LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the testing and operational best practices for access control?

Five operational areas: exhaustive role × endpoint testing, logging access decisions, rate limiting, disabling directory listing, and cleaning leftover files from the web root.

Area Actions Why
Extensive testing Test all role × endpoint combinations. Use SAST/DAST tools. Pen-test. Authorization bugs are logic bugs — hard to find without systematic testing
Logging & reporting Log all access decisions. Alert on denied-access spikes. Audit trail. Detect attacks in progress, prove compliance
Rate limiting Limit requests per user/IP. Progressive delays. Prevent brute-force IDOR enumeration
No directory listing Disable auto-indexing on web servers Prevents discovery of hidden endpoints/files
Clean web root Remove .bak, .old, config files, source code Attackers scan for leftover files (e.g., config.php.bak)

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026