
OWASP #5 Broken Access Control

19 Oct 2021 | By Jason Lu


To avoid incidents of broken access control, it is essential to choose one access control model for your application, stick to it throughout development, and continuously test it so that it has as few points of failure as possible. The four standard access control models are Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC). Each model has strengths and weaknesses and must be selected carefully to fit your system's design and purpose.

EXAMPLE OF AN ATTACK.

Partially checking access controls (black-list mode, where only the pages known to be sensitive are checked and everything else is served without a check) is risky. If a developer later adds pages but forgets to update the access control logic, users without the proper access rights can still visit those pages and perform malicious actions, which is a viable breach.
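The following is an added example, not code from the original post or from Xcalibyte, that shows the failure mode above in a small role-based (RBAC) dispatcher. Two policies guard the same handler table: a black-list policy that checks only the pages it knows about, and a deny-by-default allow-list policy in which every page must declare who may reach it. When a new admin page is wired up without updating either table, the black-list policy fails open and serves it to anonymous users, while the allow-list policy fails closed; the audit helper lists every page that exists without a policy entry. All users, roles, paths and handler names are constructed for the example.

```python
"""Deny-by-default (allow-list) versus black-list route authorization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed principals: one role each, as in a simple RBAC model.
ANON = User("anonymous", frozenset({"anonymous"}))
ALICE = User("alice", frozenset({"user"}))
ROOT = User("root", frozenset({"admin"}))

# Handler table: every page the application can actually serve (constructed).
HANDLERS = {
    "/": "home_page",
    "/profile": "profile_page",
    "/admin/users": "admin_users_page",
}

# Black-list policy: only pages listed here are ever checked; anything else passes.
DENY_LIST = {
    "/profile": frozenset({"user", "admin"}),
    "/admin/users": frozenset({"admin"}),
}

# Allow-list policy: every page must declare the roles that may reach it.
ALLOW_LIST = {
    "/": frozenset({"anonymous", "user", "admin"}),
    "/profile": frozenset({"user", "admin"}),
    "/admin/users": frozenset({"admin"}),
}


def denylist_allows(user: User, path: str) -> bool:
    """Black-list check: a page missing from DENY_LIST is treated as public (fails open)."""
    required = DENY_LIST.get(path)
    if required is None:
        return True
    return bool(user.roles & required)


def allowlist_allows(user: User, path: str) -> bool:
    """Deny-by-default check: a page missing from ALLOW_LIST is refused (fails closed)."""
    required = ALLOW_LIST.get(path)
    if required is None:
        return False
    return bool(user.roles & required)


def dispatch(user: User, path: str, policy) -> int:
    """Return an HTTP-style status: 404 unknown page, 403 policy refused, 200 served."""
    if path not in HANDLERS:
        return 404
    if not policy(user, path):
        return 403
    return 200


def add_page_without_policy_update(path: str, handler: str) -> None:
    """Simulate the mistake in the text: a new page is registered but no policy table is touched."""
    HANDLERS[path] = handler


def audit_unguarded_pages() -> list:
    """Pages that exist in HANDLERS but have no ALLOW_LIST entry; a cheap check for a CI gate."""
    return sorted(p for p in HANDLERS if p not in ALLOW_LIST)


if __name__ == "__main__":
    add_page_without_policy_update("/admin/export", "admin_export_page")
    for label, policy in (("black-list", denylist_allows), ("allow-list", allowlist_allows)):
        print(label, "anonymous -> /admin/export:", dispatch(ANON, "/admin/export", policy))
    print("pages without an allow-list entry:", audit_unguarded_pages())
```

Both policies agree on every page that was present when they were written; they only diverge on the page nobody remembered to guard, which is exactly the case the text warns about. Running `audit_unguarded_pages` as part of the test suite turns the forgotten entry into a build failure instead of an exposed page.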

Previous OWASP article: OWASP #4 XML EXTERNAL ENTITIES (XXE)
