Authorization: its not just for access control any more. The paper and code for "Using the OWASP Top Ten to Upgrade your Authorization Services" that Srijith Nair and I wrote is available at Axiomatics. The exercise was a new and fun one to work on. Instead of extending access control models that make decisions based on user, privileges, permissions, and attributes to see what a user is allowed to do. We turned the model on its head and show how authorization services are in a great position in the architecture to block attacks like Forced Browsing, JSON Injection, Direct Object Reference, Parameter Tampering and more.
Instead of access control rules for what your users can do, which is the classic access control scheme, we looked at how ABAC can close out vulnerabilities. We tried to stay with the spirit of WebGoat, using it as a learning lab. Its a fundamentally different approach from how authorization is usually used, but I think its worthwhile to consider because the ABAC PEP and PDP are in the right place to rule things out (vulns/vectors).
To close out vulnerabilities, you need the right location (the PEP isn't bypassable). You need access to the right attributes along with the ability to code and enforce logic based on policy. The XACML/ABAC PDP has both of these. There is a lot to be said for leveraging security improvements near at hand. The location and granularity available in ABAC and XACML means that these are underutilized tools in application security. We just scratch the surface on what they can do to block attacks and hope to hear more from the app sec community on other attack types that can benefit form this dual mode (access enabler/attack blocker) approach. We will contribute some more ideas in an OWASP cheat sheet soon
Lastly, we'd like to thank Jeff Williams, Sherif Koussa, and the other WebGoat authors for making a great lab environment to build on.
Comments