Any obvious pitfalls of modeling access control policies using subject, scope, object?

Context
A small web application with REST API and postgres as db, that has users, documents and teams. A user can do basic CRUD operations on documents.
A user is always a part of a team. A team is generated on user signup. A team has at le…

AWS AppSync awsconfiguration.json file found in prod apk, is it a security issue and how to verify api key

While fuzzing a public APK file for a bug bounty I came across a file awsconfiguration.json with some pretty promising data. However, after reading here https://docs.aws.amazon.com/pdfs/appsync/latest/APIReference/appsync-api.pdf#Welcome a…

What does it mean that MFA is supported only at the infrastructure layer? [closed]

I am trying to understand how/if I can force MFA to a webapp hosted in the public cloud, but the only information I have is that it only supports MFA at the infrastructure level. Does that mean that only specific groups in AAD can be enable…

What are the security risks of only using an id in the url to protect the content?

I’m building a note-taking app; when a user writes a note an id is generated and I redirect them to a page where they can see its content with a URL like /note/DXSt832pS5iLuos6uxBn. What are the security risks of not double-checking that t…

Why PAKE or Zero-knowledge password proof didn’t replace sending a password via HTTPS

Technologies like Zero-knowledge password proof and PAKE seem to be pretty mature, but almost all modern web-sites still send passwords over HTTPS to check authentication. At first glance, these protocols look like a magic pill, but still n…