This checklist is a guide for securing authorization on a website. It outlines a series of steps and best practices that should be taken to ensure that only authorized users can access sensitive information and perform certain actions on a website.

🪪 Authorization ID

| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Ensure role ID is not revealed in URL, cookies, session, local storage, and response header<br>Reason: An attacker can steal the ID and gain unauthorized access | High | Credential Theft | ACS, ASVS |
| 2 | Verify: If role ID is accessible to the user, ensure that it is validated before it is processed<br>Reason: Prevents malicious input by an attacker | High | Injection | ACS, ASVS |
| 3 | Verify: Rate limiting mechanisms exist on the role ID<br>Reason: Protection against guessing and Denial of Service (DoS) attacks | Medium | Denial of Service, Brute Force | |
| 4 | Verify: If role ID is accessible to the user, it is created using a secure random function<br>Reason: The role ID is not guessable | Medium | Brute Force | ACS, ASVS |
| 5 | Verify: Authorization ID exchange takes place over TLS (HTTPS)<br>Reason: Encrypted channel that prevents eavesdropping | High | Eavesdropping | |
| 6 | Verify: Data related to authorization is stored server side using secure encryption and hashing algorithms<br>Reason: Provides additional security in case of a database compromise | High | Credential Theft | |

📋 Authorization Policies

| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: If a library is used for authorization, ensure it is not misconfigured<br>Reason: Default configurations or misconfigurations can grant unauthorized access to an attacker | High | Misconfiguration | ACS |
| 2 | Verify: Libraries used for authorization are not vulnerable<br>Reason: An attacker can use the vulnerable library to escalate their privileges | High | Vulnerable Dependency | ACS |
| 3 | Verify: Sensitive routes cannot be accessed without proper authorization<br>Reason: Prevent directory traversal | High | Path Traversal | ACS, ASVS |
| 4 | Verify: If location-based authorization is enabled, ensure that VPN, proxy, or changing browser geolocation cannot circumvent it<br>Reason: Prevent location spoofing | Medium | Location Spoofing | ACS |
| 5 | Verify: Unauthorized access isn't granted through Insecure Direct Object Reference (IDOR)<br>Reason: Prevent unauthorized access by IDOR | Medium | Insecure Direct Object Reference | ACS, ASVS |
| 6 | Verify: Authorization checks are enforced for each page on the frontend<br>Reason: Cannot steal statically typed information of frontend pages | Low | Path Traversal | ACS |
| 7 | Verify: Ensure that authorization is validated on client and server side<br>Reason: Prevent injection and Man-in-the-Middle (MitM) attacks | Medium | Man in the Middle, Injection | ACS |
| 8 | Verify: Least privilege is enforced<br>Reason: Minimize attack surface in case someone has unauthorized access to someone's account | High | Privilege Escalation | ACS, ASVS |
| 9 | Verify: Deny by default when no authorization roles match<br>Reason: Attempts by unauthorized users to gain access are assumed to be harmful and are denied access | High | Privilege Escalation | ACS |
| 10 | Verify: Validate permissions on each request<br>Reason: Ensure all requests are coming from the right authority | Medium | Impersonation | ACS |
| 11 | Verify: Ensure appropriate logging for failed authorization attempts<br>Reason: Used for investigation in case of a breach or an attempted breach | High | Insufficient Logging | ACS |
| 12 | Verify: Proper error handling of insufficient privileges takes place<br>Reason: Terminate the request for unauthorized paths | High | Privilege Escalation | ACS |

🔴 Authorization in Production

| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Authorization roles are regularly reviewed and updated<br>Reason: Ensure each person only has the access they need | High | Privilege Escalation | |
| 2 | Verify: Audit logs are monitored regularly for anomalies<br>Reason: Identify attacks that someone tried on a user | High | Path Traversal | |
| 3 | Verify: Third party software or libraries used for authorization are updated to the most recent version and are regularly patched<br>Reason: Vulnerability in a third party resource can grant an attacker unauthorized access | High | Privilege Escalation, Path Traversal | |
| 4 | Verify: Conduct regular security assessments, vulnerability scans, and penetration testing to identify vulnerabilities in custom and third-party code<br>Reason: Identify any security vulnerabilities that might have appeared in authorization implementation | High | Most Vulnerabilities | |

🔗 Sources:

Open Web Application Security Project (OWASP):