From 04b2ce96d51e7d56965648a6c3474ac044966ead Mon Sep 17 00:00:00 2001 From: sydseter Date: Wed, 2 Jul 2025 17:03:58 +0200 Subject: [PATCH 1/2] Fixes #123 Adding SCP [85, 86, 89, 90, 91, 93, 100] Cornucopia - Access Control --- .../02-web-app-checklist/07-access-controls.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/en/04-design/02-web-app-checklist/07-access-controls.md b/docs/en/04-design/02-web-app-checklist/07-access-controls.md index 63b9107c..6348f6fc 100644 --- a/docs/en/04-design/02-web-app-checklist/07-access-controls.md +++ b/docs/en/04-design/02-web-app-checklist/07-access-controls.md @@ -12,6 +12,11 @@ and use the list below as suggestions for a checklist that has been tailored for 3. Deny by default; if a request is not specifically allowed then it is denied 4. Apply least privilege, providing the least access as is necessary 5. Log all authorization events +6. Create unit and integration test to document and verify an application's business rules, data types and access + authorization criteria and/or processes so that access can be properly provisioned and controlled for restricting + function-level, data-specific, and field-level access based on consumer permissions and resource attributes +7. Access Control criteria and/or processes not testable through automated tests should be documented so that they + can be manually tested #### 2. Access control 
@@ -26,6 +31,17 @@ and use the list below as suggestions for a checklist that has been tailored for 8. If long authenticated sessions are allowed, periodically re-validate a user's authorization 9. Implement account auditing and enforce the disabling of unused accounts 10. The application must support termination of sessions when authorization ceases +11. Restrict function-level access to consumers with explicit permissions +12. Restrict direct object references to only authorized users with explicit permissions to specific data items + to mitigate insecure direct object reference (IDOR) and broken object level authorization (BOLA) +13. Restrict access to user and data attributes to consumers with explicit permissions to specific fields to mitigate broken + object property level authorization (BOPLA) +14. Restrict access security-relevant configuration information to only authorized users who have been allowed access through + multiple layers of security, including continuous consumer identity verification, device security posture assessment, and + contextual risk analysis +15. Server side implementation and presentation layer representations of access control rules should not differ in such a way + that they allow for business functionality and rules to be compromised +16. Enforce application logic flows to comply with business rules #### References From 3f19cfb2c7a74f1651e0d7d596f2a503cb8e0042 Mon Sep 17 00:00:00 2001 From: sydseter Date: Wed, 2 Jul 2025 17:09:51 +0200 Subject: [PATCH 2/2] Fixes #123 Adding words to wordlist --- .wordlist-en.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 2a388aa6..6db16963 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -530,3 +530,5 @@ Amauri Bizerra Ebihara Yuuki +BOPLA +BOLA
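Review bot: in the first hunk of 07-access-controls.md (new items 6 and 7), "Create unit and integration test" should read "tests", and "Access Control criteria" should be lower-case "access control" to match the heading "#### 2. Access control" and the rest of the list. Item 6 also packs three separate things into one sentence (business rules, data types, authorization criteria); splitting it, or at least trimming "and/or processes", would make it easier to tick off. Since item 3 already states "Deny by default", consider saying explicitly that these tests must include negative cases, i.e. verify that a request without the required permission is rejected, not only that permitted requests succeed.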
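Review bot: in the second hunk of 07-access-controls.md, item 14 is missing a preposition: "Restrict access security-relevant configuration information" should be "Restrict access to security-relevant configuration information". Item 15 ("Server side implementation and presentation layer representations of access control rules should not differ in such a way that they allow for business functionality and rules to be compromised") is hard to parse; suggest "Server-side access control rules must match the rules reflected in the presentation layer; the UI must never be the only place a rule is enforced", which states the actual requirement (enforcement on the server) rather than just the absence of a difference. The abbreviations in items 12 and 13 are expanded on first use (IDOR, BOLA, BOPLA), which is good; keep that, since the wordlist patch only covers two of them.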
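Review bot: in the .wordlist-en.txt hunk, the two new entries are appended after "Yuuki", which breaks the alphabetical order the surrounding lines follow (Amauri, Bizerra, Ebihara, Yuuki), and "BOPLA" is placed before "BOLA"; insert both at their sorted positions instead. Item 12 of the first patch also introduces "IDOR"; if that term is not already in the wordlist, the spell check will flag it as well, so confirm it is present or add it in the same change.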