CHAPTER 5 ATTACKING WEB AUTHORIZATION

We just saw in Chapter 4 how authentication determines if users can log into a web application. Authorization determines what parts of the application authenticated users can access, as well as what actions they can take within the application. Since the stateless HTTP protocol lacks even the most basic concept of discrete sessions for each authenticated user, web authorization is challenging to implement and consequently profitable to attack.

NOTE

We will sometimes abbreviate authentication as “authn,” and authorization as “authz.”

Authorization is classically implemented by providing the authenticated user’s session with an access token that uniquely identifies him or her to the application. The application ...
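As an added illustration of the classical approach described above (this is example code, not from Hacking Exposed Web Applications), the following minimal server-side authorization layer maps opaque access tokens to users and then checks each request against the user's ownership and role. The users, documents, roles and function names are constructed for the example; the point is that because HTTP is stateless, the token only tells the server who is asking, and the authorization decision must be re-made on every request. A deliberately weak variant that stops at authentication is included beside the checked one so the difference is visible.

```python
"""Added example (not from the book): opaque session tokens plus
per-request authorization checks. All data below is constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample users and documents (assumed, not from the page).
USERS: Dict[int, User] = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
DOCS: Dict[int, Document] = {
    100: Document(100, 1, "alice's notes"),
    200: Document(200, 2, "bob's notes"),
}

# Server-side session store: random opaque token -> user id.
# The token carries no claims; every bit of authority is looked up here.
SESSIONS: Dict[str, int] = {}


class AuthError(Exception):
    """Request could not be tied to an authenticated user (authn failure)."""


class Forbidden(Exception):
    """User is known but not allowed to do this (authz failure)."""


def login(user_id: int) -> str:
    """Issue an unguessable token once authentication (Chapter 4) succeeds."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def logout(token: str) -> None:
    """Revoke a token; later requests with it fail closed in current_user()."""
    SESSIONS.pop(token, None)


def current_user(token: Optional[str]) -> User:
    """Resolve the token to a User, failing closed on anything unknown."""
    if token is None or token not in SESSIONS:
        raise AuthError("missing or invalid session token")
    return USERS[SESSIONS[token]]


def get_document(token: Optional[str], doc_id: int) -> Document:
    """Checked read: owner or admin only, decided fresh on every request."""
    user = current_user(token)
    doc = DOCS.get(doc_id)
    # Same error for missing and forbidden so the response does not reveal
    # which document ids exist to a caller who may not read them.
    if doc is None or (doc.owner_id != user.user_id and user.role != "admin"):
        raise Forbidden(f"user {user.user_id} may not read document {doc_id}")
    return doc


def delete_document(token: Optional[str], doc_id: int) -> bool:
    """Checked action: authorization covers actions, not just reads."""
    doc = get_document(token, doc_id)  # reuses the ownership/role decision
    del DOCS[doc.doc_id]
    return True


def get_document_unchecked(token: Optional[str], doc_id: int) -> Document:
    """Weak variant for contrast: authenticates the caller but never asks
    whether that caller may see this particular document. Any logged-in
    user can read any id; this is the defect the checked version prevents."""
    current_user(token)
    return DOCS[doc_id]
```

The design choice worth noting is that `get_document` fails closed and returns the same `Forbidden` for a nonexistent id and for someone else's document, and that `delete_document` reuses the read check rather than duplicating it; an action endpoint that skipped the check would be exactly the kind of gap that separates authentication from authorization.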

Get Hacking Exposed Web Applications, Third Edition, 3rd Edition now with the O’Reilly learning platform.
