Chapter 7. Authentication and Authorization


Many web applications suffer from broken authentication and authorization mechanisms. This chapter discusses vulnerabilities related to these mechanisms and teaches practices that can help you avoid the most common mistakes. These practices are further illustrated with example code, but be careful not to copy an example blindly out of contextit is more important to understand the principles and practices being taught. Only then can you apply them correctly.

Authentication is the process by which a user's identity is proven. This typically involves a simple username and password check. Thus, a user who is logged in is an authenticated user.

Authorization, often called access control, is how you guard access to protected resources and determine whether a user is authorized to access a particular resource. For example, many web applications have resources that are available only to authenticated users, resources that are available only to administrators, and resources that are available to everyone.

A predominant cause of access control vulnerabilities is carelessnessless care and attention are given to the sections of a web application that are used the least. Administrative features and access control are often an afterthought, and they are written with an authorized user in mind, without considering what an attacker might try to do. An authorized user is trusted more than an anonymous user, but if your administrative features are available via a public URL, they are an inviting target to an attacker. In these cases, negligence is your primary foe.

As with security, access control needs to be integrated into your design. It is not something to be bolted onto an existing application. Although possible, this approach is very error-prone, and errors in your access control are necessarily security vulnerabilities.

Access control also requires a reliable identification mechanism. After all, if an attacker can impersonate a legitimate user, any access control based on the user's identity is useless. Therefore, you want to also be mindful of attacks, such as session hijacking. See Chapter 4 for more information about sessions and related attacks.


This chapter covers four common concerns related to authentication and authorization: brute force attacks , password sniffing, replay attacks, and persistent logins.




Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net