- This application demonstrates one of the top 10 IEEE software security design flaws.
- The IEEE Computer Society Center for Secure Design organized a workshop in 2014, where participants came up with a list of the top security design flaws (link).
- One of these design flaws deals with authentication and authorization, i.e. the validation of a user's identity and deciding whether to allow or disallow the user access to a certain resource.
- In particular, it is necessary to code software so that users cannot bypass the authentication mechanism by directly navigating to a restricted URL or by reusing a previously authenticated session.
- In this particular demonstration, we will provide you with a container serving a simple webpage, which has certain resources that are restricted to administrative accounts.
- However, the webpage has certain design flaws that allow users to bypass an authorization check and access these restricted resources if they know the URL to these resources.
- You will be given an opportunity to look at the code for the website and also a proposed fix and verify that the fix indeed solves the authorization loophole.
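The following is an added illustration of the flaw described above and of the shape a fix takes; it is not the demo container's own code. It models a tiny request dispatcher with a constructed server-side session store (`SESSIONS`, `SESSION_TTL` and the `/admin` prefix are assumed values). The vulnerable handler only checks the role when deciding whether to show the admin link on the home page, so any request that goes straight to `/admin` is served; the hardened handler enforces the check on every restricted request, and also rejects sessions that have expired or been logged out.

```python
from typing import Optional, Tuple

# Assumed policy for this example: restricted URL prefixes and session lifetime.
RESTRICTED_PREFIXES = ("/admin",)
SESSION_TTL = 900  # seconds

# Constructed server-side session store: session id -> record.
SESSIONS = {
    "sess-admin": {"user": "alice", "role": "admin", "issued": 1_000},
    "sess-user":  {"user": "bob",   "role": "user",  "issued": 1_000},
}


def is_restricted(path: str) -> bool:
    """True for /admin itself and anything below it."""
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def vulnerable_handle(path: str, session_id: Optional[str]) -> Tuple[int, str]:
    """Flawed design: the role check lives only in the page that renders the
    menu. The restricted handler trusts that nobody reaches it without the
    link, so direct navigation to the URL is served unconditionally."""
    if path == "/":
        sess = SESSIONS.get(session_id)
        show_admin_link = bool(sess and sess["role"] == "admin")
        return 200, "home" + (" [admin link]" if show_admin_link else "")
    if is_restricted(path):
        return 200, "admin panel"  # no authorization check here
    return 404, "not found"


def hardened_handle(path: str, session_id: Optional[str], now: int) -> Tuple[int, str]:
    """Fixed design: authorization is enforced at the entry point of every
    restricted request, against the server-side session record, which must
    still exist and still be within its lifetime."""
    if is_restricted(path):
        sess = SESSIONS.get(session_id)
        if sess is None:
            return 401, "login required"      # no or logged-out session
        if now - sess["issued"] > SESSION_TTL:
            return 401, "session expired"     # stale session is not reused
        if sess["role"] != "admin":
            return 403, "forbidden"           # authenticated but not authorized
        return 200, "admin panel"
    if path == "/":
        return 200, "home"
    return 404, "not found"


def logout(session_id: str) -> None:
    """Invalidate the session server-side so it cannot be replayed."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    # Same request, both designs: anonymous user going straight to /admin.
    print("vulnerable:", vulnerable_handle("/admin", None))
    print("hardened:  ", hardened_handle("/admin", None, now=1_100))
```

The key design point is where the check sits: in the hardened version it is part of the restricted route itself, not of the page that links to it, so hiding a link is never relied on as a control.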
- Ready to go? Try It!
- Note: You will have around 20 minutes to test this application.