The following are the suggested patterns to apply:
• Data Origin Authentication (digital signature)
• Data Confidentiality (encryption)
◦ Service Contract
◦ Service Messaging
• Resource Data Storage or similar resources
Missing function-level access control
Missing function-level access control vulnerability denotes insufficient authorization. It is
not enough to just check whether the user is valid; a system must guarantee that this user
will be allowed to call only permitted operations.
The Entitlement Server is an essential part of identity management, and for API management, Oracle Enterprise Repository with Registry (UDDI) synchronization is highly important. In terms of authorization, all your policy definition points should be supplied with connectivity to the IAM Rights/Entitlement store. Needless to say, any client-based validations for authorization do not make sense.
The following are the suggested patterns to apply:
• Service Perimeter Guard
• Service Contract (concurrent contract)
• Service Messaging
• MDM for all identity sources
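An added example, not from the book, of the distinction made above: a dispatcher that only authenticates beside one that also asks a server-side policy decision point backed by an entitlement store, default deny, ignoring any role the client claims for itself. The session table, entitlement store and operation names are constructed.

```python
# Constructed entitlement store: stands in for the IAM Rights/Entitlement store.
ENTITLEMENTS = {
    "alice": {"order.read", "order.create"},
    "bob": {"order.read"},
}

# Constructed session table: stands in for the authentication result.
VALID_SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Constructed service operations, keyed by the operation name in the request.
OPERATIONS = {
    "order.read": lambda user: f"orders of {user}",
    "order.create": lambda user: f"order created for {user}",
    "order.delete": lambda user: f"orders of {user} deleted",
}


def authenticate(session_id):
    """Checks identity only: returns the user bound to the session, or None."""
    return VALID_SESSIONS.get(session_id)


def dispatch_vulnerable(session_id, operation):
    """Missing function-level access control: a valid user may call any operation."""
    user = authenticate(session_id)
    if user is None:
        return (401, "not authenticated")
    if operation not in OPERATIONS:
        return (404, "unknown operation")
    return (200, OPERATIONS[operation](user))


def is_permitted(user, operation):
    """Policy decision point: default deny, decided from the server-side store."""
    return operation in ENTITLEMENTS.get(user, set())


def dispatch_hardened(session_id, operation, claimed_role=None):
    """Authentication first, then authorization per operation.

    claimed_role is whatever the client asserts about itself (e.g. a role
    header); it is deliberately never consulted, since client-side
    authorization claims carry no weight.
    """
    user = authenticate(session_id)
    if user is None:
        return (401, "not authenticated")
    if operation not in OPERATIONS:
        return (404, "unknown operation")
    if not is_permitted(user, operation):
        return (403, f"{user} is not entitled to {operation}")
    return (200, OPERATIONS[operation](user))
```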
Cross-site request forgery (CSRF)
This is a kind of manipulation in which a legitimate client is forced to send a request to the service on behalf of a forger. Such a request can carry session-related information, including cookies.
Distributing session cookies is a common practice, for instance, in multiscreen IP TV, when a valid user wants to transfer active session data from the big screen to his or her tablet (or vice versa). An attacker can emulate this situation in order to capture and analyze the session data.
The following is the suggested pattern to apply:
• Service Perimeter Guard