] Content for v4?

daniel cuthbert daniel.cuthbert at owasp.org
Tue Apr 12 09:25:32 EDT 2011


I'm with Jim, it does seem to me that they've decided to hide functionality
over implementing a more stringent access control solution. Sad that it
still happens today.

On 12 April 2011 15:00, Jim Manico <jim.manico at owasp.org> wrote:

> Rick,
>
> Thanks for posting this. I respectfully submit that this seems like poor
> server side enforcement of Access Control/Authorization policy.
>
> I've seen similar situations where sensitive data was hidden with CSS
> visibility style, something that I consider to be poor presentation-layer
> access control policy.
>
> Fair?
>
> Jim Manico
>
> On Apr 12, 2011, at 2:52 PM, "rick.mitchell at bell.ca" <
> rick.mitchell at bell.ca> wrote:
>
> > Good morning everyone, I was browsing through v3 this morning and it
> occurred to me that an issue I've discovered in a number of apps recently
> isn't really covered by any part of v3 (please correct me if I've somehow
> simply missed the section).
> >
> > The issue would fall under Authorization, maybe privilege escalation
> testing. I usually put it under a heading such as "Enforcement of User
> Privileges by Elements within the User's Control" when I prepare reports.
> Basically it boils down to developers hiding things from users or simply
> marking visible controls/elements as disabled and not performing any check
> server side for exercise of functionality.
> >
> > In one example I had a ReadOnly account to an administrative interface
> where I could "setup" users. Since my account was ReadOnly the "Submit" or
> "Save" button on the user creation page was set as "Disabled". Using Firebug
> (or similar means) I simply removed the "Disabled" element on the button and
> was able to create new users since there was no check performed server side.
> The HTML in question was something like:
> >
> > <input id="btnSave" type="submit" disabled="disabled" value="Save"
> name="btnSave">
> >
> > I've also encountered similar situations where the following HTML was in
> play:
> >
> > <div style="display:none;">
> >
> > I'd be glad to write up some content for this when production of TG v4
> content starts.
> >
> > Rick
> >
> > --------------------------------
> > Rick Mitchell
> > Security Analyst, Security Testing and Incident Response Team
> > Bell Business Markets
> > Phone: 613-785-4019
> > Email: rick.mitchell at bell.ca
> >
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
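The pattern Rick describes, as an added example that is not code from the thread: the disabled Save button is rendered for a ReadOnly account, one handler trusts that rendering, and the hardened handler enforces the authorization policy server side and records denied attempts. The roles, session object, user store and audit list are constructed for this illustration.

```python
# Constructed model of the "disabled Save button" authorization bug and its fix.
# Roles, Session, UserStore and the audit list are assumptions for this example.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    READ_ONLY = "readonly"
    ADMIN = "admin"


@dataclass
class Session:
    username: str
    role: Role


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # denied attempts land here


def render_save_button(session: Session) -> str:
    """Presentation layer only: the attribute is a UX hint, not a control.
    Anything the browser received can be edited before the form is posted."""
    disabled = "" if session.role is Role.ADMIN else ' disabled="disabled"'
    return f'<input id="btnSave" type="submit"{disabled} value="Save" name="btnSave">'


def create_user_vulnerable(session: Session, store: UserStore, new_user: str) -> int:
    """Trusts the UI: no server-side check, so a ReadOnly session that submits
    the form anyway creates the account. Returns an HTTP-style status code."""
    store.users[new_user] = {"created_by": session.username}
    return 200


def create_user_hardened(session: Session, store: UserStore, new_user: str) -> int:
    """Enforces the policy on every request, independent of what was rendered,
    and logs the denial so a disabled-button bypass attempt is visible."""
    if session.role is not Role.ADMIN:
        store.audit.append(f"denied create_user by {session.username} ({session.role.value})")
        return 403
    store.users[new_user] = {"created_by": session.username}
    return 201
```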

