Access Control - TairinySimeonato/WebAuditing GitHub Wiki

What is Access Control?

Access control is how a web app grants some users, but not others, access to particular functionality and data. These checks are performed after authentication, and govern what an authenticated user is actually allowed to do.

Authentication vs. Authorization

Authorization is the process of deciding whether a request to access a particular resource should be granted or denied. It includes the rules that determine what functionality and data the user (or principal) may access.

Authentication is providing and validating identity.

Access Control Issues

  • Insecure IDs
  • Forced Browsing Past Access Control Checks
  • Path Traversal
  • File Permissions
  • Client Side Caching

Permissions

  • Read
  • Write
  • Execute
  • Create
  • Delete
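The following is an added example, not code from the WebAuditing wiki, that ties the issues list and the permissions list together: a minimal server-side authorization layer with a vulnerable "insecure ID" lookup beside its hardened form (ownership plus read/write/delete permission checks), and a path-confinement check for the path traversal issue. The users, documents, roles and upload root are all constructed for the example; forced browsing and client-side caching are not modelled here.

```python
# Added example (not from the original wiki). All users, documents, roles and
# paths are constructed sample data.
from dataclasses import dataclass
from pathlib import PurePosixPath

# The five permissions from the wiki's list.
READ, WRITE, EXECUTE, CREATE, DELETE = "read", "write", "execute", "create", "delete"

# Assumed role-to-permission policy for this example.
ROLE_PERMISSIONS = {
    "viewer": frozenset({READ}),
    "editor": frozenset({READ, WRITE, CREATE}),
    "admin": frozenset({READ, WRITE, EXECUTE, CREATE, DELETE}),
}


@dataclass
class Principal:
    name: str
    roles: frozenset


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data.
USERS = {
    "alice": Principal("alice", frozenset({"editor"})),
    "bob": Principal("bob", frozenset({"viewer"})),
    "root": Principal("root", frozenset({"admin"})),
}
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}
UPLOAD_ROOT = PurePosixPath("/srv/app/uploads")


class Forbidden(Exception):
    """Raised for every denied request; the caller maps it to one generic response."""


def insecure_get_document(doc_id: int) -> str:
    """Vulnerable: the numeric ID is the only 'check'. Any authenticated user
    can read any document simply by supplying another doc_id (insecure ID)."""
    return DOCUMENTS[doc_id].body


def permissions_of(user: Principal) -> frozenset:
    """Union of the permissions granted by each of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(user: Principal, doc: Document, action: str) -> None:
    """Server-side check: the user must hold the permission for the action,
    and must own the object unless they hold the admin role."""
    if action not in permissions_of(user):
        raise Forbidden(f"{user.name} lacks the {action} permission")
    if doc.owner != user.name and "admin" not in user.roles:
        raise Forbidden(f"{user.name} does not own document {doc.doc_id}")


def _lookup(doc_id: int) -> Document:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same exception as a denial, so a missing ID and a foreign ID look alike.
        raise Forbidden("no such document")
    return doc


def secure_get_document(user: Principal, doc_id: int) -> str:
    """Hardened lookup: ownership and READ permission are checked before the body is returned."""
    doc = _lookup(doc_id)
    authorize(user, doc, READ)
    return doc.body


def secure_delete_document(user: Principal, doc_id: int) -> bool:
    """DELETE requires the permission and ownership (or admin), like any other action."""
    doc = _lookup(doc_id)
    authorize(user, doc, DELETE)
    del DOCUMENTS[doc_id]
    return True


def resolve_upload(user: Principal, filename: str) -> PurePosixPath:
    """Confine a user-supplied filename to the user's own upload directory.
    Rejects absolute paths and any '..' segment, then re-checks that the
    joined path still lies strictly below that directory."""
    candidate = PurePosixPath(filename)
    if candidate.is_absolute() or ".." in candidate.parts:
        raise Forbidden("path escapes the upload directory")
    user_dir = UPLOAD_ROOT / user.name
    target = user_dir / candidate
    if user_dir not in target.parents:
        raise Forbidden("path does not resolve below the user directory")
    return target


def denied(fn, *args) -> bool:
    """True if calling fn(*args) is refused with Forbidden; used by the demo below."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, bob = USERS["alice"], USERS["bob"]
    print("insecure lookup leaks bob's doc to anyone:", insecure_get_document(2))
    print("bob reading alice's doc denied:", denied(secure_get_document, bob, 1))
    print("alice deleting her own doc denied (editor lacks DELETE):",
          denied(secure_delete_document, alice, 1))
    print("traversal denied:", denied(resolve_upload, alice, "../bob/secret.txt"))
```

The vulnerable and hardened lookups return the same data for a legitimate request; the difference is only visible when the caller is not the owner, which is exactly why this class of bug survives functional testing. Keeping the "not found" and "not yours" cases behind one exception also avoids turning the ID space into an oracle.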

References