ABSTRACT

Weak security constraints do not provide adequate protection for security-critical resources.

EXPLANATION

A web.xml that declares only a single <security-constraint> element suggests that the application does not use role-based access control, the commonly accepted best practice for protecting sensitive operations in secure web applications. With one constraint, every protected resource is governed by the same <auth-constraint>, so the container cannot distinguish, for example, administrative functions from those available to ordinary users. If the application exposes sensitive operations or data, there may therefore be no effective control preventing unauthorized users from reaching them. Furthermore, a wildcard (*) in the <url-pattern>, and in particular the pattern /*, can indicate that the pattern is overly broad: one policy is applied to the entire application rather than scoping each constraint to the resources that actually require it.
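The following audit script is an added example, not part of the original page or of any analyzer's rule set. It parses a deployment descriptor with the standard library and reports the conditions described above: a descriptor with no or only one <security-constraint>, an application-wide /* pattern, and constraints that do not bind resources to a specific role. The finding codes, the thresholds, and both sample web.xml documents (a weak one and a hardened one, embedded as constructed strings) are assumptions made for illustration.

```python
"""Audit web.xml <security-constraint> elements for weak access control.

Added example with constructed sample descriptors; the heuristics below are
illustrative and are not from the original page.
"""
import xml.etree.ElementTree as ET

# Constructed weak descriptor: a single constraint covering the whole
# application, granting access to any declared role ("*").
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""

# Constructed hardened descriptor: one constraint per protected area, each
# scoped to its own URL space and bound to a specific role.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>customer</role-name></security-role>
</web-app>
"""


def audit_security_constraints(web_xml):
    """Return a list of (code, detail) findings; an empty list means the
    descriptor passes these heuristics."""
    root = ET.fromstring(web_xml)
    # Servlet descriptors carry a default namespace; the "{*}" wildcard in
    # ElementPath (Python 3.8+) matches an element regardless of namespace.
    constraints = root.findall("{*}security-constraint")
    findings = []

    if len(constraints) == 0:
        findings.append(("NO_CONSTRAINT", "no <security-constraint> declared"))
    elif len(constraints) == 1:
        findings.append(("SINGLE_CONSTRAINT",
                         "only one <security-constraint>: all protected "
                         "resources share one policy, so no role-based "
                         "separation is possible"))

    for sc in constraints:
        name_el = sc.find("{*}web-resource-collection/{*}web-resource-name")
        name = (name_el.text or "").strip() if name_el is not None else "<unnamed>"

        # An application-wide pattern applies one policy to every URL.
        for pat in sc.findall("{*}web-resource-collection/{*}url-pattern"):
            pattern = (pat.text or "").strip()
            if pattern == "/*":
                findings.append(("BROAD_PATTERN",
                                 f"{name}: url-pattern /* covers the whole application"))

        auth = sc.find("{*}auth-constraint")
        if auth is None:
            # No <auth-constraint> means the collection needs no authentication;
            # acceptable only for intentionally public resources.
            findings.append(("NO_AUTH_CONSTRAINT",
                             f"{name}: no <auth-constraint>, reachable without authentication"))
            continue
        roles = [(r.text or "").strip() for r in auth.findall("{*}role-name")]
        # An empty <auth-constraint/> denies all access, so nothing to flag.
        for role in roles:
            # In the Servlet spec "*" means any declared role and "**" any
            # authenticated user; neither ties the resource to a specific role.
            if role in ("*", "**"):
                findings.append(("WILDCARD_ROLE",
                                 f"{name}: role-name {role} is not a specific role"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_security_constraints(doc))
```

Running the script prints three findings for the weak descriptor (single constraint, /* pattern, wildcard role) and none for the hardened one. The check is a triage aid, not a verdict: a small application with one genuinely uniform policy can legitimately have a single constraint, so a SINGLE_CONSTRAINT finding should be confirmed by reviewing whether the application actually exposes operations that different user populations should not share.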

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A10 Failure to Restrict URL Access

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access

[4] Standards Mapping - FIPS200 - (FISMA) AC

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3470.1 CAT II, APP3470.4 CAT II

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 285

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication

[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 285

[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2, Requirement 7.2

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.5, Requirement 6.5.10, Requirement 7.2

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 7.2