Background
The most common web-application flaw. About whether the website properly enforces who can do what once someone's logged in. A flaw means customer A can sometimes view customer B's records by changing a URL, or that “admin” pages exist that any logged-in user can reach.
Questions to ask yourself
- Have we tested ‘logged in as customer A, view customer B's data’?
- Are admin URLs publicly guessable?
- Did the same person who wrote the front-end check the back-end permissions?
- Have we ever had a third party test this specifically?
For owners — questions to ask your developer
Questions to ask your developer
Access control is the #1 web-app flaw. None of these need you to write code — they need you to ask, commission, and decide.
- 01“Show me the access-control matrix for our customer portal — who can see what, who can do what. If you can't produce one, that's the answer.”
- 02“When the portal was built, did you specifically test ‘logged in as one customer, try to view another customer's data’?”
- 03Decision: For anything that handles money or personal data, commission an external penetration test before launch and annually after.