_notes/ACLs don't.md at archivetrim · bmann.ca/bmannconsulting.com

The bmannconsulting.com website

bmannconsulting.com / _notes / ACLs don't.md

at archivetrim 1.0 kB view raw view rendered

 1---
 2tags:
 3  - paper
 4  - ACL
 5link: http://waterken.sourceforge.net/aclsdont
 6excerpt: The ACL model is unable to make correct access decisions for interactions involving more than two principals, since required information is not retained across message sends. Though this deficiency has long been documented in the published literature, it is not widely understood. This logic error in the ACL model is exploited by both the clickjacking and Cross- Site Request Forgery attacks that affect many Web applications.
 7---
 8Tyler Close, Hewlett-Packard Labs
 9
10## Abstract
11
12The ACL model is unable to make correct access decisions for interactions involving more than two principals, since required information is not retained across message sends. Though this deficiency has long been documented in the published literature, it is not widely understood. This logic error in the ACL model is exploited by both the clickjacking and Cross- Site Request Forgery attacks that affect many Web applications.
13
14![PDF - ACLs don't](/assets/2024/acls-dont.pdf)