Authorization is a mechanism or a process in which someone gets rights or privileges to access certain resources. This is related to general information security and computer security, and in particular to access control. Read on to learn more about the most common authorization-related vulnerabilities, and check out our exercises to practice preventing them:
Authorization in IT security
In the IT world, resources can be things like files, computer programs, data, services, etc. Different levels of privileges exist to allow different users or clients to access certain system resources. Aside from granting privileges, denying and revoking them is also part of the authorization process.
Nowadays, web applications are everywhere. People can sign up for them and create their own profiles with the relevant privileges. To manage these “sign-up” and “sign-in” procedures, most web applications use a two-step process. The first step is checking the user’s identity. This is called authentication, and it is absolutely necessary to prevent one user from logging in to another’s profile. The second step is authorization, which allows the authenticated user to access certain resources based on the identity established in the first step.
The main authorization strategies
There are several different authorization strategies that computer systems can use. The main strategies are attribute-based access control (ABAC) and role-based access control (RBAC), but a few less significant ones exist as well.
Attribute-based access control (ABAC)
In the ABAC strategy, the authorization system makes sure the user has the proper privileges. These privileges are associated with different attributes. If the user profile does not satisfy the necessary attribute condition, the privilege will not be granted to the user.
Role-based access control (RBAC)
With the RBAC strategy, the users do not get privileges directly. RBAC defines several different roles which are assigned to users. These roles are basically just a group of certain privileges.
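The two strategies described above, side by side, as an added example (illustrative code written for this page, not Avatao's platform code). The role table, the attribute rules and the sample users are constructed; the only design rule both checks share is that anything the policy does not explicitly grant is denied:

```python
"""RBAC and ABAC decision functions over the same user object (added example)."""
from dataclasses import dataclass, field

# --- RBAC: users hold roles, and roles are just named groups of privileges ---
ROLE_PRIVILEGES = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin":  {"document:read", "document:write", "document:delete", "user:manage"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)         # consulted by the RBAC check
    attributes: dict = field(default_factory=dict)  # consulted by the ABAC check

def rbac_allows(user: User, privilege: str) -> bool:
    """Granted if any of the user's roles carries the privilege.
    A role missing from the table contributes nothing, so the default is deny."""
    return any(privilege in ROLE_PRIVILEGES.get(role, set()) for role in user.roles)

# --- ABAC: a privilege is gated by a condition over user and resource attributes ---
# Each rule is (privilege, predicate(user_attributes, resource_attributes)).
ABAC_POLICY = [
    ("document:read",   lambda u, r: u.get("department") == r.get("department")),
    ("document:write",  lambda u, r: u.get("department") == r.get("department")
                                     and u.get("clearance", 0) >= r.get("classification", 0)),
    ("document:delete", lambda u, r: u.get("employee_id") == r.get("owner_id")),
]

def abac_allows(user: User, privilege: str, resource: dict) -> bool:
    """Granted only if some rule for this privilege is satisfied by the attributes.
    No rule for the privilege, or an unmet condition, means deny."""
    return any(priv == privilege and cond(user.attributes, resource)
               for priv, cond in ABAC_POLICY)

# Constructed sample data for a quick run.
alice = User("alice", roles={"editor"},
             attributes={"department": "finance", "clearance": 2, "employee_id": 7})
bob = User("bob", roles={"viewer"},
           attributes={"department": "hr", "clearance": 1, "employee_id": 8})
budget_doc = {"department": "finance", "classification": 2, "owner_id": 7}

if __name__ == "__main__":
    for user in (alice, bob):
        for priv in ("document:read", "document:write", "document:delete", "user:manage"):
            print(f"{user.name:6} {priv:16} RBAC={rbac_allows(user, priv)!s:5} "
                  f"ABAC={abac_allows(user, priv, budget_doc)}")
```

Note the different failure modes: under RBAC, Bob is denied writes because the viewer role never carried that privilege; under ABAC, Bob is denied even reads because his department attribute does not match the document's, and Alice can delete only because an attribute of hers matches the owner attribute of the resource.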
Most frequent authorization weaknesses
Authorization bypass through user-controlled key
This weakness occurs when one user is able to access another user’s data simply by changing the key value that identifies the data (for example, an ID in a URL or request parameter), because the system’s authorization functionality does not check that the requested record belongs to the requesting user.
When someone attempts to access certain resources or perform some action, and the software does perform an authorization check but performs it incorrectly, this is known as incorrect authorization.
Missing authorization is the case where, instead of performing the check incorrectly, the software doesn’t perform an authorization check at all.
Improper authorization is a mix of the previous two: an authorization check is either not performed at all, or it’s performed incorrectly.
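The weaknesses above, shown on one object lookup, as an added example (illustrative code for this page, not Avatao's). The invoice store, the user names and the sequential IDs are constructed. The first function has no check at all (missing authorization), the second checks the wrong thing (incorrect authorization: it only confirms that someone is logged in), and both allow the user-controlled key to reach another user’s record; the third scopes the lookup to the requesting user so that a changed key yields “not found” instead of someone else’s data:

```python
"""Missing, incorrect and correct authorization on a record lookup (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int

# Constructed sample data: IDs are sequential, so one is trivially derived from another.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 990),
}

class Forbidden(Exception):
    """Raised when the requesting user may not see the record (or it does not exist)."""

# Missing authorization: the key taken from the request selects the record and
# nothing compares the record's owner with the requesting user.
def get_invoice_missing_check(current_user: Optional[str], invoice_id: int) -> Invoice:
    return INVOICES[invoice_id]

# Incorrect authorization: a check runs, but it answers the wrong question
# ("is anyone logged in?") instead of "may this user read this record?".
def get_invoice_incorrect_check(current_user: Optional[str], invoice_id: int) -> Invoice:
    if not current_user:
        raise Forbidden("login required")
    return INVOICES[invoice_id]

# Fixed: the record is looked up *and* bound to the requesting user in one decision.
# Missing and not-owned records produce the same response, so the ID space cannot be
# probed to learn which records exist. Admin access is an explicit, separate grant.
def get_invoice(current_user: Optional[str], invoice_id: int, is_admin: bool = False) -> Invoice:
    if not current_user:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner != current_user and not is_admin):
        raise Forbidden("no such invoice for this user")
    return invoice

Fetcher = Callable[[Optional[str], int], Invoice]

def can_read(fetch: Fetcher, current_user: Optional[str], invoice_id: int) -> bool:
    """True if `fetch` hands the record to `current_user`; used to compare the three variants."""
    try:
        fetch(current_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False

if __name__ == "__main__":
    # alice is logged in and asks for bob's invoice by changing 1001 to 1002
    for name, fetch in (("missing", get_invoice_missing_check),
                        ("incorrect", get_invoice_incorrect_check),
                        ("fixed", get_invoice)):
        print(f"{name:9} check: alice reads invoice 1002 -> {can_read(fetch, 'alice', 1002)}")
```

The test a reviewer should apply to any such handler is the one encoded in `can_read`: log in as one user, request a record owned by another, and expect a denial. Note also that the fixed version keeps the ownership test inside the same function as the lookup; a check that lives in a separate layer is easy to forget on the next endpoint, which is how the “missing” variant typically comes about.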
Real-life examples of authorization-related vulnerabilities
Check out some of the authorization-related exercises on our platform in which you can learn about different attack vectors and how to fix them!
Get started with secure coding training today!
Reach out to our team and find out how we can help your company scale secure coding training efficiently.
Copyright © 2021 Avatao