Authorization / Broken Access Control
Authorization vulnerabilities occur when applications fail to properly enforce access controls, allowing users to perform actions or access resources beyond their intended permissions. Broken Access Control consistently ranks as the #1 risk in the OWASP Top 10, encompassing issues like privilege escalation (both vertical and horizontal), missing function-level access controls, and insecure direct object references at the authorization layer. Unlike authentication (verifying who you are), authorization determines what you are allowed to do — and flaws here can expose entire administrative interfaces, allow users to modify other accounts, or grant elevated privileges through parameter tampering, forced browsing, or JWT manipulation. Modern applications with complex role hierarchies, microservice architectures, and API-first designs face particular challenges in maintaining consistent authorization checks across every endpoint and resource.
| Date Added | Link | Tags | Excerpt |
|---|---|---|---|
| 2026-05-11 | Devastating 'Dirty Frag' exploit leaks out: gives immediate root access on most Linux machines since 2017, no patches available, no warning given; Copy Fail-like vulnerability had its embargo broken | news | Tool that provides immediate root access on most Linux machines since 2017 due to the Dirty Frag vulnerability. This local privilege escalation exploit leverages a zero-copy operation in IPSec-related modules, specifically affecting "xfrm-ESP Page Cache Write" and "RxRPC Page-Cache Write." Distributions like Ubuntu, Arch, RHEL, and Fedora are impacted. Mitigation involves disabling the esp4, esp6, and rxrpc kernel modules. The exploit code is available via a GitHub repository for testing. |
| 2026-05-06 | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access | news, API Sec | A critical zero-authentication flaw in a contractor's system has exposed the Department of Defense (DoD) to cross-tenant data access risks. This vulnerability allowed unauthorized access to sensitive information without any credentials. The specific details and the contractor involved were not disclosed. This breach highlights significant security concerns for government contractors and the sensitive data they handle. → cybersecuritynews.com |
| 2026-05-04 | Critical MOVEit Automation auth bypass vulnerability fixed (CVE-2026-4670) | news | Writeup of CVE-2026-4670, a critical authentication bypass in Progress Software's MOVEit Automation, enabling unauthorized administrative control and data exposure. This vulnerability, along with a privilege escalation flaw (CVE-2026-5174), affects specific older versions and can be exploited via low-complexity attacks by unauthenticated or authenticated attackers, respectively. Upgrading to patched versions 2025.1.5, 2025.0.9, or 2024.1.8 is strongly advised to remediate these issues. → helpnetsecurity.com |
| 2026-05-02 | CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments | news | Analysis of CVE-2026-31431, nicknamed "Copy Fail," a high-severity Linux kernel vulnerability affecting Red Hat, Ubuntu, SUSE, and AWS Linux. This logic flaw in the AF_ALG module allows local unprivileged users to gain root privileges by corrupting the kernel page cache, impacting cloud workloads and Kubernetes clusters. The exploit, a small script leveraging the splice() system call and AF_ALG, enables container breakout and lateral movement, posing a significant risk to multi-tenant environments. Microsoft Defender provides detection insights, mitigation recommendations, and hunting guidance. → microsoft.com |
| 2026-04-30 | Escape AI Pentesting Agents 2.0 | news | Library for agentic pentesting, offering a multi-agent architecture with a coordinator agent orchestrating specialized agents for tasks like reconnaissance, XSS detection (including reflected, stored, DOM-based, CSP bypasses, and framework-specific attacks), and application crawling. This system chains multiple techniques, adapts strategies in real time, and produces evidence-rich findings with executable proof and reasoning traces, designed to improve upon traditional DAST scanner limitations and provide programmable security gates for CI/CD pipelines. → securityboulevard.com |
| 2026-04-22 | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC | beginner | Guide on access control models, including ACL, RBAC, ABAC, and ReBAC, for defining architectural security requirements. It covers practical guidance, trade-offs like UX friction and latency, and discusses Google's Zanzibar system as a canonical source for ReBAC. The guide offers phased roadmaps for implementation, focusing on inventory, RBAC baselines, context rules, and continuous verification, while highlighting common antipatterns and metrics for operational control. |
| 2026-04-22 | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? | news | Library for understanding policy languages like OPA (Rego), Cedar, and OpenFGA, which are trending for Identity and Access Management (IAM) due to increasing authorization complexity. These declarative languages offer readable, performant, and auditable ways to manage fine-grained access controls across microservices, databases, and evolving user requirements, including AI agents. The article discusses authorization challenges, layered architectural principles for decision-making, and the benefits of policy-as-code. |
| 2026-04-22 | OPA vs OpenFGA: A Technical Comparison of Policy Engines | intermediate | Reference comparing Open Policy Agent (OPA) and OpenFGA, two distinct policy engines. OPA, a CNCF project, uses Rego for centralized, rule-based access control, excelling in complex attribute-based decisions and infrastructure authorization like Kubernetes admission control. OpenFGA, based on Google's Zanzibar model, employs a tuple-based relationship approach for fine-grained, object-level permissions and hierarchical access, suitable for collaborative features and social network-style sharing. The comparison details their core concepts, architectural differences, and use case scenarios. |
| 2026-04-22 | Implementing Google Zanzibar: A Demonstration of Its Basics | intermediate | Library demonstrating Google Zanzibar fundamentals, focusing on its Relationship-Based Access Control (ReBAC) model. The entry explores Zanzibar's data model, relationship tuples with examples like `file123#owner@alice`, and provides a PostgreSQL implementation for storing these tuples, illustrating concepts such as ownership and membership. |
| 2026-04-22 | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage | intermediate | Library introducing Relation-Based Access Control (ReBAC) via OpenFGA, an open-source implementation of Google's Zanzibar concepts. It details ReBAC principles, contextual conditions, and attribute-based access, offering practical examples for protecting APIs and managing complex authorization logic. The library covers ReBAC concepts, OpenFGA's features like time-based and status-driven permissions, and contrasts its approach with traditional methods such as RBAC and ABAC, highlighting benefits in maintainability and scalability. |
| 2026-04-22 | How Google Drive Models Authorization: A Look into Zanzibar | intermediate | Library implementing Google's Zanzibar authorization system, which utilizes relationship-based access control (ReBAC) to manage permissions for services like Google Drive. Zanzibar centers on user-resource relationships rather than roles, enabling complex, nested access models with high availability and low latency through its globally distributed database and consistency protocol, which employs timestamps and "zookies" to ensure accurate permission checks in distributed environments. |
| 2026-04-22 | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 | intermediate | Reference outlining common bug bounty vulnerabilities, detailing techniques and tools such as local LLM integration with Ollama for response analysis, Burp Suite extensions like Authz and Turbo Intruder for IDOR testing, Interactsh for SSRF callbacks, sqlmap for SQL injection, InQL for GraphQL fuzzing, and Burp's DOM Invader for XSS, alongside methods for exploiting business logic flaws. |
| 2026-04-22 | CVE-2026-32877 - Red Hat Security Advisory | news | |
| 2026-04-22 | CVE 2026: When Identity Breaks and Legacy Code Bites Back | news | Analysis of CVE-2026-24858, a critical Fortinet SSO logic flaw, and CVE-2026-24061, an argument injection in GNU InetUtils' telnetd, highlighting early 2026's vulnerability landscape dominated by legacy code exploits and advanced Agentic AI threats. The analysis details the mechanics and exploit logic for both, emphasizing the reduced exploitation windows and the need for continuous, AI-driven validation to combat automated exploitation. → penligent.ai |
| 2026-04-22 | What is Google Zanzibar? | beginner | Library detailing Google Zanzibar, a consistent, global authorization system that implements relationship-based access control (ReBAC). It explains namespaces, relation tuples with the format `<object>#<relation>@<user>`, schema configuration, and the 'zookie' for user-specified consistency. The system leverages Google's Spanner database and employs layered caches and request hedging for scalability and performance, offering core API methods for read, write, watch, check, and expand operations. |
| 2026-04-19 | Broken Access Control: The Quiet Killer in Web Applications | beginner | → infosecwriteups.com |
| 2026-04-19 | Broken Access Control: The Silent Web Vulnerability | beginner | |
| 2026-04-19 | Broken Access Control: The 40% Surge in 2025 | news | Library for identifying and preventing broken access control vulnerabilities, a pervasive and critical application security risk that surged in 2025. This library addresses common weaknesses like vertical and horizontal privilege escalation, Insecure Direct Object References (IDOR), forced browsing, and missing function-level access control, which attackers exploit to gain unauthorized data access. It is designed to mitigate the impact of these flaws, which are exacerbated by rapid development cycles, complex architectures, and the introduction of vulnerabilities from AI-generated code. |
| 2026-04-19 | OWASP Top 10 2025 — A01 Broken Access Control | beginner | Reference detailing OWASP Top 10 2025 A01: Broken Access Control, the most prevalent vulnerability. It highlights common weaknesses like insecure direct object references, privilege escalation, JWT manipulation, CORS misconfigurations, and forced browsing. Prevention strategies emphasize server-side enforcement, deny-by-default principles, robust access control mechanisms, and proper session management with short-lived JWTs or refresh tokens. The document also mentions related CWEs such as CWE-200, CWE-201, CWE-918 (SSRF), and CWE-352 (CSRF), and provides example attack scenarios. → owasp.org |
| 2026-04-16 | Enhancing OAuth 2.0 Security with PKCE: Deep Dive | advanced | Walkthrough of OAuth 2.0 integration with PKCE, detailing how Omnissa Intelligence uses the Proof Key for Code Exchange extension to prevent authorization code interception attacks when connecting with External Partner services. The process involves `code_verifier`, `code_challenge`, and `code_challenge_method=S256` to securely exchange authorization codes for access tokens, safeguarding against session hijacking and man-in-the-middle attacks. |
| 2026-04-16 | Attacks via OAuth Authorization Code Injection | intermediate, AuthN | |
| 2026-04-16 | Security Benchmarking Authorization Policy Engines: Rego, Cedar, OpenFGA | advanced | Framework for dynamically evaluating authorization policy engines, including Rego, Cedar, OpenFGA, and Teleport ACD. This system automates security benchmarking and robustness testing by executing predefined test cases in isolated Docker containers for each engine, comparing actual results against expected outcomes to identify potential threats and vulnerabilities. |
| 2026-04-16 | Privilege Escalation by JWT Token Manipulation | intermediate | |
| 2026-04-16 | JWTs Under the Microscope: Exploiting Auth Weaknesses - Traceable | intermediate | Library for identifying and exploiting JWT authentication weaknesses. It details vulnerabilities like Improper JWT Signature Validation, JWT Algorithm Confusion, JWT Weak Secret, and attacks leveraging KID fields (SQL Injection, SSRF, Path Traversal), JKU/X5U misuse, X5T collisions, and payload manipulation leading to Broken Object Level Authorization (BOLA) and Broken Functional Level Authorization (BFLA), as well as JWT Expired Token issues. |
| 2026-04-16 | Privilege Escalation via IDOR and ACL Bypass in SaaS | intermediate | |
| 2026-04-16 | Organization Takeover via Privilege Escalation (IDOR) | intermediate | |
| 2026-04-16 | Horizontal Privilege Escalation via IDOR | intermediate | |
| 2026-04-16 | Fine-Grained Authorization: Technical Guide for Microservices | intermediate | Guide to fine-grained authorization for microservices, moving beyond traditional RBAC to Relationship-Based Access Control (ReBAC). It details the limitations of RBAC in dynamic environments and advocates for centralized policy engines like Open Policy Agent (OPA) and Zanzibar-inspired systems (e.g., OpenFGA). The guide provides a practical roadmap for implementation, focusing on auditing relationships, centralizing the source of truth, and iteratively decoupling authorization logic from individual services. |
| 2026-04-16 | RBAC vs ABAC vs ReBAC: How to Choose Access Control Models | beginner | Library comparing Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC). It details how RBAC, while simple, suffers from "Role Explosion" due to complexity in systems like AWS IAM and Kubernetes. ABAC is presented as a solution, using attributes and dynamic evaluation instead of static roles, exemplified by OPA and AWS IAM's Condition blocks. ReBAC principles are also touched upon, particularly in the context of Azure's resource hierarchy inheritance. |
| 2026-04-15 | Privilege Elevation Dominates Massive Microsoft Patch Update | news | Library of patches addressing Microsoft's April 2026 update, which included 165 CVEs, with a significant portion being elevation-of-privilege bugs. Key vulnerabilities detailed include CVE-2026-32201 (a SharePoint Server spoofing zero-day actively exploited), CVE-2026-33825 (a Defender privilege escalation zero-day), CVE-2026-33824 (a critical RCE in Windows IKE Service Extensions), and CVE-2026-33827 (a rare unauthenticated RCE in Windows secure tunneling). The update also featured numerous fixes for Microsoft Edge and Chromium. → darkreading.com |
| 2026-04-14 | Critical etcd Auth Bypass Flaw Lets Attackers Access Sensitive Cluster APIs Without Authorization | news | https://ift.tt/3a7iPej → cyberpress.org |
| 2026-04-11 | RBAC vs ABAC vs PBAC - Styra | beginner | Library comparing Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). It details RBAC's traditional role-centric limitations, ABAC's attribute-driven flexibility, and PBAC's policy-as-code approach. The resource highlights how Styra DAS leverages PBAC and OPA for unified authorization, bridging policy formulation and implementation challenges. |
| 2026-04-11 | Policy as Code: Fine-Grained Authorization | intermediate | Library detailing Policy as Code for fine-grained authorization, featuring discussions on Rego for Open Policy Agent (OPA), AWS Cedar, and OpenFGA. The resource highlights the practice of defining policies with code for dynamic and adaptable management, distinguishing between validation and authorization, and emphasizing how policy languages abstract API complexities for easier rule definition and enforcement. Experts Jimmy Ray and Omer Zuarets share insights on applying policy as code in cloud-native security and simplifying policy implementation through tooling. |
| 2026-04-11 | Policy Engine Showdown: OPA vs OpenFGA vs Cedar | intermediate | Reference to a panel discussion comparing application policy engines OPA, OpenFGA, and Cedar. The session, "Policy Engines Showdown," featured engineers discussing the strengths, trade-offs, and practical considerations of each engine, including OpenFGA's ReBAC model, Cedar's policy-driven approach, and OPA's multipurpose flexibility. The goal was to help developers select the best decision engine for their specific use cases, highlighting that suitability depends on implementation needs rather than a single "winner." The discussion also touched upon tools like OPAL for policy synchronization. |
| 2026-04-11 | ReBAC Authorization Academy - Oso | beginner | Library exploring Relationship-Based Access Control (ReBAC) for application security, using the GitClub example to illustrate how permissions can be organized based on relationships between resources like users, repositories, and issues. It contrasts ReBAC with Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), highlighting how ReBAC can elegantly handle data ownership scenarios where users need specific permissions on resources they created or are directly associated with. The library guides developers to leverage existing data structures to define these relationships, providing a natural and intuitive authorization model that complements traditional RBAC. |
| 2026-04-11 | RBAC vs ABAC vs PBAC - Oso | beginner | Library for implementing consistent, maintainable authorization across distributed systems. It details Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC), showcasing how Oso's Polar language enables declarative definition and enforcement of RBAC and ABAC through PBAC. This approach centralizes authorization logic into a single policy engine, ensuring uniform decisions based on user roles, attributes, and contextual data, enhancing auditability and simplifying the evolution of access control policies across microservices. |
| 2026-04-11 | RBAC vs ABAC vs ReBAC - Oso | beginner | Reference detailing RBAC, ABAC, and ReBAC access control paradigms, comparing their strengths and limitations for applications. It highlights RBAC's role-based assignments, ABAC's attribute-driven policies, and ReBAC's relationship-based permissions. The document explains how these models can be combined for fine-grained authorization and suggests Oso as a tool to simplify implementation. |
| 2026-04-11 | Fine Grained Authorization using SpiceDB for RAG | intermediate | Library implementing fine-grained authorization for RAG using SpiceDB. This resource details how to integrate SpiceDB with Pinecone, Langchain, and OpenAI to enforce relationship-based access control (ReBAC) on document retrieval for AI applications. It covers schema definition, relationship writes, and querying authorized resources to pre-filter vector database searches, enhancing both security and efficiency in enterprise AI. |
| 2026-04-11 | Relationship-Based Permissions in SpiceDB | intermediate | Library for managing application permissions using Relationship-Based Access Control (ReBAC). SpiceDB, inspired by Google's Zanzibar, stores relationships between subjects and resources to efficiently answer permission queries. It supports robust write patterns, including two-phase commits with relational databases and streaming commits via systems like Kafka, ensuring data consistency. Alternatively, relationships can be stored solely within SpiceDB, simplifying application logic and enabling schema-driven permission computation. Asynchronous updates are also an option for applications tolerating less strict consistency. |
| 2026-04-11 | Introduction to Google Zanzibar | beginner | Reference on Google Zanzibar, an authorization system developed to manage permissions across Google's vast product suite, detailing its relationship-based access control (ReBAC) model. It explains how Zanzibar overcomes the limitations of application-specific authorization, addresses the "new enemy problem" through external consistency guarantees, and scales to handle billions of users and trillions of objects with low latency. The resource also highlights how open-source tools like SpiceDB can be used to implement similar systems, drawing parallels to Google's internal infrastructure and the significance of the 2019 Zanzibar research paper. |
| 2026-04-11 | OpenFGA: Open-Source Engine for Access Control | beginner | Library for relationship-based access control: OpenFGA is an open-source, high-performance engine inspired by Google's Zanzibar system. It allows developers to define and enforce fine-grained permissions with support for multiple storage backends, including PostgreSQL and MySQL, and offers APIs and SDKs in Java, Node.js, Go, Python, and .NET. OpenFGA integrates relationship-based, role-based, and attribute-based access control models, and includes a CLI, playground, and Terraform provider for easier management and testing. Notable adopters include Auth0 and Grafana Labs. → helpnetsecurity.com |
| 2026-04-11 | Announcing OpenFGA | news | Library for fine-grained authorization: OpenFGA is an open-source engine inspired by Google's Zanzibar. It allows developers to model complex access control rules, integrate them consistently across applications, and manage permissions efficiently at scale. OpenFGA features an expressive modeling language, HTTP APIs for checking and writing permissions, and supports various integrations with identity providers and proxies, addressing security, compliance, and privacy needs for modern collaborative and social applications, effectively tackling OWASP's top risk: broken access control. |
| 2026-04-11 | Authorization Concepts - OpenFGA | beginner | Reference detailing OpenFGA's approach to authorization, explaining Fine-Grained Authorization (FGA) and contrasting Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), and Relationship-Based Access Control (ReBAC). It highlights ReBAC as a superset of RBAC and a solution for ABAC scenarios, noting OpenFGA extends ReBAC with Conditions and Contextual Tuples, drawing parallels to Google's Zanzibar system. |
| 2026-04-11 | Cedar Policy Language Complete Guide | intermediate | Library for fine-grained authorization: Cedar is an open-source policy language built in Rust that decouples access control from application logic. It supports RBAC, ABAC, ReBAC, and *BAC models, and is designed for simplicity, expressiveness, and performance, allowing for modular and reusable authorization policies. Cedar's evaluation logic prioritizes `forbid` statements, ensuring requests are denied if any matching `forbid` policy exists. |
| 2026-04-11 | Amazon Verified Permissions - Cedar | intermediate | Library for externalizing authorization and centralizing policy management: Amazon Verified Permissions leverages the Cedar policy language to enable developers to build secure applications and align with Zero Trust principles. It accelerates development by decoupling authorization from business logic, streamlining security with intuitive, policy-based access controls that support common frameworks. This service helps protect resources, manage user access according to the principle of least privilege, and facilitates granular authorization decisions. Users include TELUS for smart home device permissions, Grosvenor Engineering Group for building asset access, and STEDI for protecting healthcare transaction endpoints. → aws.amazon.com |
| 2026-04-11 | Cedar Policy Language Reference | intermediate | Reference for Version 4.5 of the Cedar policy language, used for writing authorization policies and making decisions. Cedar decouples business logic from authorization, allowing applications to query an engine for "allow" or "deny" decisions based on policies, entities, context, and a schema. This separation simplifies updates and testing, as security teams can modify policies without touching application code. Cedar supports attributes, logical operators, and dynamic evaluation for fine-grained control, role-based access control (RBAC), and attribute-based access control (ABAC), with features like fast, scalable, and bounded-latency evaluation. |
| 2026-04-11 | Basic ABAC with OPA and Rego - AWS | intermediate | Library demonstrating basic Attribute-Based Access Control (ABAC) with OPA and Rego. It provides example Rego code snippets for a fictional Payroll microservice, illustrating how to enforce policies such as "Employees can read their own salary" and "Employees can read the salary of anyone who reports to them," utilizing external data for manager-report relationships. |
| 2026-04-11 | OPA Rego Language Tutorial | beginner | Tutorial on Rego, the declarative policy language for Open Policy Agent (OPA), detailing its fundamental constructs and mechanisms. Learn how Rego's logic-based syntax enables codifying rules for authorization, configuration validation, and data filtering, particularly within Kubernetes and Envoy. The tutorial covers writing Rego policies, including decisions, variable assignments, and using the "some" keyword for iterating over data structures, along with best practices for effective policy authoring. |
| 2026-04-11 | What is Open Policy Agent (OPA)? | beginner | Library for managing cloud-native policies: Open Policy Agent (OPA) offers a unified, context-aware approach by decoupling policy enforcement from application code. It uses the Rego policy language for expressive, declarative rules, enabling security and compliance through policy-as-code, consistency across Kubernetes, microservices, and CI/CD pipelines, and efficient updates via a centralized policy library. → wiz.io |
| 2026-04-11 | OPA: Best Practices for Secure Deployment - CNCF | intermediate | Library for secure Open Policy Agent (OPA) deployment, focusing on preventing vulnerabilities like remote calls and Windows UNC path exploits by emphasizing separation of policy code from application code, decoupling schema and data through external sources, and structured data management. It highlights best practices derived from large-scale OPA usage, including techniques for restricting sensitive built-ins and leveraging tools like OPAL for synchronized policy and data updates. |
| 2026-04-11 | Kubernetes RBAC Best Practices | beginner | Reference detailing Kubernetes RBAC best practices, emphasizing the importance of the principle of least privilege (PoLP) and regular permission reviews. It highlights the risks of misconfigured RBAC, citing the "RBAC Buster" attack, and recommends tools like Open Policy Agent (OPA) for automating policies and Wiz for auditing. The entry also covers using namespaces for scope limitation, auditing RBAC events, securing sensitive operations, and integrating with external identity providers. → wiz.io |
| 2026-04-11 | Kubernetes RBAC Good Practices | beginner | Reference on Kubernetes RBAC best practices, detailing how to minimize privilege escalation risks by assigning least privilege to users and service accounts. It highlights dangerous permissions such as `cluster-admin`, `system:masters`, `nodes/proxy`, `escalate`, `impersonate`, and direct access to the CSR API and service account tokens. The document also advises against granting broad permissions to create workloads, PersistentVolumes, or modify namespaces, emphasizing the importance of reviewing default access and periodic audits. |
| 2026-04-11 | NIST SP 800-162: Guide to ABAC | beginner | |
| 2026-04-11 | Authorization Testing Automation Cheat Sheet - OWASP | intermediate | Cheat sheet offering a methodology for automating authorization tests by formalizing an authorization matrix in XML. This approach enables the creation of integration tests that validate access controls for REST services across different logical roles like ANONYMOUS, BASIC, and ADMIN. The process involves defining roles, services with their associated permissions, and test payloads to ensure new feature additions or modifications do not conflict with existing authorization definitions. → cheatsheetseries.owasp.org |
| 2026-04-11 | Access Control Cheat Sheet - OWASP | intermediate | → cheatsheetseries.owasp.org |
| 2026-04-11 | Authorization Cheat Sheet - OWASP | intermediate | Cheat sheet providing guidance for robust authorization logic, addressing concerns like Broken Access Control, a top OWASP 2021 vulnerability. It details implementing "Least Privileges" by granting only necessary permissions and adopting a "Deny by Default" approach for all requests, emphasizing the need for validation on every interaction to prevent unauthorized access to resources, which can impact confidentiality, integrity, and availability. → cheatsheetseries.owasp.org |
| 2026-04-10 | BLA9:2025 Broken Access Control - OWASP | beginner | Reference detailing BLA9:2025 Broken Access Control, a critical OWASP Top 10 vulnerability. It explains how missing role checks, flawed logic trusting client-supplied parameters, overly broad permissions, and identifier tampering (BOLA) enable attackers to perform unauthorized operations. Examples include GitLab branch deletion vulnerabilities and privilege escalation in hay-kot mealie v2.2.0, mapping to CWEs like CWE-863 and CWE-862, and referencing CVEs such as CVE-2021-39931 and CVE-2023-3290. → owasp.org |
| 2026-04-10 | Broken Access Control: 40% Surge in 2025 | news | |
| 2026-04-10 | Defending Against Broken Access Control | beginner | Library for defending against Broken Access Control (BAC), the #1 threat (A01:2021) in the OWASP Top 10. This vulnerability occurs when applications fail to enforce authorization, allowing unauthorized users to access data or functions. Learn about common attack techniques like Horizontal and Vertical Privilege Escalation, Parameter Tampering, IDOR, Data Exposure, API Abuse, and BOLA. The resource highlights real-world examples such as the Optus data breach and the Kia vehicle control vulnerability, emphasizing the critical need for robust server-side authorization. |
| 2026-04-10 | Why Broken Access Control Dominates OWASP Top 10 in 2026 | beginner | Library for building secure applications, focusing on mitigating Broken Access Control (BAC) and Broken Object Level Authorization (BOLA). It highlights how traditional SAST and DAST tools struggle with these logic flaws, contrasting them with technical vulnerabilities like SQL Injection. The library advocates for centralized authorization logic using the Policy Decision Point (PDP) and Policy Enforcement Point (PEP) pattern, and promotes Policy as Code (PaC) with tools like Auth0 FGA, OpenFGA, and OPA to manage authorization policies externally from application code. |
| 2026-04-10 | Broken Access Control: How to Detect and Prevent | beginner | Library of techniques for detecting and preventing broken access control vulnerabilities, the most impactful risk category in the OWASP Top 10. This resource details exploitation methods like vertical and horizontal privilege escalation, insecure direct object references (IDOR), and bypasses via predictable identifiers, parameter tampering, and path variations, offering best practices to mitigate these widespread security weaknesses. → invicti.com |
| 2026-04-10 | OWASP A01: Broken Access Control Risks and Prevention | beginner | Library detailing OWASP A01: Broken Access Control risks and prevention. This resource clarifies the distinction between authentication and authorization, highlights the importance of the principle of least privilege (PoLP) and Role-Based Access Control (RBAC), and provides a Python Flask code snippet demonstrating secure RBAC implementation. It further explains how vulnerabilities manifest through techniques like URL manipulation and parameter tampering, and identifies common failure scenarios such as Insecure Direct Object References (IDOR) and missing function-level access control. |
| 2026-04-10 | OWASP-TOP-10 A01:2025 Broken Access Control | beginner | Library detailing Broken Access Control, a critical OWASP Top 10 risk where applications fail to enforce user restrictions. This resource highlights how attackers can exploit missing or client-side enforced authorization checks, using tools like Burp Suite to directly access backend administrative endpoints. It demonstrates the vulnerability through a case study of an application trusting client-side role validation, leading to unauthorized data access, privilege escalation, and account compromise, and emphasizes implementing server-side authorization and the principle of least privilege for mitigation. |
| 2026-04-10 | OpenClaw: Authorization Bypass and Privilege Escalation | intermediate | Library detailing authorization bypass and privilege escalation vulnerabilities within multi-user OpenClaw deployments, specifically addressing session context bleed. This failure mode allows standard users to execute actions with administrative privileges by exploiting weaknesses in how user identity is bound to requests, especially under asynchronous conditions. The article explains how this can lead to persistence through unauthorized job creation, impacting systems that rely on session context for RBAC, and references CWE-287 and CWE-284. → penligent.ai |
| 2026-04-10 2026 | CVE-2025-67274: Broken Access Control in aangine news IDOR | CVE-2025-67274: Broken Access Control in aangine |
| 2026-04-10 2026 | CVE-2026-33312: BOLA in Vikunja news IDOR | Writeup detailing CVE-2026-33312, a Broken Object Level Authorization (BOLA) vulnerability in Vikunja versions 0.20.2 through 2.1.x. This Incorrect Authorization flaw allows read-only users to permanently delete project background images by exploiting an authorization check designed only for read permissions within the `RemoveProjectBackground` function. The vulnerability, categorized under CWE-863, is fixed in version 2.2.0. |
| 2026-04-10 2026 | BOLA Vulnerability - Vulnsy beginner | Writeup on Broken Object Level Authorization (BOLA), the top OWASP API Security Top 10 risk, detailing how attackers exploit API endpoints that expose object identifiers without proper authorization checks. It covers BOLA's impact on unauthorized data access and modification, simple exploitation methods, and advanced techniques like using predictable IDs or GraphQL introspection. Remediation steps include implementing centralized authorization, using UUIDs, and robust testing with tools like Burp Suite and OWASP ZAP. |
| 2026-04-10 2026 | BOLA: API Attack & Prevention - StackHawk intermediate API Sec | Library detailing Broken Object Level Authorization (BOLA), the OWASP API Security Top 10's persistent #1 risk. BOLA vulnerabilities, also known as Insecure Direct Object Reference (IDOR), occur when APIs fail to verify user permissions for specific data objects, allowing attackers to access or modify sensitive information like financial or medical records by altering predictable identifiers in API requests. The article explains BOLA's root causes, including over-reliance on object identifiers, lack of ownership verification, and insufficient authorization focus, alongside practical examples and prevention strategies. |
| 2026-04-10 2026 | What is BOLA - Imperva beginner | Guide to Broken Object Level Authorization (BOLA), a top OWASP API security risk. BOLA occurs when applications fail to verify user authorization for specific data objects, allowing access to sensitive information or unauthorized actions. The guide details how attackers identify vulnerabilities by manipulating object references, such as sequential IDs in URLs or GraphQL mutations, leading to data breaches and compliance failures under regulations like GDPR and HIPAA. Prevention strategies include applying proper access controls, mapping users to accessible objects, implementing robust authentication, using non-guessable IDs, and leveraging API gateways. → imperva.com |
| 2026-04-06 2026 | 2026 SANS Identity Threats Report: Why Attacks Still Work news | Report summarizing the 2026 SANS Identity Threats & Defenses Survey, revealing that while identity security solutions are widely deployed, identity-related breaches persist due to a mismatch between defenses and attack methods. The survey highlights challenges in containment post-detection and the increasing reliance on legitimate credentials obtained via compromised browsers, MFA fatigue, and token-based access, emphasizing that credential exposure upstream of authentication is the root cause of ongoing attacks, not authentication failures themselves. |
| 2026-04-06 2026 | Exposing Security Blind Spots in GCP Vertex AI advanced | Writeup on double agents in GCP Vertex AI, detailing how a misconfigured Per-Project, Per-Product Service Agent (P4SA) with excessive default permissions can be exploited. This research demonstrates obtaining privileged access to consumer project data and restricted Google-owned Artifact Registry repositories, including proprietary container images for the Vertex AI Reasoning Engine, by compromising a single service agent and exfiltrating its credentials. → unit42.paloaltonetworks.com |
| 2026-04-06 2026 | Critical Access Control Risks in Simple Membership CVE-2026-34886 news | Advisory detailing CVE-2026-34886, a critical broken access control vulnerability in WordPress Simple Membership plugin versions 4.7.1 and earlier. This flaw allows unauthenticated users to execute privileged actions, potentially leading to unauthorized access, data manipulation, or site compromise. Immediate remediation involves updating to version 4.7.2 or higher, with temporary workarounds including plugin disabling, server-level blocking of PHP execution, or WAF virtual patching. Developer recommendations focus on implementing robust capability checking, nonce verification, and REST API permission callbacks. |
| 2026-04-06 2026 | Security Update: Vulnerability Disclosures and Ongoing Hardening - LiteLLM news | Library updates address critical and high-severity vulnerabilities in LiteLLM, including authentication bypass via OIDC cache collision (CVE-2026-35030), privilege escalation through /config/update (CVE-2026-35029), and password hash exposure with pass-the-hash login (GHSA-69x8-hrgq-fjj8). These fixes, along with an ongoing audit by Veria Labs and a new bug bounty program, enhance the security posture of the proxy. |
| 2026-04-03 2026 | Broken Authentication and IDOR – A Big but Solvable Problem | Inspectiv beginner | Reference detailing common application security vulnerabilities, specifically Broken Authentication and Insecure Direct Object Reference (IDOR). It highlights attack vectors like credential stuffing, brute force, and session hijacking, alongside IDOR exploits through predictable identifiers. Mitigation strategies discussed include Multi-Factor Authentication (MFA), server-side validation, least privilege access controls, and using non-sequential identifiers. The resource emphasizes the importance of continuous external validation through bug bounty programs and dynamic application security testing to detect these prevalent threats. |
| 2026-04-03 2026 | Exploiting Broken Access Control Vulnerability for Bounty intermediate | Exploiting Broken Access Control Vulnerability for Bounty |
| 2026-04-03 2026 | Broken Access Control Testing Software for Web Apps | Penti AI intermediate | Tool for autonomous broken access control vulnerability testing; Penti's AI agents discover, reproduce, and prioritize exploitation paths like insecure direct object references and weak tenancy boundaries, then human experts verify impact. The platform offers clear evidence and developer-ready remediation for authorization checks, object scoping, and tenancy isolation, integrating into the SDLC to test for horizontal and vertical privilege escalation. |
| 2026-04-03 2026 | WSTG Methodology: Web Penetration Testing | Haxoris beginner | Guide detailing the OWASP Web Security Testing Guide (WSTG) methodology for comprehensive web application penetration testing. It covers information gathering, configuration, authentication, session management, authorization, input validation (including XSS and SQL Injection), cryptography, and business logic flaws, aiming to uncover threats like IDOR and SSRF. The guide emphasizes a systematic approach, using tools like Burp Suite, and provides detailed reports with remediation steps and a free retest. |
| 2026-04-03 2026 | Insecure Direct Object Reference (IDOR) Attack Guide | Hackviser beginner IDOR | Guide to Insecure Direct Object Reference (IDOR) vulnerabilities, detailing manual testing techniques across URL parameters, POST bodies, HTTP headers, cookies, and file access. It covers automated discovery using tools like Burp Suite and ffuf, scripting with Python, and various attack vectors including numeric, UUID, hash-based, parameter pollution, and mass assignment bypasses, as well as blind IDOR exploitation. |
| 2026-04-03 2026 | OWASP Top 10 #1: Broken Access Control and Security Tips beginner | Guide analyzing OWASP Top 10 #1, Broken Access Control. It details common exploit scenarios, including Insecure Direct Object References (IDOR) and Mass Assignment vulnerabilities. The guide provides practical advice and fixes for strengthening access control, differentiating between vertical, horizontal, and contextual controls, and explaining how authentication and session management contribute to overall security. → vaadata.com |
| 2026-04-03 2026 | Primer on Broken Access Control Vulnerabilities and How to Find Them beginner | Writeup on broken access control vulnerabilities, which have become the top OWASP Top 10 vulnerability. It details vertical and horizontal privilege escalation, including techniques like insecure direct object references (IDOR), lack of protection over sensitive functionality (e.g., direct URL access to admin pages), inadequate parameter-based access control (e.g., manipulating `admin=true` parameters), and misconfigured platform-level controls that can be bypassed with custom HTTP headers or alternative HTTP methods. |
| 2026-04-03 2026 | Horizontal and Vertical Privilege Escalation Explained | Blue Goat Cyber beginner | Reference detailing medical device cybersecurity requirements, focusing on FDA submissions, SPDF development, SBOMs, and threat modeling. It emphasizes the importance of understanding device operation, real-world threats, and supply chain risks, referencing standards like ISO 14971, FDA Guidance, UL 2900, and AAMI TIR57 to ensure compliance and patient safety. |
| 2026-04-03 2026 | Broken Access Control - Vertical Privilege Escalation Writeup intermediate | Writeup detailing the identification and exploitation of Broken Access Control vulnerabilities, specifically focusing on Vertical Privilege Escalation. It provides a walkthrough of PortSwigger labs, demonstrating techniques such as discovering admin URLs via robots.txt, source code analysis, manipulating cookie parameters to elevate privileges, and modifying request parameters like `roleid` using Burp Suite to gain administrative access and delete users. |
| 2026-04-03 2026 | Access Control Vulnerabilities and Privilege Escalation | PortSwigger beginner | Reference detailing access control vulnerabilities and privilege escalation, explaining vertical and horizontal controls, context-dependent mechanisms, and common vulnerabilities such as unprotected functionality, parameter-based bypasses, and platform misconfigurations involving headers like `X-Original-URL` and `X-Rewrite-URL`. It also covers URL-matching discrepancies, including case insensitivity and the `useSuffixPatternMatch` option in Spring. → portswigger.net |
| 2026-04-03 2026 | Insecure Direct Object References (IDOR) | PortSwigger beginner IDOR | Reference on Insecure Direct Object References (IDOR), an OWASP Top Ten vulnerability type where applications misuse user-supplied input to access objects directly. It details how attackers can exploit this, leading to horizontal or vertical privilege escalation by altering parameters to access other users' data, such as in database queries (e.g., `customer_account?customer_number=132355`) or static files (e.g., `/static/12144.txt`). → portswigger.net |
| 2026-04-03 2026 | IDOR - HackTricks beginner IDOR | Reference detailing Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) vulnerabilities, which occur when applications expose user-controllable identifiers to access internal objects without proper authorization checks. The resource highlights exploitation techniques using parameters in paths, queries, JSON bodies, headers, and cookies, including examples with sequential IDs and common tools like `curl` and `ffuf`. It discusses real-world breaches such as the McHire applicant data exposure and the Carlsberg media leak, emphasizing that encoding does not inherently provide security and advocating for server-side object-level authorization and unpredictable identifiers like UUIDv4. → book.hacktricks.xyz |
| 2026-04-03 2026 | Testing for Privilege Escalation | OWASP WSTG intermediate | Guide detailing privilege escalation testing within the OWASP Web Security Testing Guide. It covers techniques for identifying and exploiting vulnerabilities that allow users to gain unauthorized access to more resources or functionality. Specific methods include manipulation of user groups, profiles, condition values, and IP addresses, as well as bypassing authorization schemas by switching session identifiers. The guide also provides examples of how to test for vertical and horizontal privilege escalation. → owasp.org |
| 2026-04-03 2026 | Testing for Insecure Direct Object References | OWASP WSTG beginner | Guide for testing Insecure Direct Object References (IDOR), a vulnerability where direct object access is granted based on user-supplied input. It details how attackers can bypass authorization by modifying parameters used to retrieve database records, perform operations, access file system resources, or invoke application functionality. The guide recommends mapping object reference points, assessing access controls, and using multiple test user accounts with different object ownership and privileges to identify and exploit IDOR flaws. → owasp.org |
| 2026-04-03 2026 | Top HackerOne Reports - Authorization Bypass intermediate | Reports from HackerOne highlight prevalent authorization bypass vulnerabilities, including email confirmation flaws leading to privilege escalation in Shopify and Line Corporation, and request smuggling on `admin-official.line.me`. Several reports detail IDOR vulnerabilities affecting sensitive data access on platforms like TikTok and LinkedIn, and privilege escalation techniques on systems including GitLab and Ubiquiti Inc. Other critical findings involve OAuth grant bypasses, blind SSRF, and improper access control leading to account takeovers, data leaks, and administrative control for various vendors. |
| 2026-04-03 2026 | Broken Authentication: Advanced Exploitation Guide | Intigriti advanced | Guide to exploiting broken authentication vulnerabilities, covering how to identify and exploit both common and advanced flaws. It details techniques like forced browsing, utilizing default credentials, and leveraging a lack of rate limiting for brute-forcing. The guide also explains how input validation issues, such as SQL injection, can lead to authentication bypasses, providing examples for practical application. → intigriti.com |
| 2026-04-03 2026 | How To Find Broken Access Control Vulnerabilities in the Wild | HackerOne intermediate | Guide to finding Broken Access Control (BAC) vulnerabilities, explaining concepts like Insecure Direct Object Reference (IDOR) and covering identifier types such as numeric, user-chosen, natural keys, composite keys, UUIDs, and hashes. It details the permissions mapping technique for identifying BAC flaws by creating lists of user roles and application actions, and highlights the prevalence of BAC bugs as the #1 vulnerability in the OWASP Top 10. → hackerone.com |
| 2026-04-03 2026 | BugQuest 2026: 31 Days of Broken Access Control | Intigriti intermediate IDOR | Collection of 31 posts detailing broken access control (BAC) vulnerabilities, covering OWASP A01:2025 concepts, authentication versus authorization distinctions, and various authorization models like RBAC. It explores discovery techniques including content discovery with ffuf, JavaScript enumeration, API documentation mining, GraphQL introspection, and mobile application analysis. Specific exploitation methods discussed include request method tampering, HTTP parameter pollution, static keyword swapping, JWT algorithm confusion, and second-order attacks, alongside practical examples like IDOR and URL-matching discrepancies. → intigriti.com |
| 2026-04-03 2026 | Authn vs. authz: How are they different? beginner AuthN | Authentication (authn) refers to identity, while authorization (authz) has to do with permissions. Learn about the difference between authn vs. authz in more detail. |
| 2026-03-01 2026 | gadievron/raptor: Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we configure the agent for adversarial thinking, and perform research or attack/defense operations. advanced AI | Library for autonomous security research, RAPTOR orchestrates static analysis, binary analysis, LLM-powered vulnerability validation, exploit generation, and patch writing. It integrates Semgrep and CodeQL for scanning and utilizes LLMs for vulnerability analysis, generating Proof-of-Concepts, and creating patches. RAPTOR supports multiple LLM providers and can leverage Z3 for constraint analysis to improve accuracy and prioritize reachable exploits. It offers project management features for organizing findings and tracking progress across multiple runs. |
| 2026-01-21 2026 | OAuth 2.0 Course for Beginners beginner AuthN | Course on OAuth 2.0 for beginners, explaining the authorization framework's use of access tokens for delegated access and passwordless integration with third-party apps. It covers key concepts like the four OAuth roles (Resource Owner, Client, Auth Server, Resource Server), the importance of PKCE, and practical implementation details for building authorization and resource servers, alongside client applications. The 2-hour video tutorial also addresses debugging common issues such as JWKS and Axios errors, concluding with a summary of best practices and repository setup. |
| 2025-10-22 2025 | Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US intermediate AuthN | Tool for automating the creation of malicious second-party OAuth applications within compromised cloud environments. This tool, developed by Proofpoint researchers, demonstrates how threat actors can achieve persistent access, even after user credentials are reset or multi-factor authentication is enforced, by registering internal applications with chosen API scopes such as Mail.Read and offline_access. The research highlights a real-world attack vector already exploited by threat actors, offering a technical analysis of the automated process for application registration, secret generation, and token harvesting. |
| 2025-09-05 2025 | Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO | daily.dev beginner AuthN JWT | Guide to authentication and authorization mechanisms, detailing the differences and use cases for Basic, Bearer, OAuth2, JWT, and SSO. It explains authorization models such as RBAC, ABAC, and ACL, highlighting how real-world applications like GitHub and Stripe combine them. The entry emphasizes selecting appropriate models and token types based on application complexity and security needs. |
| 2024-10-03 2024 | Automate your API hacking with Autorize intermediate API Sec AuthN | Library that automates API security testing by detecting broken object level authorization (BOLA) and other access control issues. Autorize, a Burp Suite extension, works by replaying requests to APIs with low-privileged, high-privileged, and unauthenticated user tokens. It then compares the responses for discrepancies and flags requests that receive a "Bypassed!" enforcement status as potential vulnerabilities. Users can configure interception filters, integrate with Burp's Repeater, and fine-tune enforcement detectors, for example by checking for 401 status codes, to identify issues such as unauthorized access to administrative functions. → danaepp.com |
| 2024-09-16 2024 | Automating the CORS Vulnerability Scan intermediate API Sec Bug Bounty | When conducting a bug bounty, automating your scanning process not only saves time but ensures you don’t miss common vulnerabilities. One… |
| 2023-09-21 2023 | Attacking and Defending Azure & M365 intermediate | Attacking and Defending Azure & M365 https://ift.tt/0F6sIRP |
| 2023-09-03 2023 | GitHub - dirkjanm/adidnsdump: Active Directory Integrated DNS dumping by any authenticated user intermediate AuthN | Tool for Active Directory Integrated DNS record enumeration and export, enabling reconnaissance of internal networks. By default, any authenticated Active Directory user can perform zone transfers, and this application facilitates that capability. It can be installed via pip or from source, requiring impacket and dnspython. The tool supports direct network use and proxychains, with an option for DNS over TCP. |
| 2023-09-01 2023 | Spraying the Microsoft Cloud intermediate AuthN | Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional… |
| 2023-05-21 2023 | Authentication authorization and security in SharePoint intermediate AuthN | Reference on SharePoint authentication and authorization, detailing its role-based security model and support for Windows authentication (including NTLM and Kerberos) and ASP.NET forms-based authentication. It highlights claims-based identity as a core feature, enabling cross-platform authentication and integration with external identity systems, and explains how membership and role providers are utilized to manage user identities and group memberships. |
| 2023-05-09 2023 | Seven Common Ways To Bypass Login Page intermediate AuthN | Seven Common Ways To Bypass Login Page https://ift.tt/8PI0ers |
| 2023-04-13 2023 | OWASP Proactive Controls 2023/2024 v1 beginner API Sec AuthN | OWASP Proactive Controls 2023/2024 v1 https://ift.tt/xVAnFY5 → docs.google.com |
| 2023-03-29 2023 | skills/secure-code-game beginner Bug Bounty | Library for learning secure coding through an interactive in-editor game. Season 4 focuses on securing Agentic AI, teaching how to protect Agentic Workflows and Multi-Agent Communications through five progressive levels. Players can start quickly from their browser, with no AI or coding experience required. The game runs instantly in GitHub Codespaces, with over 10,000 players participating from industry and academia. |
| 2022-04-14 2022 | Favorite tweet by @Jhaddix intermediate Bug Bounty | Favorite tweet: 🧵Another hacker story thread!🧵 === Penetrating a Porn Site === How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities. Here's how I did... |
| 2022-01-10 2022 | At DevSecCon24 find out how to build a Security Champions programme to scale your team beginner | At DevSecCon24 find out how to build a Security Champions programme to scale your team |
| 2021-11-10 2021 | How to Control Access to Your Amazon Elasticsearch Service Domain intermediate | Reference for controlling access to Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) domains. It details how to leverage AWS Identity and Access Management (IAM) through resource-based policies and identity-based policies. The entry also covers authentication strategies, including IP-based restrictions and Signature Version 4 signing, with examples for both Python and Java. → aws.amazon.com |
| 2021-10-29 2021 | Improvements to Burp Suite authenticated scanning intermediate Burp | Improvements in Burp Suite 2021.9.1 enhance authenticated scanning by better handling iframes, animated elements, JavaScript-driven redirections, nested SVGs within buttons, and multi-select elements, leveraging the Burp Suite Navigation Recorder for complex login sequences. → portswigger.net |
| 2021-10-28 2021 | IAM Power Editor intermediate | IAM Power Editor |
| 2021-09-14 2021 | IAM Vulnerable intermediate | Tool for creating a vulnerable-by-design AWS IAM privilege escalation playground. Using Terraform and your AWS credentials, it deploys over 250 IAM resources to facilitate learning and exploitation of 31 unique privilege escalation paths, referencing techniques pioneered by Spencer Gietzen and applicable to tools like Cloudsplaining and Pacu. |
| 2021-09-10 2021 | IAM Vulnerable - An AWS IAM Privilege Escalation Playground intermediate Bug Bounty | Library for automating the creation of intentionally vulnerable AWS IAM configurations, allowing security practitioners to practice identifying and exploiting privilege escalation paths. It deploys over 250 IAM resources using Terraform, including users, roles, and policies, to simulate 31 unique escalation test cases, building upon research from Spencer Gietzen and Gerben Kleijn. The library supports modular deployment, offering free resources by default and optional non-free resources like EC2 instances and Lambda functions for more complex scenarios. |
| 2021-09-07 2021 | Automating Authorization Testing: AuthMatrix Part 1 intermediate Bug Bounty | Library for automating authorization testing. This resource, AuthMatrix Part 1, introduces a technique for comprehensively testing application authorization by creating custom matrices to cover all possible user role and permission combinations, effectively identifying and mitigating authorization bypass vulnerabilities. → whiteoaksecurity.com |
| 2021-07-28 2021 | Chaining password reset link poisoning IDOR and information leakage to achieve account takeover at api.redacted.com advanced Bug Bounty IDOR | This report details a method to achieve account takeover at api.redacted.com by chaining three vulnerabilities. The attacker first exploits password reset link poisoning, then an Insecure Direct Object Reference (IDOR) flaw, and finally leverages information leakage. These combined vulnerabilities allow for unauthorized access to user accounts. No bounty payout amount is mentioned. |
| 2021-07-19 2021 | AWS IAM Role Chaining intermediate | AWS IAM Role Chaining allows one IAM role to assume another IAM role. This enhances security by enabling temporary, limited-privilege credentials to be granted for specific tasks. Instead of managing separate policies for every user and service, roles can be chained together, where Role A assumes Role B. This promotes the principle of least privilege, reducing the potential attack surface. The primary benefit is improved security and streamlined credential management within AWS environments. |
| 2021-06-30 2021 | Forbidden: You don't have permission to access / on this server Error beginner | Reference on resolving the Apache "Forbidden – You don’t have permission to access / on this server" error. This guide addresses common causes such as incorrect file/directory permissions, misconfigurations in Apache's main configuration files, and improperly formatted .htaccess files. Solutions include recursively adjusting file permissions with `chmod 755` for directories and `chmod 644` for files, modifying ownership with `chown`, and ensuring `AllowOverride All` is set in Apache's `<Directory>` directives. |
Frequently Asked Questions
- What is broken access control?
  - Broken access control occurs when an application fails to enforce restrictions on what authenticated users are allowed to do. This can lead to unauthorized access to other users' data, privilege escalation to admin roles, or performing actions outside the user's intended permissions — such as modifying or deleting resources they should not have access to.
- What is the difference between authentication and authorization?
  - Authentication verifies identity (who are you?), while authorization determines permissions (what can you do?). A user can be properly authenticated but still access resources they shouldn't if authorization checks are missing or flawed. Many critical vulnerabilities arise from this distinction being overlooked.
- How do you test for authorization vulnerabilities?
  - Test by accessing resources with different user roles, manipulating tokens or session cookies, changing IDs in API requests, and attempting to reach admin endpoints as a regular user. Tools like Autorize (Burp extension) automate this by replaying requests with different session tokens to detect missing authorization checks.