Include a summation of why the code reveals vulnerabilities to broken access control
    <?php
    try {
        switch ($_SESSION["security-level"]) {
            case "0": // This code is insecure: every protection is switched off
                $lEnableHTMLControls = false;
                $lUseTokenizatization = false;
                $lEncodeOutput = false;
                $lProtectAgainstMethodTampering = false;
                break;
        }
    } catch (Exception $e) {
        // catch block not shown in the question
        throw $e;
    }
The above code reveals vulnerabilities to broken access control because the values shown below are all set to False, whereas they should be set to True.
    $lEnableHTMLControls = true;
If this is enabled, then data would be formatted into HTML and isolated from invalid, unnecessary or malicious inputs being passed to the system. This would allow better output formatting, and direct access can be prevented.
    $lUseTokenizatization = true;
This method also needs to be set to True to manage access control better. Fewer vulnerabilities would be available, as the input will be passed in the form of tokens, which could avoid direct access to all objects and references. A set of tokens would be passed as input to the application in encoded format, and the same will be accepted by the end system if and only if it is in the correct and expected format as assured. Otherwise it will be rejected as an invalid token. This would assure the passage of input in a secure way from the source to the destination and from the destination to the source system.
    $lEncodeOutput = true;
This should be set to True, as the data returned should be formatted or output in HTML format. HTML output will use HTML encoding, because this helps in masking or hiding data, and misuse by someone not intended can be avoided.
    $lProtectAgainstMethodTampering = true;
This needs to be set to True, as protection has to be enabled for avoiding or preventing unwanted execution of executable files or any other bat files in an unexpected way, through inputs, etc. To avoid identification of the resources by the attacker, those need to be masked and their original identity must not be revealed to the unauthorized user or attacker.
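The four flags from the question, as an added example that is not code from the page or from the application the snippet was taken from: the switch is extended with a hardened branch, and a small request handler consults each flag so the difference between level "0" and any other level is observable when the script is run from the CLI. The handler logic, the `default` branch, the `$session` and `$request` arrays standing in for `$_SESSION`, `$_POST` and `$_SERVER`, and the sample inputs are all assumptions made for this demonstration.

```php
<?php
// Added example, not from the original page or project. Flag names follow the
// question's code; the handler, default branch and sample inputs are assumptions.

function getSecurityFlags(string $level): array {
    $flags = [];
    switch ($level) {
        case "0": // insecure: every protection switched off
            $flags['enableHTMLControls']            = false;
            $flags['useTokenization']               = false;
            $flags['encodeOutput']                  = false;
            $flags['protectAgainstMethodTampering'] = false;
            break;
        default:  // assumed: any other level switches every protection on
            $flags['enableHTMLControls']            = true;
            $flags['useTokenization']               = true;
            $flags['encodeOutput']                  = true;
            $flags['protectAgainstMethodTampering'] = true;
            break;
    }
    return $flags;
}

// Minimal request handler that honours the flags. $session and $request stand
// in for $_SESSION / $_POST / $_SERVER so the script runs without a web server.
function handleRequest(array $flags, array $session, array $request): string {
    // Method tampering: the form is meant to be POSTed; with the flag on,
    // a GET carrying the same parameters is refused.
    if ($flags['protectAgainstMethodTampering'] && $request['method'] !== 'POST') {
        return "REJECTED: method {$request['method']} not allowed";
    }

    // Tokenization (anti-CSRF): the submitted token must equal the one stored
    // in the session; hash_equals avoids a timing side channel on the compare.
    if ($flags['useTokenization']) {
        $expected = $session['csrf_token'] ?? '';
        $given    = $request['csrf_token'] ?? '';
        if ($expected === '' || !hash_equals($expected, $given)) {
            return "REJECTED: missing or invalid token";
        }
    }

    $comment = $request['comment'] ?? '';

    // HTML controls: with the flag on, reject input that is over-long or
    // contains angle brackets instead of passing it through to the page.
    if ($flags['enableHTMLControls']
        && (strlen($comment) > 200 || preg_match('/[<>]/', $comment))) {
        return "REJECTED: comment fails input validation";
    }

    // Output encoding: with the flag on, the reflected value cannot break
    // out of the surrounding HTML element.
    $rendered = $flags['encodeOutput']
        ? htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $comment;

    return "<p>" . $rendered . "</p>";
}

// Constructed sample traffic: a forged GET carrying a script payload and no
// token, and a legitimate POST carrying the session's token.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$attack  = ['method' => 'GET',  'comment' => '<script>alert(1)</script>'];
$legit   = ['method' => 'POST', 'comment' => 'hello & welcome',
            'csrf_token' => $session['csrf_token']];

echo "level 0, attack: ", handleRequest(getSecurityFlags("0"), $session, $attack), PHP_EOL;
echo "level 5, attack: ", handleRequest(getSecurityFlags("5"), $session, $attack), PHP_EOL;
echo "level 5, legit:  ", handleRequest(getSecurityFlags("5"), $session, $legit),  PHP_EOL;
```

Run with `php example.php`. At level "0" the forged GET is accepted and the script payload is reflected into the page verbatim; at level "5" the same request is refused on the method check before any other protection is reached, while the legitimate POST passes the token and input checks and its ampersand comes back HTML-encoded.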