Collaborate Disseminate
Access control has become a main concern when it comes to developing secure web applications, and the NSA has a lot to say about it. Especially when it comes to the biggest access management pitfall developers make. In 2021 OWASP listed ‘Broken Access … Continue reading 5 steps to building NSA-level access control for your app
I’m developing a HTTP web server. I’ve used HTTPS as the protocol between client and server but I know that HTTPS can’t prevent parameter tampering.
As we know, we can set parameters in URL, in HTTP header or in HTTP body. So clients could… Continue reading What is a proper way to prevent parameter tampering and to make parameter secure
As per the title. What risks and controls should I consider? Are there any questions i need to ask the external party AD before setting up the ‘Trust’ between the 2 ADs?
Logged failed logins into a company’s Okta domain could be used by threat actors to discover access credentials of valid accounts, Mitiga researchers have found. Those credentials can then be used log in to any of the organization’s platforms tha… Continue reading A common user mistake can lead to compromised Okta login credentials
Suppose I have an Admin account and a normal user account. There is some functionality that is only accessible to the admin only, like promoting other users. In this scenario, I captured a request from the admin when the admin is promoting… Continue reading Is this considered Privilege Escalation?
There were some that doubted the day would ever come, but we’re happy to report that the ambitious self-destructing USB drive that security researcher [Walker] has been working on for …read more Continue reading Self-Destructing USB Drive Releases the Magic Smoke
I am not an infosec professional, but I’m working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
Users are assigned to roles such as viewer, editor… Continue reading Is it a good idea to combine DAC with RBAC in this way?
i am setting up an s3 to allow a partner (also on AWS) access to our bucket. Is the connection routed over the internet or privately?
As per the below resource: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
we should validate the redirect url at 3 points:
at time of app registration
when the auth flow begins
when granting an access token
A… Continue reading Oauth: redirect uri validation [duplicate]
I study in a boarding school and the only internet connection we can get is from them because phone’s signals are too weak to connect internet.
The school forced us to download a certificate of the school to connnect to internet. It restri… Continue reading I had to download a certificate to get access to connect to school’s wifi and It restricts the internet. What can i do? [closed]