Insufficient Authorization is when a web site permits access to
sensitive content or functionality that should require increased access
control restrictions. When a user is authenticated to a web site, it
does not necessarily mean that he should have full access to all
content and that functionality should be granted arbitrarily.
Authorization procedures are performed after authentication,
enforcing what a user, service or application is permitted to do.
Thoughtful restrictions should govern particular web site activity
according to policy. Sensitive portions of a web site may need to be
restricted to everyone expect to perhaps an administrator.
In the past, many web sites have stored administrative content and/or
functionality the in hidden directories such as /admin or /logs. If an
attacker was to directly request these directories, he would be
allowed access. He may thus be able to reconfigure the web server,
access sensitive information or compromise the web site.
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second Insufficient Authorization attack vulnerability test.