You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Authorization is the concept of allowing access to resources only to those permitted to use them. Ensure that a verified application satisfies the following high level requirements:
Persons accessing resources hold valid credentials to do so.
Users are associated with a well-defined set of roles and privileges.
Role and permission metadata is protected from replay or tampering.
Security Verification Requirements
V4.1 General Access Control Design
#
Description
L1
L2
L3
CWE
4.1.1
Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
✓
✓
✓
602
4.1.2
Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
✓
✓
✓
639
4.1.3
Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
✓
✓
✓
285
4.1.4
[DELETED, DUPLICATE OF 4.1.3]
4.1.5
Verify that access controls fail securely including when an exception occurs. (C10)
✓
✓
✓
285
V4.2 Operation Level Access Control
#
Description
L1
L2
L3
CWE
4.2.1
Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.
✓
✓
✓
639
4.2.2
Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.
✓
✓
✓
352
V4.3 Other Access Control Considerations
#
Description
L1
L2
L3
CWE
4.3.1
Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use.
✓
✓
✓
419
4.3.2
Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.
✓
✓
✓
548
4.3.3
Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud.