0

This question is with reference to the OWASP standard (Access control rules on the presentation layer are enforced on the server side - OWASP ASVS 3.0 - 4.9)

I'm trying to deeply understand what it means so that I can communicate it to a less-technical colleague.

I have considered one example: if the control isn't enforced, then a web page that won't allow a user to change a password might still accept a PHP string that forces the change-password functionality, since the page is coded to change passwords.

I think that's a little tricky to understand and I don't think it is the best example.

Any suggestions on how best to interpret this? Any examples of not adhering to this standard?

ellefc
  • 499
  • 2
  • 6
  • 14

2 Answers

1

It is simply reiterating the most basic rule of internet security - never trust anything from the client (aka presentation layer, aka browser, etc...). Since the "presentation layer" operates on an external system (i.e. the computer of the person browsing your website) the server/website has no control over what happens over there, and therefore can't trust anything it says. As a result, it must re-verify everything itself. An example should help.

Imagine you have a user portal, and there is an admin portal that is only for users that have been given permission. The presentation layer "enforces" this access restriction by simply not showing a link to the admin section if you are not an administrator. This, by itself, is not a sufficient access control. The server itself has to enforce that access control and deny access to the admin system to anyone who is not an admin. If it doesn't then any user can access the admin system by simply typing its location in their browser, and automatically gain access to the admin system. This is a simple example, but also the most common:

  • Presentation layer: don't show links to areas the user doesn't have access to
  • Server side: Reject a request to an area that the user doesn't have access to

If you only do the former you have a problem.

So that's the short summary. The server cannot trust anything the browser says because an attacker has full control over what the browser says (in fact they may not even be using a browser, but may simply be pretending to be one). Therefore, the server has to verify everything itself.

Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
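The admin-portal case from this answer, written out as a tiny simulated web application. This is an added example, not code from the original answer or from OWASP; the users, page table and role names are constructed for illustration. `render_nav` is the presentation layer, `serve_vulnerable` is a server that relies on the hidden link, and `serve_hardened` re-checks the rule on every request.

```python
"""Added example (not from the original answer): server-side enforcement
of an access-control rule that the presentation layer only hides.

Users, pages and roles below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # e.g. {"admin"}


# Which pages exist and which role each one requires (assumed layout).
PAGE_ROLES = {
    "/home": None,        # any logged-in user
    "/admin": "admin",    # administrators only
}


def render_nav(user):
    """Presentation layer: only show links the user is allowed to use.
    Good usability, but on its own it is NOT an access control."""
    return [path for path, role in PAGE_ROLES.items()
            if role is None or role in user.roles]


def serve_vulnerable(user, path):
    """Broken server: the missing link is its only 'control'.
    Anyone who types /admin into the address bar gets the admin page."""
    if path not in PAGE_ROLES:
        return 404, "not found"
    return 200, f"page {path}"


def serve_hardened(user, path):
    """Fixed server: re-checks the rule on every request, whether or not
    the client was ever shown a link to the page."""
    if path not in PAGE_ROLES:
        return 404, "not found"
    required = PAGE_ROLES[path]
    if required is not None and required not in user.roles:
        return 403, "forbidden"
    return 200, f"page {path}"


if __name__ == "__main__":
    alice = User("alice", {"admin"})
    bob = User("bob")                                   # ordinary user
    print("nav for bob:", render_nav(bob))              # ['/home']
    print("vulnerable:", serve_vulnerable(bob, "/admin"))   # (200, ...)
    print("hardened:  ", serve_hardened(bob, "/admin"))     # (403, ...)
```

The point of the two `serve_*` functions is that they receive exactly the same request; the only difference is whether the server consults `PAGE_ROLES` itself or assumes the navigation already did.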
0

An example would be where the server sends more data to the client than the client is intended to display to the user. Because the client can be manipulated in ways the server can't, you must assume anything sent to the client could be seen by the user.

Let's say that John Smith goes to Amazon and clicks on "My Orders". If the server sent a JSON response containing orders for every user with the last name "Smith", and the JavaScript running in the web browser was responsible for filtering it and only showing John's items, then this is a case where the presentation layer is enforced on the client side. The security issue is that the user can manipulate the client software (either alter the JavaScript, or use a MITM proxy) in order to see all the data, and not just what the client presentation code was intended to reveal.

I have seen small examples over the years but none large enough to be documented for reference. This is the type of error more commonly found in small, less professional software packages.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
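The "My Orders" scenario from this answer as runnable code. This is an added example, not code from the original answer or from any real shop; the order records, session dictionaries and JSON field names are constructed. `my_orders_vulnerable` is the server that returns every "Smith" order and leaves the narrowing to the browser, `browser_filter` is the client-side script that was supposed to hide the rest, and `my_orders_hardened` filters on the authenticated user id before anything leaves the server.

```python
"""Added example (not from the original answer): over-fetching that the
client is expected to hide, and the server-side filter that fixes it.

Order records and session objects below are constructed sample data."""
import json

ORDERS = [
    {"user_id": 1, "first": "John", "last": "Smith", "item": "router"},
    {"user_id": 2, "first": "Jane", "last": "Smith", "item": "laptop"},
    {"user_id": 3, "first": "Ann",  "last": "Lee",   "item": "camera"},
]


def my_orders_vulnerable(session_user):
    """Flawed server: ships every order for the user's last name and
    relies on JavaScript in the browser to keep only the right ones."""
    payload = [o for o in ORDERS if o["last"] == session_user["last"]]
    return json.dumps(payload)


def browser_filter(json_text, first):
    """What the client-side script was meant to do. Anything it drops
    has already been delivered and is visible in a proxy or devtools."""
    return [o for o in json.loads(json_text) if o["first"] == first]


def my_orders_hardened(session_user):
    """Fixed server: filters on the authenticated identity (user_id taken
    from the server-side session), so other users' rows never leave."""
    payload = [o for o in ORDERS if o["user_id"] == session_user["user_id"]]
    return json.dumps(payload)


def response_user_ids(json_text):
    """Helper for review: which user ids a response body actually contains."""
    return sorted({o["user_id"] for o in json.loads(json_text)})


def leaked_items(session_user):
    """Diagnostic: items in the vulnerable response that do not belong
    to the requesting user, i.e. what a proxy would reveal."""
    raw = json.loads(my_orders_vulnerable(session_user))
    return [o["item"] for o in raw if o["user_id"] != session_user["user_id"]]


if __name__ == "__main__":
    john = {"user_id": 1, "first": "John", "last": "Smith"}
    print("vulnerable body:", my_orders_vulnerable(john))
    print("after browser filter:", browser_filter(my_orders_vulnerable(john), "John"))
    print("leaked to the client:", leaked_items(john))          # ['laptop']
    print("hardened body:", my_orders_hardened(john))
```

The browser-side view looks identical in both designs; the difference only shows up when you look at the raw response, which is exactly where a user with a proxy will be looking.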