To avoid broken access control, choose one access control model for your application, apply it consistently throughout development, and test it continuously so that it has as few points of failure as possible. The four standard access control models are Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC). Each model has strengths and weaknesses and must be selected carefully to match your system's design and purpose.
EXAMPLE OF AN ATTACK.
Checking access controls only partially (black-list mode) is risky. If a developer adds new pages but forgets to update the access control logic, those pages fall outside the check: users without the proper access rights can still visit them and perform malicious actions.
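As an added example (not code from the original article), the following Python contrasts the black-list check described above with a default-deny check over the same route table; the roles, paths and the newly added page are constructed for illustration.

```python
"""Black-list access check beside a default-deny access check (added example)."""

# Constructed role ordering: guest < user < admin.
ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}

# Black-list mode: only pages the developer remembered to list are protected.
DENY_LIST = {
    "/admin/users": "admin",
    "/admin/settings": "admin",
}

def allowed_blacklist(role: str, path: str) -> bool:
    """Anything absent from the deny-list is reachable by anyone."""
    required = DENY_LIST.get(path)
    if required is None:
        return True  # unlisted page -> open to every visitor
    return ROLE_RANK[role] >= ROLE_RANK[required]

# Default-deny mode: every served page must be registered with a required role.
ROUTE_POLICY = {
    "/": "guest",
    "/profile": "user",
    "/admin/users": "admin",
    "/admin/settings": "admin",
}

def allowed_default_deny(role: str, path: str) -> bool:
    """A page missing from the policy is refused until it is classified."""
    required = ROUTE_POLICY.get(path)
    if required is None:
        return False  # unlisted page -> denied; the gap shows up in testing
    return ROLE_RANK[role] >= ROLE_RANK[required]

def unclassified_routes(served_routes) -> list:
    """Test-time check: routes the app serves that the policy never classified."""
    return sorted(set(served_routes) - set(ROUTE_POLICY))

# Scenario from the text: a new admin page is added (constructed path) but
# neither the deny-list nor the route policy is updated.
NEW_PAGE = "/admin/export"

def compare_new_page(role: str = "guest") -> dict:
    """Outcome for an unprivileged visitor under each mode."""
    return {
        "blacklist": allowed_blacklist(role, NEW_PAGE),
        "default_deny": allowed_default_deny(role, NEW_PAGE),
    }
```

Running `unclassified_routes` over the framework's registered routes in the test suite turns a forgotten page into a failing test rather than an exposed endpoint.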