Web application security - the fast guide 1.1 | Page 19

Chapter 1 - information Security overview P a g e | 19 Generally, the “WHO” information are mapped to a set of privileges, where privileges set specify the access level for that user on the specific resource. Privileges are usually bundled in roles where each role, a role or more can be assigned to a user or a group of users. Access control robustness is a must because it can be a big source of threat by malicious users that might try to elevate their privileges or try to access resources or functionalities with different roles. 1.6.2 Input: With all the risk related to accessing data, handling the user input still the biggest challenge because of freedom level you need to give to user to fulfil the requirement of usable application which makes having defense mechanism related to the user input a necessity. a. Black listing and white listing: Covering issues related to input is not very easy task especially when it is about entering free text or when it is related to hidden information that is not part of user direct interaction like hidden fields and cookie information. Input handling is usually done by applying common approaches depending on either accept only the good input based on known patterns or by rejecting suspicious input based on common blacklists. Black List Accept All; Deny Malicious X; Deny Malicious Y; Deny Malicious …; White List Deny All; Accept X; Accept Y; Accept …; Figure 11: Black List & white list approaches b. Sanitization: Even though that the whitelisting and blacklisting seem to be very efficient, those approaches might sometime make the application less user friendly and less usable which derive the need to use other ways like sanitization.