Web application security - the fast guide 1.1 | Page 19
Chapter 1 - Information Security overview
Generally, the "WHO" information is mapped to a set of privileges,
where the privilege set specifies the access level that user has on a
specific resource.
Privileges are usually bundled into roles, and one or more roles can be
assigned to a user or to a group of users.
Access control robustness is a must, because weak access control is a
major source of threats: malicious users may try to elevate their
privileges, or try to access resources or functionality that belong to
different roles.
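The role model described above, as an added example that is not part of the book's text: a small deny-by-default authorization check in which privileges are bundled into roles, roles are attached to a user, and every decision is taken from the server-side session rather than from anything the client sends. The role names, privilege names and the request shape are constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed role-to-privilege mapping (hypothetical names, not from the book).
# Roles bundle privileges; a user may hold one or more roles.
ROLE_PRIVILEGES = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin":  {"report:read", "report:write", "report:read_all", "user:manage"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # taken from the server-side session, never from request data


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str


def effective_privileges(user):
    """Union of the privileges of every role the user holds.

    Unknown role names grant nothing, so a role that is not defined in
    ROLE_PRIVILEGES cannot accidentally widen access (deny by default).
    """
    privs = set()
    for role in user.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def has_privilege(user, privilege):
    """Vertical check: does the user's role set include this privilege?"""
    return privilege in effective_privileges(user)


def can_access_report(user, report, privilege):
    """Vertical check (privilege) plus horizontal check (ownership) for one resource.

    A user with the right privilege may still only touch their own reports,
    unless they hold the separate 'report:read_all' privilege.
    """
    if not has_privilege(user, privilege):
        return False
    if report.owner == user.name:
        return True
    return has_privilege(user, "report:read_all")


def handle_request(session_user, request):
    """Simulated dispatcher. The decision is based only on session_user; a
    'role' field supplied by the client in the request is deliberately ignored."""
    action = request.get("action")
    if action == "manage_users":
        return "ok" if has_privilege(session_user, "user:manage") else "forbidden"
    if action == "read_report":
        report = request["report"]
        return "ok" if can_access_report(session_user, report, "report:read") else "forbidden"
    return "unknown action"
```

The point of `handle_request` is that the `"role"` key a client might include in a request never reaches the decision: the authorization source of truth is the roles attached to the authenticated session, and the ownership check in `can_access_report` keeps a user with the right role from reading another user's report.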
1.6.2 Input:
With all the risk related to accessing data, handling user input is still the
biggest challenge, because of the degree of freedom you need to give the user
to meet the requirements of a usable application; this makes a defense
mechanism for user input a necessity.
a. Blacklisting and whitelisting: Covering input-related issues is not an
easy task, especially when it involves free text, or when it concerns
hidden information that is not part of the user's direct interaction, such
as hidden fields and cookie values.
Input handling is usually done with one of two common approaches: accept
only known-good input that matches known patterns (whitelisting), or reject
suspicious input that matches common blacklists (blacklisting).
Black List:
    Accept All;
    Deny Malicious X;
    Deny Malicious Y;
    Deny Malicious …;

White List:
    Deny All;
    Accept X;
    Accept Y;
    Accept …;

Figure 11: Black list & white list approaches
b. Sanitization: Even though whitelisting and blacklisting seem very
efficient, those approaches might sometimes make the application less user
friendly and less usable, which drives the need for other methods such as
sanitization.
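The three approaches from sections a and b side by side, as an added example that is not from the book: a blacklist check, a whitelist check for a structured field, a whitelist check for a hidden field that the user never types directly, and a sanitizer for free text where a strict whitelist would hurt usability. The field names, the blacklist entries and the sample inputs are constructed for this illustration.

```python
import html
import re

# Constructed blacklist of "known bad" fragments. Its weakness is structural:
# it can only reject what someone thought to list.
BLACKLIST = ("<script", "javascript:", "' or ", "--")


def blacklist_check(value):
    """Accept everything except input containing a listed fragment (Figure 11, left)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


# Whitelist for a structured field: only letters, digits and underscore, 3-20 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def whitelist_check(value):
    """Reject everything except input matching the known-good pattern (Figure 11, right)."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_quantity(raw):
    """Whitelist for a hidden field or cookie value the user does not type.

    Such values still arrive from the client and deserve the same scrutiny:
    digits only, within a sane range. Returns an int, or None when rejected.
    """
    if re.fullmatch(r"[0-9]{1,4}", raw) is None:
        return None
    qty = int(raw)
    return qty if 1 <= qty <= 1000 else None


def sanitize_comment(value, max_len=500):
    """Sanitize free text instead of rejecting it, to keep the field usable.

    Strips NUL and other non-printable characters, bounds the length and
    HTML-encodes the rest so it is rendered as text, not markup.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() or ch in "\n\t")
    cleaned = cleaned[:max_len]
    return html.escape(cleaned, quote=True)
```

Run over a few constructed inputs, the blacklist lets `<b>bold</b>` through (no listed fragment), the whitelist rejects it because `<` is not an allowed character, and the sanitizer keeps the comment but turns it into `&lt;b&gt;bold&lt;/b&gt;`, which is why the book reaches for sanitization on free-text fields where a whitelist would reject too much legitimate input.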