Background
This is the most common web-application flaw. It is about whether the website properly enforces who can do what once someone is logged in, not just in the menus it shows, but on every request the server handles.
Questions to ask yourself
- When the developer built our customer portal, did they specifically test ‘logged in as customer A, view customer B's data’?
- Are admin URLs publicly guessable?
- Did the same person who wrote the front-end check the back-end permissions?
- Have we ever had a third party test the portal for this?
What you can do today
Three checks
Easy to find, easy to forget to test.
1. Ask your developer for the access-control matrix: who can see and do what.
2. Run the "different user" test: log in as a regular customer and try to reach /admin or other customers' data.
3. For anything handling money or personal data, have an external pen test before launch and annually after.
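As an added example that is not part of the original page, the following Python sketch shows what checks 1 and 2 look like in code for a tiny in-memory customer portal: an access-control matrix written down as data, a vulnerable order lookup beside the fixed one, and a harness that runs the "different user" test against each row of the matrix. Every user, order, route name and function here is a constructed assumption, not anyone's real portal.

```python
# Added example, not from the original page: a tiny in-memory "customer
# portal" with a vulnerable and a fixed order lookup, plus a harness that runs
# the "different user" test from an access-control matrix. All users, orders
# and route names below are constructed sample data.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the logged-in user may not perform the action."""


class NotFound(Exception):
    """Raised when the record does not exist."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "customer" or "admin"


# Constructed sample users and records.
USERS = {
    "alice": User("alice", "customer"),
    "bob": User("bob", "customer"),
    "ops": User("ops", "admin"),
}
ORDERS = {
    "1001": {"owner": "alice", "total": 49.90},
    "1002": {"owner": "bob", "total": 12.00},
}


def get_order_vulnerable(session_user: User, order_id: str) -> dict:
    """Broken access control: the order is fetched by id alone, so any
    logged-in customer can read any other customer's order."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(session_user: User, order_id: str) -> dict:
    """Server-side ownership check: customers see only their own orders,
    admins see all. The check runs on every request, not only in the UI."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if session_user.role != "admin" and order["owner"] != session_user.user_id:
        raise Forbidden(f"{session_user.user_id} may not read order {order_id}")
    return order


def admin_dashboard(session_user: User) -> dict:
    """Admin-only route: knowing the URL is not enough, the role is checked."""
    if session_user.role != "admin":
        raise Forbidden(f"{session_user.user_id} is not an admin")
    return {"customers": sum(1 for u in USERS.values() if u.role == "customer")}


def is_denied(handler, *args) -> bool:
    """The 'different user' test: True if the handler refuses the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


# Access-control matrix (check 1): who may do what. Each row is
# (logged-in user, action, argument, expected to be allowed?).
ACCESS_MATRIX = [
    ("alice", "view_order", "1001", True),   # own order
    ("alice", "view_order", "1002", False),  # another customer's order
    ("bob", "view_order", "1001", False),
    ("ops", "view_order", "1002", True),     # admin may see all orders
    ("alice", "admin_dashboard", None, False),
    ("ops", "admin_dashboard", None, True),
]


def run_matrix(get_order) -> list:
    """Check an order-lookup implementation against the matrix (check 2,
    automated). Returns the rows where behaviour disagrees with the matrix."""
    failures = []
    for user_id, action, arg, allowed in ACCESS_MATRIX:
        user = USERS[user_id]
        if action == "view_order":
            denied = is_denied(get_order, user, arg)
        else:
            denied = is_denied(admin_dashboard, user)
        if denied == allowed:  # denied when it should be allowed, or vice versa
            failures.append((user_id, action, arg, allowed))
    return failures


if __name__ == "__main__":
    print("vulnerable:", run_matrix(get_order_vulnerable))  # two rows fail
    print("fixed:", run_matrix(get_order_fixed))            # []
```

The point of writing the matrix down as data is that it becomes a regression test: when a developer adds a new route or record type, a new row goes into the matrix and the harness immediately shows whether the back-end check was actually written, independently of what the front-end hides.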