Resource Authorization

  • This application demonstrates one of the IEEE Center for Secure Design's top 10 software security design flaws.

  • The IEEE Computer Society Center for Secure Design organized a workshop in 2014 whose participants compiled a list of the top software security design flaws.

  • One of these design flaws concerns authentication and authorization, i.e. verifying a user's identity (authentication) and deciding whether that user may access a given resource (authorization).

  • In particular, the software must be written so that users cannot bypass the authentication mechanism, whether by navigating directly to a restricted URL or by reusing a previously authenticated session.

  • In this demonstration you will be given a container serving a simple webpage with certain resources that are restricted to administrative accounts.

  • However, the webpage has a design flaw: the authorization check is not enforced on the restricted resources themselves, so any user who knows the URL of such a resource can request it directly and bypass the check.

  • You will have the opportunity to inspect the website's code as well as a proposed fix, and to verify that the fix indeed closes the authorization loophole.

  • Ready to go? Try It!
  • Note: You will have around 20 minutes to test this application.
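The flaw described above, and the shape of a fix, as an added example that is not the demonstration's own code: a hypothetical in-memory web app (no real framework) in which the only "protection" on `/admin/users` is that non-admins never see the link, beside a version where every request to the resource is authenticated and then authorized. The users, passwords, routes and session handling are all constructed for this example.

```python
"""Forced browsing of a restricted URL, and the per-request check that closes it.

Hypothetical in-memory web app written for this page; routes, users, passwords
and session handling are constructed, not taken from the demo container.
"""
import secrets
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional, Tuple

# Constructed user table: username -> (password, role). Plaintext only to keep
# the example short; a real application stores password hashes.
USERS = {"alice": ("alice-pw", "admin"), "bob": ("bob-pw", "user")}

Response = Tuple[int, str]  # (HTTP status, body or redirect target)


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None
    form: Dict[str, str] = field(default_factory=dict)


class App:
    """Minimal router (path -> handler) with a server-side session table."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> username
        self.routes: Dict[str, Callable[["App", Request], Response]] = {}

    def route(self, path: str):
        def register(fn):
            self.routes[path] = fn
            return fn
        return register

    def current_user(self, req: Request) -> Optional[str]:
        return self.sessions.get(req.session_id) if req.session_id else None

    def handle(self, req: Request) -> Response:
        fn = self.routes.get(req.path)
        return fn(self, req) if fn else (404, "not found")


def login(app: App, req: Request) -> Response:
    rec = USERS.get(req.form.get("user", ""))
    if rec is None or rec[0] != req.form.get("password"):
        return 401, "bad credentials"
    sid = secrets.token_urlsafe(16)  # fresh id on every login
    app.sessions[sid] = req.form["user"]
    return 200, sid


def logout(app: App, req: Request) -> Response:
    app.sessions.pop(req.session_id, None)  # invalidate server side, not just the cookie
    return 200, "logged out"


def home(app: App, req: Request) -> Response:
    user = app.current_user(req)
    if user is None:
        return 302, "/login"
    links = ["/profile"]
    if USERS[user][1] == "admin":
        links.append("/admin/users")  # link hidden from non-admins...
    return 200, " ".join(links)


def list_users(app: App, req: Request) -> Response:
    return 200, ",".join(USERS)  # the restricted resource


def build_vulnerable() -> App:
    """Flaw: hiding the link is the only check; the handler trusts anyone who knows the URL."""
    app = App()
    app.route("/login")(login)
    app.route("/logout")(logout)
    app.route("/")(home)
    app.route("/admin/users")(list_users)  # ...but the URL itself is unguarded
    return app


def require_role(role: str):
    """Fix: authenticate, then authorize, on every request to the resource."""
    def decorate(fn):
        @wraps(fn)
        def guarded(app: App, req: Request) -> Response:
            user = app.current_user(req)
            if user is None:
                return 302, "/login"  # not authenticated
            if USERS[user][1] != role:
                return 403, "forbidden"  # authenticated but not authorized
            return fn(app, req)
        return guarded
    return decorate


def build_fixed() -> App:
    app = App()
    app.route("/login")(login)
    app.route("/logout")(logout)
    app.route("/")(home)
    app.route("/admin/users")(require_role("admin")(list_users))
    return app


def probe(app: App) -> Dict[str, int]:
    """Replay the bypass attempts and return the status each one receives."""
    results = {"no_session": app.handle(Request("/admin/users"))[0]}
    _, bob = app.handle(Request("/login", form={"user": "bob", "password": "bob-pw"}))
    results["user_role"] = app.handle(Request("/admin/users", session_id=bob))[0]
    _, alice = app.handle(Request("/login", form={"user": "alice", "password": "alice-pw"}))
    results["admin_role"] = app.handle(Request("/admin/users", session_id=alice))[0]
    app.handle(Request("/logout", session_id=alice))
    results["stale_session"] = app.handle(Request("/admin/users", session_id=alice))[0]
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(build_vulnerable()))
    print("fixed:     ", probe(build_fixed()))
```

`probe` is the verification step the page asks for: against the vulnerable app every request to `/admin/users` returns 200, including one with no session at all and one reusing a session that has been logged out; against the fixed app an unauthenticated or stale session is redirected to login, a non-admin gets 403, and only an authenticated admin gets 200. The point of the decorator is that the check lives on the resource handler, so it cannot be skipped by typing the URL.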