Authorization / Broken Access Control
Authorization vulnerabilities occur when applications fail to properly enforce access controls, allowing users to perform actions or access resources beyond their intended permissions. Broken Access Control consistently ranks as the #1 risk in the OWASP Top 10, encompassing issues like privilege escalation (both vertical and horizontal), missing function-level access controls, and insecure direct object references at the authorization layer. Unlike authentication (verifying who you are), authorization determines what you are allowed to do — and flaws here can expose entire administrative interfaces, allow users to modify other accounts, or grant elevated privileges through parameter tampering, forced browsing, or JWT manipulation. Modern applications with complex role hierarchies, microservice architectures, and API-first designs face particular challenges in maintaining consistent authorization checks across every endpoint and resource.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-20 NEW 2026 | Defeating Kubernetes Privilege Escalation: A Cloud Detection & Response Case Study intermediate 3 min read | Case study detailing a real-world attack where adversaries escalated privileges from Kubernetes to AWS control planes. The attack leveraged a newly published RCE CVE on an open-source application running on an EKS pod's EC2 instance, which was misconfigured with internet access. This allowed exploitation to gain access to the EC2 instance IAM role via the Instance Metadata Service (IMDS), highlighting the need for rapid, contextualized cloud detection and response. → wiz.io |
| 2026-06-19 NEW 2026 | Data access governance: Who's got the keys to your data kingdom? beginner 4 min read | Capabilities for data access governance leverage Wiz DSPM and CIEM to discover sensitive data, analyze effective permissions of human and non-human identities, and govern access to critical data across multi-cloud environments, including Snowflake and OpenAI, while identifying and remediating risky identities with access to sensitive information. → wiz.io |
| 2026-06-19 NEW 2026 | Preventing broken access control in express Node.js applications beginner 11 min read API Sec | Library detailing broken access control vulnerabilities in Express Node.js applications, covering scenarios like unprotected admin panels, predictable user IDs leading to IDOR, and insecure direct object references. It illustrates how to prevent issues such as vertical privilege escalation and horizontal data exposure, emphasizing the risks of clear text logging and insufficient CSRF protection within Express middleware. → snyk.io |
| 2026-06-19 NEW 2026 | I almost ordered a product for free. (Business Logic Vulnerability) beginner | Security engineer Sumeet Mahadik discovered a business logic vulnerability that nearly allowed him to order a product for free. While the exact method isn't detailed, the vulnerability presented an opportunity for significant savings. The content is the beginning of a blog post where Mahadik intends to explain his findings. No bounty payout amount is mentioned. → infosecwriteups.com |
| 2026-06-19 NEW 2026 | “Bug Bounty Bootcamp #47: Account Takeover 101 — How to Steal Everyone’s Account (Legally)” beginner IDOR | This article from Bug Bounty Bootcamp #47, "Account Takeover 101," explains how to legally perform account takeovers. It highlights common vulnerabilities like Insecure Direct Object References (IDOR), leaked invite links, and mass-assignable "role" fields as key entry points. The content suggests that sophisticated hacking skills are not necessary to exploit these weaknesses. → infosecwriteups.com |
| 2026-06-18 NEW 2026 | New Developments in LLM Hijacking Activity intermediate 3 min read AI | Writeup on the JINX-2401 LLM hijacking campaign targeting AWS, detailing IAM privilege escalation tactics and attempts to invoke Bedrock models. This campaign leverages compromised IAM user access keys and employs specific naming conventions for newly created IAM users and policies like "New_Policy". The report also highlights detection strategies for CloudTrail logs and Wiz Defend rules to identify suspicious activity related to LLM abuse and IAM credential misuse. → wiz.io |
| 2026-06-17 NEW 2026 | Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) news 4 min read RCE | Analysis of CVE-2024-50603, an unauthenticated RCE vulnerability in Aviatrix Controller, details its exploitation in the wild for cryptojacking and backdoor deployment, including Sliver and Mirai. This command injection flaw, stemming from improper input neutralization, allows arbitrary command execution and can lead to privilege escalation in AWS control planes. Patched versions 7.1.4191 and 7.2.4996 address this critical vulnerability. → wiz.io |
| 2026-06-17 NEW 2026 | TryHackMe — Checkmate | Full Walkthrough beginner Bug Bounty OSINT | This TryHackMe room, "Checkmate," is an easy-level lab focusing on password attacks, OSINT, and privilege escalation. It simulates an internal network compromise by exploiting an IT employee's weak password habits. The lab involves gaining access to various systems, including a firewall panel and SSH, by leveraging these vulnerabilities. → infosecwriteups.com |
| 2026-06-16 NEW 2026 | How to use the new CloudTrail network activity events for AWS VPC Endpoints intermediate 6 min read | Reference on AWS VPC Endpoint CloudTrail network activity events, detailing how to enable and utilize these new opt-in events for CloudTrail to gain visibility into API activity traversing VPC Endpoints. It covers using these logs for safely developing VPC Endpoint Policies, detecting data exfiltration, and understanding network connections between VPC services and AWS resources, with specific mention of supported services like S3 and KMS, and considerations for cost and coverage compared to Data Events. → wiz.io |
| 2026-06-16 NEW 2026 | CIEM and Secure Cloud Access: Best Practices from Wiz and CyberArk intermediate 5 min read | Library integrating Wiz and CyberArk, this resource details best practices for Cloud Infrastructure Entitlements Management (CIEM) and Secure Cloud Access. It emphasizes gaining full visibility into cloud identities and permissions, enforcing least privilege, prioritizing critical attack paths, and implementing Zero Standing Privileges (ZSP). The entry also covers applying privilege controls post-authentication, maintaining continuous identity governance, and enabling on-demand access for unplanned events, aiming to balance security with productivity. → wiz.io |
| 2026-06-16 NEW 2026 | Wiz Data Foundations: Where’s My Sensitive Data—And Who Can Access It? intermediate 3 min read | Library for cloud data security that offers visibility into sensitive data locations and access controls. It features an agentless scan to detect and classify sensitive data, a Data Stores Treemap for visualizing data distribution by resource type and sensitivity, and multiple workflows to explore access entitlements by data store, identity, or through the Security Graph. The library helps identify who can access sensitive data, how access was granted, and any associated risks, supporting workflows from broad trends to deep, targeted investigations. → wiz.io |
| 2026-06-16 NEW 2026 | Federal Data, Meet your New Bodyguard: DSPM joins Wiz for Government news 3 min read | Library for automated sensitive data discovery and classification within FedRAMP environments. This DSPM solution provides visualization of data residency, access controls, and attack paths, aiding in compliance with regulations like GDPR, CCPA, HIPAA, FISMA, OMB M-17-12, CMMC, and Zero Trust principles. It supports agentless scanning, custom data classification rules, and AI readiness by identifying sensitive training data and potential leaks, ultimately reducing the data attack surface and accelerating federal data security use cases. → wiz.io |
| 2026-06-16 NEW 2026 | What Analyzing Hundreds of Thousands of Cloud Environments Taught Us About Data Exposure intermediate 2 min read | Report analyzing hundreds of thousands of cloud environments, revealing that 54% have exposed VMs and serverless instances with sensitive data, and 35% of these are also vulnerable to critical threats. It highlights that 72% of environments have publicly accessible PaaS databases lacking access controls, and 12% still have exposed and exploitable containers. The findings emphasize the need to prioritize actions based on the context of exposure, vulnerability, and data sensitivity. → wiz.io |
| 2026-06-15 NEW 2026 | What Changed in OWASP Top 10 2025? Full Breakdown & Recommendations beginner 13 min read | Analysis of the OWASP Top 10 2025 identifies two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). Security Misconfiguration has jumped to #2, highlighting risks from continuous deployment without continuous scanning. Broken Access Control (A01) now explicitly includes BOLA and BFLA, crucial for API security. While OWASP's recommendations are sound, their application requires mature SDLC discipline and unified tooling. Software Supply Chain Failures (A03) shows a high incidence rate but low CVE coverage, indicating current attacks with limited scanner detection. Addressing these shifts by category can improve an organization's security posture. |
| 2026-06-15 NEW 2026 | Wiz Research Uncovers Critical Vulnerability in AI Vibe Coding platform Base44 Allowing Unauthorized Access to Private Applications news 8 min read AI | Writeup on an authentication bypass vulnerability in the Base44 vibe coding platform, discovered by Wiz Research. Attackers could exploit undocumented registration and email verification endpoints by providing a non-secret `app_id` to create verified accounts for private applications, bypassing SSO and gaining unauthorized access to sensitive enterprise data. The flaw was fixed within 24 hours by Base44 and Wix. → wiz.io |
| 2026-06-15 NEW 2026 | Securing the Digital Future: AppSec Best Practices in Digital Banking beginner 3 min read API Sec | Talk slides from the Digital Banking Asia Summit 2024 outlining application security best practices for financial services. The presentation highlights key challenges including regulatory compliance, third-party integration, sophisticated attackers, complex architectures, legacy systems, resource limitations, insider threats, and balancing release velocity with security. It also addresses developer-security team disconnects due to lack of shared context, leadership priorities for CTOs and CISOs, and five pillars of success: developer adoption, security trust, effective fix delivery, a comprehensive platform, and a strong partner ecosystem. → snyk.io |
| 2026-06-15 NEW 2026 | BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience beginner 2 min read API Sec | Talk at CISO Indonesia 2024 detailing BFI Finance's shift-left security strategy using Snyk. The discussion highlights BFI's transition from reactive pen tests and container scans to proactive measures like pull request scans, in-development code scans, IaC scans for Terraform, and container scans. Key results include zero critical/high production issues, defined patch grace periods, improved developer experience via IDE and CI/CD integration, and enhanced reporting. Lessons learned emphasize cross-team collaboration and cultural transformation for embedding security standards. → snyk.io |
| 2026-06-14 2026 | Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them intermediate 8 min read API Sec | Library for securing applications built with "vibe coding" platforms like Lovable. It details common risks such as authentication logic living entirely in the browser, API keys and secrets exposed in client-side code, and database tables being wide-open. Solutions include enforcing server-side authentication, proxying API calls through a secure backend, and implementing proper Row-Level Security (RLS) for databases like Supabase. → wiz.io |
| 2026-06-14 2026 | Beyond CVEs: The Exploitation of Everyday Misconfigurations beginner 6 min read API Sec | Library detailing the exploitation of common cloud application misconfigurations, moving beyond traditional CVEs. It covers unrestricted access, default/weak credentials, excessive permissions, and exposed databases, providing real-world case studies of abuse. Examples include Selenium Grid RCE via arbitrary command execution, Spring Boot Actuator SSRF and sensitive data leakage through heap dumps, and PostgreSQL command execution using the `COPY FROM PROGRAM` feature with weak credentials. The library emphasizes proactive perimeter scanning and shifting security left within CI/CD pipelines to mitigate these risks. → wiz.io |
| 2026-06-14 2026 | CVE-2025-29927 Authorization Bypass in Next.js Middleware news 3 min read API Sec | Writeup of CVE-2025-29927, an authorization bypass vulnerability in Next.js middleware. This critical 9.1 severity flaw affects Next.js versions prior to 15.2.3, 14.2.25, and 13.5.9. Attackers can bypass middleware logic and access protected routes by manipulating the `x-middleware-subrequest` HTTP header. Developers are urged to upgrade Next.js versions or apply firewall rules to mitigate the risk. → snyk.io |
| 2026-06-13 2026 | Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) - watchTowr Labs news 15 min read RCE | Analysis of Splunk Enterprise CVE-2026-20253 details a pre-authentication RCE vulnerability affecting Splunk versions 10 and above. The flaw resides in the PostgreSQL Sidecar Service Endpoint, which, when installed and enabled by default (as on AWS deployments), allows unauthenticated attackers to trigger file operations via a proxied HTTP request to the main Splunk web application. This insecure endpoint, exposed on localhost but accessible through the main interface, can be leveraged for unauthorized actions. → labs.watchtowr.com |
| 2026-06-13 2026 | Header Manipulation: Bypasses, Probing, and the Security Audit Nobody Does intermediate API Sec | Request headers are not mere metadata but critical inputs that can be manipulated. Attackers exploit this to bypass access controls, probe for misconfigurations, spoof identities, and test security. This article delves into header manipulation techniques frequently encountered in penetration testing platforms, emphasizing their role in security assessments. → infosecwriteups.com |
| 2026-06-13 2026 | Full Fathom Five: The context of Anthropic’s Mythos-class public release beginner 6 min read AI | Reference detailing Anthropic's Claude Fable 5 release, clarifying it routes cybersecurity prompts to Opus 4.8 and is not for vulnerability discovery. It emphasizes that advanced LLMs aren't required for finding issues like IDORs and business logic flaws, highlighting that misconfigurations, exposed services, and broken identity edges constitute 80% of security problems, not just CVEs. The analysis critiques the fetishization of CVEs and zero-days, suggesting LLM tokens are better utilized for defensive scans, remediation, and exposure management. → aikido.dev |
| 2026-06-13 2026 | KCD New York 2026: Trust, Agents, and the Work Behind the Work news 8 min read AI API Sec | Talk slides from KCD New York 2026 cover securing cloud-native systems through zero trust principles with Istio Ambient Mesh, addressing discrepancies in Kubernetes CVE data from sources like MITRE and maintainer discussions, and enabling autonomous multi-cluster remediation via agentic AI and MCP servers. The importance of a "trust ladder" for remediation, starting with recommendations and progressing to opt-in auto-remediation, is highlighted, emphasizing robust identity and RBAC. The event also stressed that community, not just technology, forms the essential infrastructure for open-source projects, with initiatives like contributor onboarding crucial for sustainability. → blog.gitguardian.com |
| 2026-06-12 2026 | Bringing Oracle Cloud Identity to Wiz intermediate 3 min read | Library support for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) provides unified visibility across OCI, AWS, Azure, and GCP. It normalizes OCI's Identity Domains, Compartments, and natural-language policies into Wiz's security graph, allowing analysis of users, groups, service principals, access paths, and OCI API keys. This enables consistent cross-cloud controls and threat analysis by mapping OCI constructs like resource types and permissions to Wiz objects and access types. → wiz.io |
| 2026-06-11 2026 | Jupyter Enterprise Gateway - From Notebook to Kubernetes Cluster Admin - elttam intermediate 9 min read | Writeup detailing three vulnerabilities found in Jupyter Enterprise Gateway v3.2.3, allowing a notebook user to escalate privileges to full Kubernetes cluster administrator. These vulnerabilities, responsibly disclosed to the Jupyter security team and patched in v3.3.0, enable a user to bypass UID/GID restrictions by providing values with trailing spaces, leading to root execution within kernel pods. Combined with hostPath volume mounts, this allows access to sensitive cluster secrets, mounting host filesystems, and the creation of arbitrary privileged pods, potentially compromising the entire cluster. |
| 2026-06-10 2026 | Security Insights Where Work Happens: Notion Custom Agents + Wiz MCP news 3 min read AI | Library integration enabling Notion Custom Agents to securely access Wiz cloud security insights. This allows teams to answer security questions, generate automated reports, and investigate risks directly within Notion, bringing security context into collaborative workspaces where decisions are made. → wiz.io |
| 2026-06-10 2026 | Introducing Wiz Agents & Workflows: Security at the Speed of AI news 7 min read AI | Library introducing Wiz Agents and Workflows, a suite of AI-powered security tools designed to accelerate threat detection, investigation, and remediation. The Red Agent acts as an AI attacker to find logic-driven vulnerabilities, the Blue Agent investigates threats using cloud telemetry and runtime signals, and the Green Agent provides environment-specific remediation guidance. Workflows orchestrate these agents, enabling automated responses and scalable security operations grounded in the Wiz Security Graph's context. → wiz.io |
| 2026-06-10 2026 | ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations beginner 6 min read AI AuthN | Library for securing AI agents, this resource details a critical vulnerability chain in ServiceNow's Virtual Agent that allowed platform takeover via broken API authentication, weak identity verification, and excessive agent privileges. It emphasizes that securing AI requires foundational application security practices like threat modeling, DAST for vulnerability detection, and AI red teaming to expose impact paths. The library advocates for a layered security approach, auditing agent permissions, enforcing strong API identity, and implementing continuous testing to address the evolving risks of agentic AI. → snyk.io |
| 2026-06-10 2026 | I Found the Entire Admin UI of a Live PlatformJust By Tweaking Traffic in Burp Suite intermediate Burp | Security researcher Hamza Hashim (refang) discovered the entire admin UI of the live internship program portal REDACTED.org by manipulating traffic in Burp Suite. While participating in the internship, Hashim found this vulnerability, which was part of a larger bug report submitted to the organization. The article details this specific finding from a real-world application. → infosecwriteups.com |
| 2026-06-10 2026 | Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility advanced 13 min read | Analysis of techniques for abusing cloud logging services, specifically AWS CloudTrail and Google Cloud Logging, to achieve defense evasion and maintain attacker visibility. The article details methods such as stopping logging, deleting log storage destinations like S3 buckets or Google Cloud log buckets, removing log routers (trails or sinks), impairing logging via attacker-controlled encryption keys, and log poisoning. Understanding these attack vectors helps organizations implement stronger security configurations to detect and prevent misuse of these critical visibility tools. → unit42.paloaltonetworks.com |
| 2026-06-08 2026 | Copy Fail: Universal Linux Local Privilege Escalation Vulnerability intermediate 4 min read | Writeup on CVE-2026-31431, a Linux kernel vulnerability dubbed "Copy Fail," allowing unprivileged local users to escalate to root. Discovered by Xint, it affects nearly all Linux kernels since 2017 due to a logic flaw in the AEAD crypto implementation, enabling attackers to overwrite file page cache and inject code into binaries like `/usr/bin/su`. Mitigation involves kernel updates or blocking AF_ALG socket creation via seccomp. Detection can involve correlating AF_ALG loading with other suspicious signals or monitoring for malformed `auth.log` entries from corrupted `su` binaries. → wiz.io |
| 2026-06-08 2026 | Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC intermediate 2 min read | Writeup of "Dirty Frag," a Linux kernel local privilege escalation vulnerability chain (CVE-2026-43284, CVE-2026-43500), exploiting flaws in the ESP and RxRPC subsystems. This deterministic vulnerability, a successor to Copy Fail (CVE-2026-31431), allows root privilege escalation by corrupting page-cache memory. Exploitation typically requires CAP_NET_ADMIN privileges, making it less likely in hardened containers but a significant risk for VMs. Affected code paths date back to 2017 for ESP and 2023 for RxRPC, impacting a wide range of kernel versions. → wiz.io |
| 2026-06-08 2026 | Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP intermediate 1 min read | Library for Linux kernel local privilege escalation, Fragnesia, targets the XFRM ESP-in-TCP subsystem. This vulnerability, a variant of DirtyFrag, allows unprivileged local attackers to modify read-only file contents in the kernel page cache and gain root privileges through deterministic page-cache corruption. The exploit manipulates AES-GCM keystream during decryption to overwrite critical binaries like `/usr/bin/su` with an ELF payload, achieving a root shell. Recommended mitigation involves applying vendor kernel patches or disabling vulnerable modules. → wiz.io |
| 2026-06-08 2026 | OSCP Windows Enumeration Checklist: My Complete Privilege Escalation Workflow for Every Box intermediate | This article details a comprehensive Windows enumeration workflow for the OSCP certification, focusing on privilege escalation. The author shares their exact process, highlighting key techniques like analyzing WinPEAS output, hunting for credentials, leveraging token abuse, and examining services. The goal is to provide a structured approach for tackling Windows-based machines encountered during the exam, ensuring thoroughness in identifying vulnerabilities and escalating privileges effectively. → infosecwriteups.com |
| 2026-06-08 2026 | Ransacking your password reset tokens intermediate 18 min read Bug Bounty | Library exposing sensitive data via attribute brute-force attacks in Ruby on Rails applications. The Ransack library's default configuration permits users to guess arbitrary attributes and values character by character, allowing extraction of sensitive information like password reset tokens. Similar vulnerabilities exist in technologies like Hasura and Sequelize. Ransack version 4.0.0 mitigates this by enforcing explicit allow lists for searchable attributes and associations. |
| 2026-06-08 2026 | Designing Identity for the Agentic Enterprise: The Okta AI Identity Summit news 7 min read AI | Survey of discussions from the Okta AI Identity Summit, focusing on the critical need for robust identity systems to govern agentic AI. Key themes include the evolution of identity beyond credentials to control actions, the necessity of discovery and real-time governance for shadow agents, and the imperative to future-proof identity architectures for non-human actors operating at machine speed, emphasizing that capability without accountability is not a viable strategy. → blog.gitguardian.com |
| 2026-06-08 2026 | Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557 news 20 min read RCE | Tool for detecting and weaponizing CVE-2026-22557, an unauthenticated path traversal vulnerability in UniFi Network Application's guest captive portal. This critical flaw, with a CVSS score of 10.0, allows attackers to read arbitrary files, potentially exfiltrating administrative credentials from controller backups. The analysis details practical attack paths, exploitation preconditions, and offers a safe detection tool available on GitHub. Affected versions require patching to 10.1.89, 10.2.97, or 9.0.118 or later. → bishopfox.com |
| 2026-06-08 2026 | Otto Support - Testing MCP Servers intermediate 3 min read | Tool for testing MCP servers; utilizes nmap for discovery, a Nuclei template to identify MCP endpoints, and MCP Inspector to enumerate services and exploit an authorization gap. This bypass allows an unprivileged user to delete other users' tickets by directly calling the `delete_ticket` JSON-RPC method, demonstrating that MCP servers share familiar security fundamentals with traditional web services. → bishopfox.com |
| 2026-06-08 2026 | Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis news 18 min read RCE | Library providing analysis of the UniFi OS Server RCE chain (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), which allows unauthenticated attackers to gain root privileges. It details the bypass of the authentication gateway, path traversal, and command injection vulnerabilities, and outlines remediation steps including patching to version 5.0.8 or later, rotating secrets, and rebuilding compromised systems. A detection tool is also available to identify vulnerable instances. → bishopfox.com |
| 2026-06-08 2026 | How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework intermediate 22 min read AI Secrets | Library that leverages the GitHub Security Lab Taskflow Agent for AI-powered vulnerability scanning. This framework, designed to find high-impact web security vulnerabilities like authorization bypasses and information disclosure, operates through taskflows written in YAML that guide LLM analysis. It breaks down auditing into stages, starting with threat modeling to define component boundaries and then suggesting potential vulnerabilities, followed by a rigorous triage step to minimize false positives and hallucinations. This approach has successfully identified over 80 vulnerabilities, with many disclosed, and is open-source for community contribution. A GitHub Copilot license is required for execution. → github.blog |
| 2026-06-08 2026 | Bypassing Administrator Protection by Abusing UI Access intermediate 18 min read Bug Bounty | Writeup detailing bypasses of Windows Administrator Protection by abusing UI Access. This vulnerability stems from the UAC UIPI bypass mechanism, allowing processes with the UI Access flag to interact with higher integrity windows. The research uncovered multiple bypasses by exploiting this feature, particularly when a UI Access process is created with a High integrity level. This enables limited users to potentially compromise administrator processes by sending messages or, if at the same integrity level, using window hooks for DLL injection. → projectzero.google |
| 2026-06-08 2026 | A Deep Dive into the GetProcessHandleFromHwnd API advanced 14 min read Bug Bounty | Reference detailing the `GetProcessHandleFromHwnd` API's evolution, tracing its implementation from a user-mode function in `oleacc.dll` utilizing Windows hooks in Vista to a kernel-mode function `NtUserGetProcessHandle` in `win32kfull.sys` in Windows 10. The analysis highlights discrepancies between documentation and actual behavior, including UAC bypass possibilities and integrity level checks enforced by the kernel function. → projectzero.google |
| 2026-06-08 2026 | The sorry state of skill distribution news 9 min read AI | Analysis of skill scanners reveals critical vulnerabilities in agentic system security. Testing bypassed defenses in ClawHub, Cisco's agent skill scanner, and skills.sh integrations, employing techniques like file truncation and .pyc bytecode poisoning. These bypasses highlight static analysis limitations against adversaries who can repeatedly tweak attacks, demonstrating that current scanners struggle to detect malicious skills embedded in archives or disguised as bytecode, echoing supply-chain attack patterns seen in incidents like the xz-utils backdoor. → blog.trailofbits.com |
| 2026-06-08 2026 | WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine intermediate 7 min read API Sec | Library for fuzzing WebSocket messages with custom Python code, WebSocket Turbo Intruder extends the Burp Suite engine to exploit protocol-specific vulnerabilities. It includes a fast attack engine for high-volume testing against single targets, and features HTTP middleware for automating scans with tools like Burp Suite Pro. The library supports custom Python scripts with decorators like `@MatchRegex`, `@Pong`, and `@PingPong`, and offers a THREADED engine for race condition testing by opening multiple simultaneous connections. It also includes workarounds for Socket.IO testing, including handling the `EIO` parameter and detecting server-side prototype pollution. → portswigger.net |
| 2026-05-11 2026 | Devastating 'Dirty Frag' exploit leaks out gives immediate root access on most Linux machines since 2017 no patches available no warning given Copy Fail-like vulnerability had its embargo broken news 7 min read | Tool that provides immediate root access on most Linux machines since 2017 due to the Dirty Frag vulnerability. This local privilege escalation exploit leverages a zero-copy operation in IPSec-related modules, specifically affecting "xfrm-ESP Page Cache Write" and "RxRPC Page-Cache Write." Distributions like Ubuntu, Arch, RHEL, and Fedora are impacted. Mitigation involves disabling esp4, esp6, and rxrpc kernel modules. The exploit code is available via a GitHub repository for testing. |
| 2026-05-06 2026 | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access news 2 min read API Sec | Library of techniques to bypass API authorization, exemplified by the zero-authorization flaw in Schemata’s API that exposed DoD contractor data. This vulnerability, discovered by the Strix AI agent, allowed unprivileged users to access cross-tenant data, including service member records and sensitive military training materials, by failing to enforce organizational scoping and tenant isolation on its API. → cybersecuritynews.com |
| 2026-05-04 2026 | Critical MOVEit Automation auth bypass vulnerability fixed (CVE-2026-4670) news 2 min read | Writeup of CVE-2026-4670, a critical authentication bypass in Progress Software's MOVEit Automation, enabling unauthorized administrative control and data exposure. This vulnerability, along with a privilege escalation flaw (CVE-2026-5174), affects specific older versions and can be exploited via low-complexity attacks by unauthenticated or authenticated attackers, respectively. Upgrading to patched versions 2025.1.5, 2025.0.9, or 2024.1.8 is strongly advised to remediate these issues. → helpnetsecurity.com |
| 2026-05-02 2026 | CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments news 6 min read | Analysis of CVE-2026-31431, nicknamed "Copy Fail," details a high-severity Linux kernel vulnerability affecting Red Hat, Ubuntu, SUSE, and AWS Linux. This logic flaw in the AF_ALG module allows local unprivileged users to gain root privileges by corrupting the kernel page cache, impacting cloud workloads and Kubernetes clusters. The exploit, a small script leveraging the splice() system call and AF_ALG, enables container breakout and lateral movement, posing a significant risk to multi-tenant environments. Microsoft Defender provides detection insights, mitigation recommendations, and hunting guidance. → microsoft.com |
| 2026-04-30 2026 | Escape AI Pentesting Agents 2.0 news 12 min read | Library for agentic pentesting, offering a multi-agent architecture with a coordinator agent orchestrating specialized agents for tasks like reconnaissance, XSS detection (including reflected, stored, DOM-based, CSP bypasses, and framework-specific attacks), and application crawling. This system chains multiple techniques, adapts strategies in real-time, and produces evidence-rich findings with executable proof and reasoning traces, designed to improve upon traditional DAST scanner limitations and provide programmable security gates for CI/CD pipelines. → securityboulevard.com |
| 2026-04-22 2026 | Rights Management Approaches: ACL, RBAC, ABAC, ReBAC beginner 3 min read | Guide on access control models, including ACL, RBAC, ABAC, and ReBAC, for defining architectural security requirements. It covers practical guidance, trade-offs like UX friction and latency, and discusses Google's Zanzibar system as a canonical source for ReBAC. The guide offers phased roadmaps for implementation, focusing on inventory, RBAC baselines, context rules, and continuous verification, while highlighting common antipatterns and metrics for operational control. |
| 2026-04-22 2026 | OPA, Cedar, OpenFGA: Why Are Policy Languages Trending Right Now? news 9 min read | Library for understanding policy languages like OPA (Rego), Cedar, and OpenFGA, which are trending for Identity and Access Management (IAM) due to increasing authorization complexity. These declarative languages offer readable, performant, and auditable ways to manage fine-grained access controls across microservices, databases, and evolving user requirements, including AI agents. The article discusses authorization challenges, layered architectural principles for decision-making, and the benefits of policy-as-code. |
| 2026-04-22 2026 | OPA vs OpenFGA: A Technical Comparison of Policy Engines intermediate 11 min read | Reference comparing Open Policy Agent (OPA) and OpenFGA, two distinct policy engines. OPA, a CNCF project, uses Rego for centralized, rule-based access control, excelling in complex attribute-based decisions and infrastructure authorization like Kubernetes admission control. OpenFGA, based on Google's Zanzibar model, employs a tuple-based relationship approach for fine-grained, object-level permissions and hierarchical access, suitable for collaborative features and social network-style sharing. The comparison details their core concepts, architectural differences, and use case scenarios. |
| 2026-04-22 2026 | Implementing Google Zanzibar: A Demonstration of Its Basics intermediate 13 min read | Library demonstrating Google Zanzibar fundamentals, focusing on its Relationship-Based Access Control (ReBAC) model. The entry explores Zanzibar's data model, relationship tuples with examples like `file123#owner@alice`, and provides a PostgreSQL implementation for storing these tuples, illustrating concepts such as ownership and membership. |
| 2026-04-22 2026 | How to Protect Your API with OpenFGA: ReBAC Concepts to Practical Usage intermediate 13 min read | Library introducing Relation-Based Access Control (ReBAC) via OpenFGA, an open-source implementation of Google's Zanzibar concepts. It details ReBAC principles, contextual conditions, and attribute-based access, offering practical examples for protecting APIs and managing complex authorization logic. The library covers ReBAC concepts, OpenFGA's features like time-based and status-driven permissions, and contrasts its approach with traditional methods such as RBAC and ABAC, highlighting benefits in maintainability and scalability. |
| 2026-04-22 2026 | How Google Drive Models Authorization: A Look into Zanzibar intermediate 7 min read | Library implementing Google's Zanzibar authorization system, which utilizes relationship-based access control (ReBAC) to manage permissions for services like Google Drive. Zanzibar centers on user-resource relationships rather than roles, enabling complex, nested access models with high availability and low latency through its globally distributed database and consistency protocol, which employs timestamps and "zookies" to ensure accurate permission checks in distributed environments. |
| 2026-04-22 2026 | Common Bug Bounty Vulnerabilities: A Technical Deep Dive for Hunters in 2026 intermediate 7 min read | Reference outlining common bug bounty vulnerabilities, detailing techniques and tools such as local LLM integration with Ollama for response analysis, Burp Suite extensions like Authz and Turbo Intruder for IDOR testing, Interactsh for SSRF callbacks, sqlmap for SQL injection, InQL for GraphQL fuzzing, and Burp's DOM Invader for XSS, alongside methods for exploiting business logic flaws. |
| 2026-04-22 2026 | CVE-2026-32877 - Red Hat Security Advisory news | CVE-2026-32877 - Red Hat Security Advisory |
| 2026-04-22 2026 | CVE 2026: When Identity Breaks and Legacy Code Bites Back news 5 min read | Analysis of CVE-2026-24858, a critical Fortinet SSO logic flaw, and CVE-2026-24061, an argument injection in GNU InetUtils' telnetd, highlighting early 2026's vulnerability landscape dominated by legacy code exploits and advanced Agentic AI threats. The analysis details the mechanics and exploit logic for both, emphasizing the reduced exploitation windows and the need for continuous, AI-driven validation to combat automated exploitation. → penligent.ai |
| 2026-04-22 2026 | What is Google Zanzibar? beginner 8 min read | Library detailing Google Zanzibar, a consistent, global authorization system that implements relationship-based access control (ReBAC). It explains namespaces, relation tuples with the format `<object>#<relation>@<user>`, schema configuration, and the 'zookie' for user-specified consistency. The system leverages Google's Spanner database and employs layered caches and request hedging for scalability and performance, offering core API methods for read, write, watch, check, and expand operations. |
| 2026-04-19 2026 | Broken Access Control: The Quiet Killer in Web Applications beginner | Broken Access Control: The Quiet Killer in Web Applications → infosecwriteups.com |
| 2026-04-19 2026 | Broken Access Control: The Silent Web Vulnerability beginner | Broken Access Control: The Silent Web Vulnerability |
| 2026-04-19 2026 | Broken Access Control: The 40% Surge in 2025 news 10 min read | Library for identifying and preventing broken access control vulnerabilities, a pervasive and critical application security risk that surged in 2025. This library addresses common weaknesses like vertical and horizontal privilege escalation, Insecure Direct Object References (IDOR), forced browsing, and missing function-level access control, which attackers exploit to gain unauthorized data access. It is designed to mitigate the impact of these flaws, which are exacerbated by rapid development cycles, complex architectures, and the introduction of vulnerabilities from AI-generated code. |
| 2026-04-19 2026 | OWASP Top 10 2025 — A01 Broken Access Control beginner 3 min read | Reference detailing OWASP Top 10 2025 A01: Broken Access Control, the most prevalent vulnerability. It highlights common weaknesses like insecure direct object references, privilege escalation, JWT manipulation, CORS misconfigurations, and force browsing. Prevention strategies emphasize server-side enforcement, deny-by-default principles, robust access control mechanisms, and proper session management with short-lived JWTs or refresh tokens. The document also mentions related CWEs such as CWE-200, CWE-201, CWE-918 (SSRF), and CWE-352 (CSRF), and provides example attack scenarios. → owasp.org |
| 2026-04-16 2026 | Enhancing OAuth 2.0 Security with PKCE: Deep Dive advanced 4 min read | Walkthrough of OAuth 2.0 integration with PKCE, detailing how Omnissa Intelligence uses the Proof Key for Code Exchange extension to prevent authorization code interception attacks when connecting with External Partner services. The process involves `code_verifier`, `code_challenge`, and `code_challenge_method=S256` to securely exchange authorization codes for access tokens, safeguarding against session hijacking and man-in-the-middle attacks. |
| 2026-04-16 2026 | Attacks via OAuth Authorization Code Injection intermediate AuthN | Attacks via OAuth Authorization Code Injection |
| 2026-04-16 2026 | Security Benchmarking Authorization Policy Engines: Rego, Cedar, OpenFGA advanced 9 min read | Framework for dynamically evaluating authorization policy engines, including Rego, Cedar, OpenFGA, and Teleport ACD. This system automates security benchmarking and robustness testing by executing predefined test cases in isolated Docker containers for each engine, comparing actual results against expected outcomes to identify potential threats and vulnerabilities. |
| 2026-04-16 2026 | Privilege Escalation by JWT Token Manipulation intermediate | Privilege Escalation by JWT Token Manipulation |
| 2026-04-16 2026 | JWTs Under the Microscope: Exploiting Auth Weaknesses - Traceable intermediate 7 min read | Library for identifying and exploiting JWT authentication weaknesses. It details vulnerabilities like Improper JWT Signature Validation, JWT Algorithm Confusion, JWT Weak Secret, and attacks leveraging KID fields (SQL Injection, SSRF, Path Traversal), JKU/X5U misuse, X5T collisions, and payload manipulation leading to Broken Object Level Authorization (BOLA) and Broken Functional Level Authorization (BFLA), as well as JWT Expired Token issues. |
| 2026-04-16 2026 | Privilege Escalation via IDOR and ACL Bypass in SaaS intermediate | Privilege Escalation via IDOR and ACL Bypass in SaaS |
| 2026-04-16 2026 | Organization Takeover via Privilege Escalation (IDOR) intermediate | Organization Takeover via Privilege Escalation (IDOR) |
| 2026-04-16 2026 | Horizontal Privilege Escalation via IDOR intermediate | Horizontal Privilege Escalation via IDOR |
| 2026-04-16 2026 | Fine-Grained Authorization: Technical Guide for Microservices intermediate 6 min read | Guide to fine-grained authorization for microservices, moving beyond traditional RBAC to Relationship-Based Access Control (ReBAC). It details the limitations of RBAC in dynamic environments and advocates for centralized policy engines like Open Policy Agent (OPA) and Zanzibar-inspired systems (e.g., OpenFGA). The guide provides a practical roadmap for implementation, focusing on auditing relationships, centralizing the source of truth, and iteratively decoupling authorization logic from individual services. |
| 2026-04-16 2026 | RBAC vs ABAC vs ReBAC: How to Choose Access Control Models beginner 12 min read | Library comparing Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC). It details how RBAC, while simple, suffers from "Role Explosion" due to complexity in systems like AWS IAM and Kubernetes. ABAC is presented as a solution, using attributes and dynamic evaluation instead of static roles, exemplified by OPA and AWS IAM's Condition blocks. ReBAC principles are also touched upon, particularly in the context of Azure's resource hierarchy inheritance. |
| 2026-04-15 2026 | Privilege Elevation Dominates Massive Microsoft Patch Update news 4 min read | Library of patches addressing Microsoft's April 2026 update, which included 165 CVEs, with a significant portion being elevation-of-privilege bugs. Key vulnerabilities detailed include CVE-2026-32201 (a SharePoint Server spoofing zero-day actively exploited), CVE-2026-33825 (a Defender privilege escalation zero-day), CVE-2026-33824 (a critical RCE in Windows IKE Service Extensions), and CVE-2026-33827 (a rare unauthenticated RCE in Windows secure tunneling). The update also featured numerous fixes for Microsoft Edge and Chromium. → darkreading.com |
| 2026-04-14 2026 | Critical etcd Auth Bypass Flaw Lets Attackers Access Sensitive Cluster APIs Without Authorization news 2 min read | Library for etcd, the distributed key-value store powering Kubernetes, addresses CVE-2026-33413, an 8.8 CVSS critical authentication bypass. Discovered by the AI security agent Strix, this flaw allows unauthorized users to invoke sensitive cluster management APIs like Maintenance.Alarm, KV.Compact, and Lease.LeaseGrant without valid credentials, potentially leading to data loss, denial of service, or system compromise. The vulnerability was fixed in etcd's March 2026 security update. → cyberpress.org |
| 2026-04-11 2026 | RBAC vs ABAC vs PBAC - Styra beginner 5 min read | Library comparing Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). It details RBAC's traditional role-centric limitations, ABAC's attribute-driven flexibility, and PBAC's policy-as-code approach. The resource highlights how Styra DAS leverages PBAC and OPA for unified authorization, bridging policy formulation and implementation challenges. |
| 2026-04-11 2026 | Policy as Code: Fine-Grained Authorization intermediate 10 min read | Library detailing Policy as Code for fine-grained authorization, featuring discussions on Rego for Open Policy Agent (OPA), AWS Cedar, and OpenFGA. The resource highlights the practice of defining policies with code for dynamic and adaptable management, distinguishing between validation and authorization, and emphasizing how policy languages abstract API complexities for easier rule definition and enforcement. Experts Jimmy Ray and Omer Zuarets share insights on applying policy as code in cloud-native security and simplifying policy implementation through tooling. |
| 2026-04-11 2026 | Policy Engine Showdown: OPA vs OpenFGA vs Cedar intermediate 17 min read | Reference to a panel discussion comparing application policy engines OPA, OpenFGA, and Cedar. The session, "Policy Engines Showdown," featured engineers discussing the strengths, trade-offs, and practical considerations of each engine, including OpenFGA's ReBAC model, Cedar's policy-driven approach, and OPA's multipurpose flexibility. The goal was to help developers select the best decision engine for their specific use cases, highlighting that suitability depends on implementation needs rather than a single "winner." The discussion also touched upon tools like OPAL for policy synchronization. |
| 2026-04-11 2026 | ReBAC Authorization Academy - Oso beginner 19 min read | Library exploring Relationship-Based Access Control (ReBAC) for application security, using the GitClub example to illustrate how permissions can be organized based on relationships between resources like users, repositories, and issues. It contrasts ReBAC with Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), highlighting how ReBAC can elegantly handle data ownership scenarios where users need specific permissions on resources they created or are directly associated with. The library guides developers to leverage existing data structures to define these relationships, providing a natural and intuitive authorization model that complements traditional RBAC. |
| 2026-04-11 2026 | RBAC vs ABAC vs PBAC - Oso beginner 12 min read | Library for implementing consistent, maintainable authorization across distributed systems. It details Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC), showcasing how Oso's Polar language enables declarative definition and enforcement of RBAC and ABAC through PBAC. This approach centralizes authorization logic into a single policy engine, ensuring uniform decisions based on user roles, attributes, and contextual data, enhancing auditability and simplifying evolution of access control policies across microservices. |
| 2026-04-11 2026 | RBAC vs ABAC vs ReBAC - Oso beginner 6 min read | Reference detailing RBAC, ABAC, and ReBAC access control paradigms, comparing their strengths and limitations for applications. It highlights RBAC's role-based assignments, ABAC's attribute-driven policies, and ReBAC's relationship-based permissions. The document explains how these models can be combined for fine-grained authorization and suggests Oso as a tool to simplify implementation. |
| 2026-04-11 2026 | Fine Grained Authorization using SpiceDB for RAG intermediate 5 min read | Library implementing fine-grained authorization for RAG using SpiceDB. This resource details how to integrate SpiceDB with Pinecone, Langchain, and OpenAI to enforce relationship-based access control (ReBAC) on document retrieval for AI applications. It covers schema definition, relationship writes, and querying authorized resources to pre-filter vector database searches, enhancing both security and efficiency in enterprise AI. |
| 2026-04-11 2026 | Relationship-Based Permissions in SpiceDB intermediate 6 min read | Library for managing application permissions using Relationship-Based Access Control (ReBAC). SpiceDB, inspired by Google's Zanzibar, stores relationships between subjects and resources to efficiently answer permission queries. It supports robust write patterns, including two-phase commits with relational databases and streaming commits via systems like Kafka, ensuring data consistency. Alternatively, relationships can be stored solely within SpiceDB, simplifying application logic and enabling schema-driven permission computation. Asynchronous updates are also an option for applications tolerating less strict consistency. |
| 2026-04-11 2026 | Introduction to Google Zanzibar beginner 21 min read | Reference on Google Zanzibar, an authorization system developed to manage permissions across Google's vast product suite, detailing its relationship-based access control (ReBAC) model. It explains how Zanzibar overcomes the limitations of application-specific authorization, addresses the "new enemy problem" through external consistency guarantees, and scales to handle billions of users and trillions of objects with low latency. The resource also highlights how open-source tools like SpiceDB can be used to implement similar systems, drawing parallels to Google's internal infrastructure and the significance of the 2019 Zanzibar research paper. |
| 2026-04-11 2026 | OpenFGA: Open-Source Engine for Access Control beginner 2 min read | Library for relationship-based access control, OpenFGA is an open-source, high-performance engine inspired by Google’s Zanzibar system. It allows developers to define and enforce fine-grained permissions with support for multiple storage backends, including PostgreSQL and MySQL, and offers APIs and SDKs in Java, Node.js, Go, Python, and .NET. OpenFGA integrates relationship-based, role-based, and attribute-based access control models, and includes a CLI, playground, and Terraform provider for easier management and testing. Notable adopters include Auth0 and Grafana Labs. → helpnetsecurity.com |
| 2026-04-11 2026 | Announcing OpenFGA news 7 min read | Library for fine-grained authorization, OpenFGA, is an open-source engine inspired by Google's Zanzibar. It allows developers to model complex access control rules, integrate them consistently across applications, and manage permissions efficiently at scale. OpenFGA features an expressive modeling language, HTTP APIs for checking and writing permissions, and supports various integrations with identity providers and proxies, addressing security, compliance, and privacy needs for modern collaborative and social applications, effectively tackling OWASP's top risk: broken access control. |
| 2026-04-11 2026 | Authorization Concepts - OpenFGA beginner 2 min read | Reference detailing OpenFGA's approach to authorization, explaining Fine-Grained Authorization (FGA) and contrasting Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), and Relationship-Based Access Control (ReBAC). It highlights ReBAC as a superset of RBAC and a solution for ABAC scenarios, noting OpenFGA extends ReBAC with Conditions and Contextual Tuples, drawing parallels to Google's Zanzibar system. |
| 2026-04-11 2026 | Cedar Policy Language Complete Guide intermediate 2 min read | Library for fine-grained authorization, Cedar is an open-source policy language built in Rust that decouples access control from application logic. It supports RBAC, ABAC, ReBAC, and *BAC models, and is designed for simplicity, expressiveness, and performance, allowing for modular and reusable authorization policies. Cedar's evaluation logic prioritizes `forbid` statements, ensuring requests are denied if any matching `forbid` policy exists. |
| 2026-04-11 2026 | Amazon Verified Permissions - Cedar intermediate 4 min read | Library for externalizing authorization and centralizing policy management, Amazon Verified Permissions leverages the Cedar policy language to enable developers to build secure applications and align with Zero Trust principles. It accelerates development by decoupling authorization from business logic, streamlining security with intuitive, policy-based access controls that support common frameworks. This service helps protect resources, manage user access according to the principle of least privilege, and facilitates granular authorization decisions. Users include TELUS for smart home device permissions, Grosvenor Engineering Group for building asset access, and STEDI for protecting healthcare transaction endpoints. → aws.amazon.com |
| 2026-04-11 2026 | Cedar Policy Language Reference intermediate 5 min read | Reference for Version 4.5 of the Cedar policy language, used for writing authorization policies and making decisions. Cedar decouples business logic from authorization, allowing applications to query an engine for "allow" or "deny" decisions based on policies, entities, context, and a schema. This separation simplifies updates and testing, as security teams can modify policies without touching application code. Cedar supports attributes, logical operators, and dynamic evaluation for fine-grained control, role-based access control (RBAC), and attribute-based access control (ABAC), with features like fast, scalable, and bounded-latency evaluation. |
| 2026-04-11 2026 | Basic ABAC with OPA and Rego - AWS intermediate 3 min read | Library demonstrating basic Attribute-Based Access Control (ABAC) with OPA and Rego. It provides example Rego code snippets for a fictional Payroll microservice, illustrating how to enforce policies such as "Employees can read their own salary" and "Employees can read the salary of anyone who reports to them," utilizing external data for manager-report relationships. |
| 2026-04-11 2026 | OPA Rego Language Tutorial beginner 11 min read | Tutorial on Rego, the declarative policy language for Open Policy Agent (OPA), detailing its fundamental constructs and mechanisms. Learn how Rego's logic-based syntax enables codifying rules for authorization, configuration validation, and data filtering, particularly within Kubernetes and Envoy. The tutorial covers writing Rego policies, including decisions, variable assignments, and using the "some" keyword for iterating over data structures, along with best practices for effective policy authoring. |
| 2026-04-11 2026 | What is Open Policy Agent (OPA)? beginner 6 min read | Library for managing cloud-native policies, Open Policy Agent (OPA) offers a unified, context-aware approach by decoupling policy enforcement from application code. It uses the Rego policy language for expressive, declarative rules, enabling security and compliance through policy-as-code, consistency across Kubernetes, microservices, and CI/CD pipelines, and efficient updates via a centralized policy library. → wiz.io |
| 2026-04-11 2026 | OPA: Best Practices for Secure Deployment - CNCF intermediate 11 min read | Library for secure Open Policy Agent (OPA) deployment, focusing on preventing vulnerabilities like remote calls and Windows UNC path exploits by emphasizing separation of policy code from application code, decoupling schema and data through external sources, and structured data management. It highlights best practices derived from large-scale OPA usage, including techniques for restricting sensitive built-ins and leveraging tools like OPAL for synchronized policy and data updates. |
| 2026-04-11 2026 | Kubernetes RBAC Best Practices beginner 10 min read | Reference detailing Kubernetes RBAC best practices, emphasizing the importance of the principle of least privilege (PoLP) and regular permission reviews. It highlights the risks of misconfigured RBAC, citing the "RBAC Buster" attack, and recommends tools like Open Policy Agent (OPA) for automating policies and Wiz for auditing. The entry also covers using namespaces for scope limitation, auditing RBAC events, securing sensitive operations, and integrating with external identity providers. → wiz.io |
| 2026-04-11 2026 | Kubernetes RBAC Good Practices beginner 6 min read | Reference on Kubernetes RBAC best practices, detailing how to minimize privilege escalation risks by assigning least privilege to users and service accounts. It highlights dangerous permissions such as `cluster-admin`, `system:masters`, `nodes/proxy`, `escalate`, `impersonate`, and direct access to the CSR API and service account tokens. The document also advises against granting broad permissions to create workloads, PersistentVolumes, or modify namespaces, emphasizing the importance of reviewing default access and periodic audits. |
| 2026-04-11 2026 | NIST SP 800-162: Guide to ABAC beginner | NIST SP 800-162: Guide to ABAC |
| 2026-04-11 2026 | Authorization Testing Automation Cheat Sheet - OWASP intermediate 10 min read | Cheat sheet offering a methodology for automating authorization tests by formalizing an authorization matrix in XML. This approach enables the creation of integration tests that validate access controls for REST services across different logical roles like ANONYMOUS, BASIC, and ADMIN. The process involves defining roles, services with their associated permissions, and test payloads to ensure new feature additions or modifications do not conflict with existing authorization definitions. → cheatsheetseries.owasp.org |
| 2026-04-11 2026 | Access Control Cheat Sheet - OWASP intermediate | Access Control Cheat Sheet - OWASP → cheatsheetseries.owasp.org |
| 2026-04-11 2026 | Authorization Cheat Sheet - OWASP intermediate 18 min read | Cheatsheet providing guidance for robust authorization logic, addressing concerns like Broken Access Control, a top OWASP 2021 vulnerability. It details implementing "Least Privileges" by granting only necessary permissions and adopting a "Deny by Default" approach for all requests, emphasizing the need for validation on every interaction to prevent unauthorized access to resources, which can impact confidentiality, integrity, and availability. → cheatsheetseries.owasp.org |
| 2026-04-10 2026 | BLA9:2025 Broken Access Control - OWASP beginner 2 min read | Reference detailing BLA9:2025 Broken Access Control, a critical OWASP Top 10 vulnerability. It explains how missing role checks, flawed logic trusting client-supplied parameters, overly broad permissions, and identifier tampering (BOLA) enable attackers to perform unauthorized operations. Examples include Gitlab branch deletion vulnerabilities and privilege escalation in hay-kot mealie v2.2.0, mapping to CWEs like CWE-863 and CWE-862, and referencing CVEs such as CVE-2021-39931 and CVE-2023-3290. → owasp.org |
| 2026-04-10 2026 | Broken Access Control: 40% Surge in 2025 news | Broken Access Control: 40% Surge in 2025 |
| 2026-04-10 2026 | Defending Against Broken Access Control beginner 10 min read | Library for defending against Broken Access Control (BAC), the #1 threat (A01:2021) in the OWASP Top 10. This vulnerability occurs when applications fail to enforce authorization, allowing unauthorized users to access data or functions. Learn about common attack techniques like Horizontal and Vertical Privilege Escalation, Parameter Tampering, IDOR, Data Exposure, API Abuse, and BOLA. The resource highlights real-world examples such as the Optus data breach and the Kia vehicle control vulnerability, emphasizing the critical need for robust server-side authorization. |
| 2026-04-10 2026 | Why Broken Access Control Dominates OWASP Top 10 in 2026 beginner 7 min read | Library for building secure applications, focusing on mitigating Broken Access Control (BAC) and Broken Object Level Authorization (BOLA). It highlights how traditional SAST and DAST tools struggle with these logic flaws, contrasting them with technical vulnerabilities like SQL Injection. The library advocates for centralized authorization logic using the Policy Decision Point (PDP) and Policy Enforcement Point (PEP) pattern, and promotes Policy as Code (PaC) with tools like Auth0 FGA, OpenFGA, and OPA to manage authorization policies externally from application code. |
| 2026-04-10 2026 | Broken Access Control: How to Detect and Prevent beginner 7 min read | Library of techniques for detecting and preventing broken access control vulnerabilities, the most impactful risk category in the OWASP Top 10. This resource details exploitation methods like vertical and horizontal privilege escalation, insecure direct object references (IDOR), and bypasses via predictable identifiers, parameter tampering, and path variations, offering best practices to mitigate these widespread security weaknesses. → invicti.com |
| 2026-04-10 2026 | OWASP A01: Broken Access Control Risks and Prevention beginner 16 min read | Library detailing OWASP A01: Broken Access Control risks and prevention. This resource clarifies the distinction between authentication and authorization, highlights the importance of the principle of least privilege (PoLP) and Role-Based Access Control (RBAC), and provides a Python Flask code snippet demonstrating secure RBAC implementation. It further explains how vulnerabilities manifest through techniques like URL manipulation and parameter tampering, and identifies common failure scenarios such as Insecure Direct Object References (IDOR) and missing function-level access control. |
| 2026-04-10 2026 | OWASP-TOP-10 A01:2025 Broken Access Control beginner 2 min read | Library detailing Broken Access Control, a critical OWASP Top 10 risk where applications fail to enforce user restrictions. This resource highlights how attackers can exploit missing or client-side enforced authorization checks, using tools like Burp Suite to directly access backend administrative endpoints. It demonstrates the vulnerability through a case study of an application trusting client-side role validation, leading to unauthorized data access, privilege escalation, and account compromise, and emphasizes implementing server-side authorization and the principle of least privilege for mitigation. |
| 2026-04-10 2026 | OpenClaw: Authorization Bypass and Privilege Escalation intermediate 7 min read | Library detailing authorization bypass and privilege escalation vulnerabilities within multi-user OpenClaw deployments, specifically addressing session context bleed. This failure mode allows standard users to execute actions with administrative privileges by exploiting weaknesses in how user identity is bound to requests, especially under asynchronous conditions. The article explains how this can lead to persistence through unauthorized job creation, impacting systems that rely on session context for RBAC, and references CWE-287 and CWE-284. → penligent.ai |
| 2026-04-10 2026 | CVE-2025-67274: Broken Access Control in aangine news IDOR | CVE-2025-67274: Broken Access Control in aangine |
| 2026-04-10 2026 | CVE-2026-33312: BOLA in Vikunja news 4 min read IDOR | Writeup detailing CVE-2026-33312, a Broken Object Level Authorization (BOLA) vulnerability in Vikunja versions 0.20.2 through 2.1.x. This Incorrect Authorization flaw allows read-only users to permanently delete project background images by exploiting an authorization check designed only for read permissions within the `RemoveProjectBackground` function. The vulnerability, categorized under CWE-863, is fixed in version 2.2.0. |
| 2026-04-10 2026 | BOLA Vulnerability - Vulnsy beginner 5 min read | Writeup on Broken Object Level Authorization (BOLA), the top OWASP API Security Top 10 risk, detailing how attackers exploit API endpoints that expose object identifiers without proper authorization checks. It covers BOLA's impact on unauthorized data access and modification, simple exploitation methods, and advanced techniques like using predictable IDs or GraphQL introspection. Remediation steps include implementing centralized authorization, using UUIDs, and robust testing with tools like Burp Suite and OWASP ZAP. |
| 2026-04-10 2026 | BOLA: API Attack & Prevention - StackHawk intermediate 13 min read API Sec | Library detailing Broken Object Level Authorization (BOLA), the OWASP API Security Top 10's persistent #1 risk. BOLA vulnerabilities, also known as Insecure Direct Object Reference (IDOR), occur when APIs fail to verify user permissions for specific data objects, allowing attackers to access or modify sensitive information like financial or medical records by altering predictable identifiers in API requests. The article explains BOLA's root causes, including over-reliance on object identifiers, lack of ownership verification, and insufficient authorization focus, alongside practical examples and prevention strategies. |
| 2026-04-10 2026 | What is BOLA - Imperva beginner 6 min read | Guide to Broken Object Level Authorization (BOLA), a top OWASP API security risk. BOLA occurs when applications fail to verify user authorization for specific data objects, allowing access to sensitive information or unauthorized actions. The guide details how attackers identify vulnerabilities by manipulating object references, such as sequential IDs in URLs or GraphQL mutations, leading to data breaches and compliance failures under regulations like GDPR and HIPAA. Prevention strategies include applying proper access controls, mapping users to accessible objects, implementing robust authentication, using non-guessable IDs, and leveraging API gateways. → imperva.com |
| 2026-04-06 2026 | 2026 SANS Identity Threats Report: Why Attacks Still Work news 5 min read | Report summarizing the 2026 SANS Identity Threats & Defenses Survey, revealing that while identity security solutions are widely deployed, identity-related breaches persist due to a mismatch between defenses and attack methods. The survey highlights challenges in containment post-detection and the increasing reliance on legitimate credentials obtained via compromised browsers, MFA fatigue, and token-based access, emphasizing that credential exposure upstream of authentication is the root cause of ongoing attacks, not authentication failures themselves. |
| 2026-04-06 2026 | Exposing Security Blind Spots in GCP Vertex AI advanced 11 min read | Writeup on double agents in GCP Vertex AI, detailing how a misconfigured Per-Project, Per-Product Service Agent (P4SA) with excessive default permissions can be exploited. This research demonstrates obtaining privileged access to consumer project data and restricted Google-owned Artifact Registry repositories, including proprietary container images for the Vertex AI Reasoning Engine, by compromising a single service agent and exfiltrating its credentials. → unit42.paloaltonetworks.com |
| 2026-04-06 2026 | Critical Access Control Risks in Simple Membership CVE-2026-34886 news 10 min read | Advisory detailing CVE-2026-34886, a critical broken access control vulnerability in WordPress Simple Membership plugin versions 4.7.1 and earlier. This flaw allows unauthenticated users to execute privileged actions, potentially leading to unauthorized access, data manipulation, or site compromise. Immediate remediation involves updating to version 4.7.2 or higher, with temporary workarounds including plugin disabling, server-level blocking of PHP execution, or WAF virtual patching. Developer recommendations focus on implementing robust capability checking, nonce verification, and REST API permission callbacks. |
| 2026-04-06 2026 | Security Update: Vulnerability Disclosures and Ongoing Hardening - LiteLLM news 2 min read | Library updates address critical and high-severity vulnerabilities in LiteLLM, including authentication bypass via OIDC cache collision (CVE-2026-35030), privilege escalation through /config/update (CVE-2026-35029), and password hash exposure with pass-the-hash login (GHSA-69x8-hrgq-fjj8). These fixes, along with an ongoing audit by Veria Labs and a new bug bounty program, enhance the security posture of the proxy. |
| 2026-04-03 2026 | Broken Authentication and IDOR – A Big but Solvable Problem | Inspectiv beginner 5 min read | Reference detailing common application security vulnerabilities, specifically Broken Authentication and Insecure Direct Object Reference (IDOR). It highlights attack vectors like credential stuffing, brute force, and session hijacking, alongside IDOR exploits through predictable identifiers. Mitigation strategies discussed include Multi-Factor Authentication (MFA), server-side validation, least privilege access controls, and using non-sequential identifiers. The resource emphasizes the importance of continuous external validation through bug bounty programs and dynamic application security testing to detect these prevalent threats. |
| 2026-04-03 2026 | Exploiting Broken Access Control Vulnerability for Bounty intermediate | Exploiting Broken Access Control Vulnerability for Bounty |
| 2026-04-03 2026 | Broken Access Control Testing Software for Web Apps | Penti AI intermediate 1 min read | Tool for autonomous broken access control vulnerability testing; Penti's AI agents discover, reproduce, and prioritize exploitation paths like insecure direct object references and weak tenancy boundaries, then human experts verify impact. The platform offers clear evidence and developer-ready remediation for authorization checks, object scoping, and tenancy isolation, integrating into the SDLC to test for horizontal and vertical privilege escalation. |
| 2026-04-03 2026 | WSTG Methodology: Web Penetration Testing | Haxoris beginner 4 min read | Guide detailing the OWASP Web Security Testing Guide (WSTG) methodology for comprehensive web application penetration testing. It covers information gathering, configuration, authentication, session management, authorization, input validation (including XSS and SQL Injection), cryptography, and business logic flaws, aiming to uncover threats like IDOR and SSRF. The guide emphasizes a systematic approach, using tools like Burp Suite, and provides detailed reports with remediation steps and a free retest. |
| 2026-04-03 2026 | Insecure Direct Object Reference (IDOR) Attack Guide | Hackviser beginner 7 min read IDOR | Guide to Insecure Direct Object Reference (IDOR) vulnerabilities, detailing manual testing techniques across URL parameters, POST bodies, HTTP headers, cookies, and file access. It covers automated discovery using tools like Burp Suite and ffuf, scripting with Python, and various attack vectors including numeric, UUID, hash-based, parameter pollution, and mass assignment bypasses, as well as blind IDOR exploitation. |
| 2026-04-03 2026 | OWASP Top 10 #1: Broken Access Control and Security Tips beginner 9 min read | Guide analyzing OWASP Top 10 #1, Broken Access Control. It details common exploit scenarios, including Insecure Direct Object References (IDOR) and Mass Assignment vulnerabilities. The guide provides practical advice and fixes for strengthening access control, differentiating between vertical, horizontal, and contextual controls, and explaining how authentication and session management contribute to overall security. → vaadata.com |
| 2026-04-03 2026 | Primer on Broken Access Control Vulnerabilities and How to Find Them beginner 11 min read | Writeup on broken access control vulnerabilities, which have become the top OWASP Top 10 vulnerability. It details vertical and horizontal privilege escalation, including techniques like insecure direct object references (IDOR), lack of protection over sensitive functionality (e.g., direct URL access to admin pages), inadequate parameter-based access control (e.g., manipulating `admin=true` parameters), and misconfigured platform-level controls that can be bypassed with custom HTTP headers or alternative HTTP methods. |
| 2026-04-03 2026 | Horizontal and Vertical Privilege Escalation Explained | Blue Goat Cyber beginner 3 min read | Reference detailing medical device cybersecurity requirements, focusing on FDA submissions, SPDF development, SBOMs, and threat modeling. It emphasizes the importance of understanding device operation, real-world threats, and supply chain risks, referencing standards like ISO 14971, FDA Guidance, UL 2900, and AAMI TIR57 to ensure compliance and patient safety. |
| 2026-04-03 2026 | Broken Access Control - Vertical Privilege Escalation Writeup intermediate 8 min read | Writeup detailing the identification and exploitation of Broken Access Control vulnerabilities, specifically focusing on Vertical Privilege Escalation. It provides a walkthrough of PortSwigger labs, demonstrating techniques such as discovering admin URLs via robots.txt, source code analysis, manipulating cookie parameters to elevate privileges, and modifying request parameters like `roleid` using Burp Suite to gain administrative access and delete users. |
| 2026-04-03 2026 | Access Control Vulnerabilities and Privilege Escalation | PortSwigger beginner 9 min read | Reference detailing access control vulnerabilities and privilege escalation, explaining vertical and horizontal controls, context-dependent mechanisms, and common vulnerabilities such as unprotected functionality, parameter-based bypasses, and platform misconfigurations involving headers like `X-Original-URL` and `X-Rewrite-URL`. It also covers URL-matching discrepancies, including case insensitivity and the `useSuffixPatternMatch` option in Spring. → portswigger.net |
| 2026-04-03 2026 | Insecure Direct Object References (IDOR) | PortSwigger beginner 2 min read IDOR | Reference on Insecure Direct Object References (IDOR), an OWASP Top Ten vulnerability type where applications misuse user-supplied input to access objects directly. It details how attackers can exploit this, leading to horizontal or vertical privilege escalation by altering parameters to access other users' data, such as in database queries (e.g., `customer_account?customer_number=132355`) or static files (e.g., `/static/12144.txt`). → portswigger.net |
| 2026-04-03 2026 | IDOR - HackTricks beginner 6 min read | Reference detailing Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) vulnerabilities, which occur when applications expose user-controllable identifiers to access internal objects without proper authorization checks. The resource highlights exploitation techniques using parameters in paths, queries, JSON bodies, headers, and cookies, including examples with sequential IDs and common tools like `curl` and `ffuf`. It discusses real-world breaches such as the McHire applicant data exposure and the Carlsberg media leak, emphasizing that encoding does not inherently provide security and advocating for server-side object-level authorization and unpredictable identifiers like UUIDv4. → book.hacktricks.xyz |
| 2026-04-03 2026 | Testing for Privilege Escalation | OWASP WSTG intermediate 5 min read | Guide detailing privilege escalation testing within the OWASP Web Security Testing Guide. It covers techniques for identifying and exploiting vulnerabilities that allow users to gain unauthorized access to more resources or functionality. Specific methods include manipulation of user groups, profiles, condition values, and IP addresses, as well as bypassing authorization schemas by switching session identifiers. The guide also provides examples of how to test for vertical and horizontal privilege escalation. → owasp.org |
| 2026-04-03 2026 | Testing for Insecure Direct Object References | OWASP WSTG beginner 4 min read | Guide for testing Insecure Direct Object References (IDOR), a vulnerability where direct object access is granted based on user-supplied input. It details how attackers can bypass authorization by modifying parameters used to retrieve database records, perform operations, access file system resources, or invoke application functionality. The guide recommends mapping object reference points, assessing access controls, and using multiple test user accounts with different object ownership and privileges to identify and exploit IDOR flaws. → owasp.org |
| 2026-04-03 2026 | Top HackerOne Reports - Authorization Bypass intermediate 63 min read | Reports from HackerOne highlight prevalent authorization bypass vulnerabilities, including email confirmation flaws leading to privilege escalation in Shopify and Line Corporation, and request smuggling on `admin-official.line.me`. Several reports detail IDOR vulnerabilities affecting sensitive data access on platforms like TikTok and LinkedIn, and privilege escalation techniques on systems including GitLab and Ubiquiti Inc. Other critical findings involve OAuth grant bypasses, blind SSRF, and improper access control leading to account takeovers, data leaks, and administrative control for various vendors. |
| 2026-04-03 2026 | Broken Authentication: Advanced Exploitation Guide | Intigriti advanced 9 min read | Guide to exploiting broken authentication vulnerabilities, this resource covers identifying and exploiting common and advanced flaws. It details techniques like forced browsing, utilizing default credentials, and leveraging lack of rate limiting for brute-forcing. The guide also explains how input validation issues, such as SQL injection, can lead to authentication bypasses, providing examples for practical application. → intigriti.com |
| 2026-04-03 2026 | How To Find Broken Access Control Vulnerabilities in the Wild | HackerOne intermediate 7 min read | Guide to finding Broken Access Control (BAC) vulnerabilities, explaining concepts like Insecure Direct Object Reference (IDOR) and covering identifier types such as numeric, user-chosen, natural keys, composite keys, UUIDs, and hashes. It details the permissions mapping technique for identifying BAC flaws by creating lists of user roles and application actions, and highlights the prevalence of BAC bugs as the OWASP Top 1 vulnerability. → hackerone.com |
| 2026-04-03 2026 | BugQuest 2026: 31 Days of Broken Access Control | Intigriti intermediate 7 min read IDOR | Collection of 31 posts detailing broken access control (BAC) vulnerabilities, covering OWASP A01:2025 concepts, authentication versus authorization distinctions, and various authorization models like RBAC. It explores discovery techniques including content discovery with ffuf, JavaScript enumeration, API documentation mining, GraphQL introspection, and mobile application analysis. Specific exploitation methods discussed include request method tampering, HTTP parameter pollution, static keyword swapping, JWT algorithm confusion, and second-order attacks, alongside practical examples like IDOR and URL-matching discrepancies. → intigriti.com |
| 2026-04-03 2026 | Authn vs. authz: How are they different? beginner AuthN | Authentication (authn) refers to identity, while authorization (authz) has to do with permissions. Learn about the difference between authn vs. authz in more detail. |
| 2026-03-01 2026 | gadievron/raptor: Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we configure the agent for adversarial thinking, and perform research or attack/defense operations. advanced 7 min read AI | Library for autonomous security research, RAPTOR orchestrates static analysis, binary analysis, LLM-powered vulnerability validation, exploit generation, and patch writing. It integrates Semgrep and CodeQL for scanning and utilizes LLMs for vulnerability analysis, generating Proof-of-Concepts, and creating patches. RAPTOR supports multiple LLM providers and can leverage Z3 for constraint analysis to improve accuracy and prioritize reachable exploits. It offers project management features for organizing findings and tracking progress across multiple runs. |
| 2026-01-21 2026 | OAuth 2.0 Course for Beginners beginner AuthN | Course on OAuth 2.0 for beginners, explaining the authorization framework's use of access tokens for delegated access and passwordless integration with third-party apps. It covers key concepts like the four OAuth roles (Resource Owner, Client, Auth Server, Resource Server), the importance of PKCE, and practical implementation details for building authorization and resource servers, alongside client applications. The 2-hour video tutorial also addresses debugging common issues such as JWKS and Axios errors, concluding with a summary of best practices and repository setup. |
| 2025-10-22 2025 | Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US intermediate 7 min read AuthN | Tool for automating the creation of malicious second-party OAuth applications within compromised cloud environments. This tool, developed by Proofpoint researchers, demonstrates how threat actors can achieve persistent access, even after user credentials are reset or multi-factor authentication is enforced, by registering internal applications with chosen API scopes such as Mail.Read and offline_access. The research highlights a real-world attack vector already exploited by threat actors, offering a technical analysis of the automated process for application registration, secret generation, and token harvesting. |
| 2025-09-05 2025 | Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO | daily.dev beginner AuthN JWT | Guide to authentication and authorization mechanisms, detailing the differences and use cases for Basic, Bearer, OAuth2, JWT, and SSO. It explains authorization models such as RBAC, ABAC, and ACL, highlighting how real-world applications like GitHub and Stripe combine them. The entry emphasizes selecting appropriate models and token types based on application complexity and security needs. |
| 2024-10-03 2024 | Automate your API hacking with Autorize intermediate 6 min read API Sec AuthN | Library that automates API security testing by detecting broken object level authorization (BOLA) and other access control issues. Autorize, a Burp Suite extension, functions by sending modified requests with low-privileged, high-privileged, and unauthenticated user tokens to APIs. It then analyzes responses for discrepancies, flagging potential vulnerabilities like "Bypassed!" enforcement statuses. Users can configure interception filters, integrate with Burp's Repeater, and fine-tune enforcement detectors to identify issues such as unauthorized access to administrative functions by checking for 401 status codes. → danaepp.com |
| 2024-09-16 2024 | Automating the CORS Vulnerability Scan intermediate API Sec Bug Bounty | When conducting a bug bounty, automating your scanning process not only saves time but ensures you don’t miss common vulnerabilities. One… |
| 2023-09-21 2023 | Attacking and Defending Azure & M365 intermediate | Attacking and Defending Azure & M365 https://ift.tt/0F6sIRP |
| 2023-09-03 2023 | GitHub - dirkjanm/adidnsdump: Active Directory Integrated DNS dumping by any authenticated user intermediate AuthN | Tool for Active Directory Integrated DNS record enumeration and export, enabling reconnaissance of internal networks. By default, any authenticated Active Directory user can perform zone transfers, and this application facilitates that capability. It can be installed via pip or from source, requiring impacket and dnspython. The tool supports direct network use and proxychains, with an option for DNS over TCP. |
| 2023-09-01 2023 | Spraying the Microsoft Cloud intermediate AuthN | Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional… |
| 2023-05-21 2023 | Authentication authorization and security in SharePoint intermediate 4 min read AuthN | Reference on SharePoint authentication and authorization, detailing its role-based security model and support for Windows authentication (including NTLM and Kerberos) and ASP.NET forms-based authentication. It highlights claims-based identity as a core feature, enabling cross-platform authentication and integration with external identity systems, and explains how membership and role providers are utilized to manage user identities and group memberships. |
| 2023-05-09 2023 | Seven Common Ways To Bypass Login Page intermediate AuthN | Seven Common Ways To Bypass Login Page https://ift.tt/8PI0ers |
| 2023-04-13 2023 | OWASP Proactive Controls 2023/2024 v1 beginner API Sec AuthN | OWASP Proactive Controls 2023/2024 v1 https://ift.tt/xVAnFY5 → docs.google.com |
| 2023-03-29 2023 | skills/secure-code-game beginner 1 min read Bug Bounty | Library for learning secure coding through an interactive in-editor game. Season 4 focuses on securing Agentic AI, teaching how to protect Agentic Workflows and Multi-Agent Communications through five progressive levels. Players can start quickly from their browser, with no AI or coding experience required. The game runs instantly in GitHub Codespaces, with over 10,000 players participating from industry and academia. |
| 2022-04-14 2022 | Favorite tweet by @Jhaddix intermediate Bug Bounty | Favorite tweet: 🧵Another hacker story thread!🧵 === Penetrating a Porn Site === How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities. Here's how I did... |
| 2022-01-10 2022 | At DevSecCon24 find out how to build a Security Champions programme to scale your team beginner 5 min read | Talk from DevSecCon24 detailing how to build a successful Security Champions program. It emphasizes strategic planning, executive sponsorship, careful selection of passionate developer champions, and clearly defining their role as liaisons, not security experts. The talk also covers organically rolling out the program, starting small, and measuring success through both qualitative adoption and quantitative data. |
| 2021-11-10 2021 | How to Control Access to Your Amazon Elasticsearch Service Domain intermediate 12 min read | Reference for controlling access to Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) domains. It details how to leverage AWS Identity and Access Management (IAM) through resource-based policies and identity-based policies. The entry also covers authentication strategies, including IP-based restrictions and Signature Version 4 signing, with examples for both Python and Java. → aws.amazon.com |
| 2021-10-29 2021 | Improvements to Burp Suite authenticated scanning intermediate 4 min read Burp | Library improvements in Burp Suite 2021.9.1 enhance authenticated scanning by better handling iframes, animated elements, JavaScript-driven redirections, nested SVGs within buttons, and multi-select elements, leveraging the Burp Suite Navigation Recorder for complex login sequences. → portswigger.net |
| 2021-09-14 2021 | IAM Vulnerable intermediate 7 min read | Tool for creating a vulnerable-by-design AWS IAM privilege escalation playground. Using Terraform and your AWS credentials, it deploys over 250 IAM resources to facilitate learning and exploitation of 31 unique privilege escalation paths, referencing techniques pioneered by Spencer Gietzen and applicable to tools like Cloudsplaining and Pacu. |
| 2021-09-10 2021 | IAM Vulnerable - An AWS IAM Privilege Escalation Playground intermediate 12 min read Bug Bounty | Library for automating the creation of intentionally vulnerable AWS IAM configurations, allowing security practitioners to practice identifying and exploiting privilege escalation paths. It deploys over 250 IAM resources using Terraform, including users, roles, and policies, to simulate 31 unique escalation test cases, building upon research from Spencer Gietzen and Gerben Kleijn. The library supports modular deployment, offering free resources by default and optional non-free resources like EC2 instances and Lambda functions for more complex scenarios. |
| 2021-09-07 2021 | Automating Authorization Testing: AuthMatrix Part 1 intermediate 2 min read Bug Bounty | Library for automating authorization testing. This resource, AuthMatrix Part 1, introduces a technique for comprehensively testing application authorization by creating custom matrices to cover all possible user role and permission combinations, effectively identifying and mitigating authorization bypass vulnerabilities. → whiteoaksecurity.com |
| 2021-07-28 2021 | Chaining password reset link poisoning IDOR and information leakage to achieve account takeover at api.redacted.com advanced Bug Bounty IDOR | This report details a method to achieve account takeover at api.redacted.com by chaining three vulnerabilities. The attacker first exploits password reset link poisoning, then an Insecure Direct Object Reference (IDOR) flaw, and finally leverages information leakage. These combined vulnerabilities allow for unauthorized access to user accounts. No bounty payout amount is mentioned. |
| 2021-07-19 2021 | AWS IAM Role Chaining intermediate | AWS IAM Role Chaining allows one IAM role to assume another IAM role. This enhances security by enabling temporary, limited-privilege credentials to be granted for specific tasks. Instead of managing separate policies for every user and service, roles can be chained together, where Role A assumes Role B. This promotes the principle of least privilege, reducing the potential attack surface. The primary benefit is improved security and streamlined credential management within AWS environments. |
| 2021-06-30 2021 | Forbidden You dont have permission to access / on this server Error beginner 4 min read | Reference on resolving the Apache "Forbidden – You don’t have permission to access / on this server" error. This guide addresses common causes such as incorrect file/directory permissions, misconfigurations in Apache's main configuration files, and improperly formatted .htaccess files. Solutions include recursively adjusting file permissions with `chmod 755` for directories and `chmod 644` for files, modifying ownership with `chown`, and ensuring `AllowOverride All` is set in Apache's `<Directory>` directives. |
Frequently Asked Questions
- What is broken access control?
- Broken access control occurs when an application fails to enforce restrictions on what authenticated users are allowed to do. This can lead to unauthorized access to other users' data, privilege escalation to admin roles, or performing actions outside the user's intended permissions — such as modifying or deleting resources they should not have access to.
- What is the difference between authentication and authorization?
- Authentication verifies identity (who are you?), while authorization determines permissions (what can you do?). A user can be properly authenticated but still access resources they shouldn't if authorization checks are missing or flawed. Many critical vulnerabilities arise from this distinction being overlooked.
- How do you test for authorization vulnerabilities?
- Test by accessing resources with different user roles, manipulating tokens or session cookies, changing IDs in API requests, and attempting to reach admin endpoints as a regular user. Tools like Autorize (Burp extension) automate this by replaying requests with different session tokens to detect missing authorization checks.
Weekly AppSec Digest
Get new resources delivered every Monday.