Secure Resource Access
Securing access to your application's resources has been touched on in several of the previous principles; here we look at the specific issues that can arise. Authenticating and authorising users, along with secure session management, have been covered already, but even correct implementations of those controls can be undermined by poor design decisions.
If a design depends on security through obscurity it is almost certain to fail. A common approach to securing sensitive locations is to hide them from users by not publishing a link to them. This provides no real security, because automated tools will discover these locations and allow attackers to access them directly. If the location contains sensitive information (e.g. /backups) or functionality (e.g. /admin) you must provide strong access control mechanisms that ensure users accessing the location are authorised to do so. The authentication and authorisation checks must not be a one-time check; each step taken by a user of a sensitive function must be evaluated.

A real-world example of a failure of this kind is the T-Mobile website hack (2005), which led to Paris Hilton's account being compromised. The password reset functionality of the T-Mobile website required a user to prove who they were by providing their phone number; the site would send them a unique token to enter into the site before they progressed to a password reset page. The problem with the site design was that it assumed users would only ever reach the password reset page after they had been authenticated. An attacker called Luckstr4w found that if you browsed directly to the password reset page you could reset the account's password without providing any evidence of who you were. The rest, as they say, is history.
You have to assume that if a resource is accessible to any of your users, it will be possible for anyone to access it. To understand how to enforce security on these resources, refer to principle number 4 (Authentication and Authorisation).
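The two failures described above, an "unlinked" admin page with no check of its own and a multi-step reset flow that trusts the client to have completed the previous step, can both be shown in a few lines. The following is an added example written for this page, not code from the original article or from T-Mobile: a small in-memory model of a web layer in which the `Session`, `Router`-style handler functions, the `USERS`, `PHONES` and `PASSWORDS` tables and the `/reset/...` step names are all constructed for the illustration. The hardened handlers perform the authorisation check on every request and keep the "token verified" state on the server, so browsing directly to the final step is rejected.

```python
"""Per-request authorisation for sensitive resources (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed user store: user id -> roles, and the reset-flow lookups.
USERS = {"alice": {"user"}, "bob": {"user", "admin"}}
PHONES = {"alice": "555-0100", "bob": "555-0101"}
PASSWORDS = {"alice": "old-alice", "bob": "old-bob"}


@dataclass
class Session:
    """Server-side session state. Step-completion flags live here, never in
    the client's request, so a user cannot claim to have done an earlier step."""
    user_id: Optional[str] = None
    reset_account: Optional[str] = None   # account the token was issued for
    reset_token: Optional[str] = None
    reset_verified: bool = False          # set only after the token check passes


class Forbidden(Exception):
    """Raised when an authorisation check fails; a web app would return 403."""


def require_role(session: Session, role: str) -> None:
    """Authorisation check executed inside every handler, not once at login."""
    if session.user_id is None or role not in USERS.get(session.user_id, set()):
        raise Forbidden(f"{role} role required")


# Vulnerable pattern: the handler's only 'protection' is that nobody links to it.
def admin_unlinked(session: Session) -> str:
    return "admin panel"   # reachable by anyone who discovers the path


# Hardened pattern: the check is part of the handler and runs on each request.
def admin_checked(session: Session) -> str:
    require_role(session, "admin")
    return "admin panel"


# Password reset modelled on the flow in the text: phone -> token -> new password.
def reset_start(session: Session, account: str, phone: str) -> str:
    if PHONES.get(account) != phone:
        raise Forbidden("account/phone mismatch")
    token = secrets.token_urlsafe(8)
    session.reset_account, session.reset_token = account, token
    session.reset_verified = False
    return token   # returned here only for the demo; a real site sends it out of band


def reset_verify(session: Session, token: str) -> None:
    if session.reset_token is None or not secrets.compare_digest(token, session.reset_token):
        raise Forbidden("bad or missing token")
    session.reset_verified = True   # the server, not the client, records the step


def reset_complete(session: Session, account: str, new_password: str) -> None:
    # Re-evaluate the earlier step here; never assume the user arrived via reset_verify.
    if not session.reset_verified or session.reset_account != account:
        raise Forbidden("token step not completed for this account")
    PASSWORDS[account] = new_password
    session.reset_account = session.reset_token = None
    session.reset_verified = False   # one verified token authorises one reset


def is_forbidden(handler, *args) -> bool:
    """True if calling handler(*args) is rejected by an authorisation check."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    anon = Session()
    print("unlinked admin reachable by anonymous user:", not is_forbidden(admin_unlinked, anon))
    print("checked admin rejects anonymous user:", is_forbidden(admin_checked, anon))
    print("direct jump to final reset step rejected:", is_forbidden(reset_complete, anon, "alice", "x"))
```

The important design point is that `reset_complete` does not trust that the request came from the verification page; it re-checks server-held state, and that state is bound to the account the token was issued for, so a verified token for one account cannot be used to reset another.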