2.2 Insufficient Authorization
Insufficient Authorization occurs when a web site permits access to
sensitive content or functionality that should require stronger access
control restrictions. That a user has been authenticated to a web site
does not mean he should have full access to all of its content, nor
that functionality should be granted arbitrarily.
Authorization procedures are performed after authentication and
enforce what a user, service or application is permitted to do.
Thoughtful restrictions should govern particular web site activity
according to policy. Sensitive portions of a web site may need to be
restricted to everyone except perhaps an administrator.
Example
In the past, many web sites have stored administrative content and/or
functionality in hidden directories such as /admin or /logs. If an
attacker were to directly request these directories, he would be
allowed access. He might thus be able to reconfigure the web server,
access sensitive information or compromise the web site.
References
Brute Force Attack, Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_force.html
iDefense: Brute Force Exploitation of Web Application Session ID's, by David Endler, iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf
Copyright 2004, Web Application Security Consortium. All rights reserved.