Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 602
Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 639
Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 285
[DELETED, DUPLICATE OF 4.1.3]
Level 1 required: False
Level 2 required: False
Level 3 required: False
Verify that access controls fail securely including when an exception occurs. (C10)
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 285
Credit via OWASP ASVS. For more information visit the OWASP ASVS Project or its GitHub repository. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.