Questions tagged [access-control]
A security mechanism which enforces policy describing which requesters may perform operations on specified objects. There are typically multiple types of operations. Common operations include: read, write, execute, append, create, and delete.
583 questions
1 vote · 0 answers · 80 views
Have there been any attempts at implementing declarative security in Go?
A recurring problem when implementing authorisation checks using procedural code is that you end up duplicating a lot of checks across your codebase and it is easy to forget to apply a check, or ...
2 votes · 0 answers · 70 views
Step-up authentication with NGAC/Policy Machine architecture
NB: This is not a technical question but rather an attempt to grasp the model and its natural restrictions.
I am thinking of Step-up authorization and Separation of Duty scenarios where either the same ...
2 votes · 1 answer · 84 views
Are control categories actually exclusive?
The four control categories are Technical, Managerial, Operational, and Physical, according to most sources about the Sec+ exam. Even this seems to be, for lack of a better term, controversial. Some ...
1 vote · 1 answer · 132 views
Does giving a user an Admin / Privileged account plus a standard account violate "Separation of Duties"?
Let's say a user requires admin privileges as part of their role for installation of required tooling. Would allowing them a separate admin account to perform these activities be best practice as ...
0 votes · 0 answers · 111 views
Why does IPsec use tunnel-mode for an external laptop? Could transport-mode be used? Why can't a gateway control access in transport-mode?
In an IPsec Secure gateway setup, why is tunnel-mode used when an external laptop wants to access an internal service protected by a firewall? Is tunnel-mode necessary or could transport-mode be used ...
0 votes · 1 answer · 1k views
Is an access token using SHA256 secure?
I want to create a server where, after the user logs in, the server gives them a randomly generated access token that is hashed using SHA256, that I store in the database along with an expiration date. I ...
0 votes · 0 answers · 124 views
Compatibility of Desfire EV1/2 readers and cards with a Doorking access control system
I am getting the idea that Doorking's ProxPlus cards and reader have a pre-defined encryption key in their reader. As these readers are Wiegand devices and the software for the Doorking Access systems ...
1 vote · 1 answer · 623 views
CVSS3 Scope change question
Let's say I have an e-commerce organization. My organization has two security authorities A and B. The authority A manages access to data related to user orders, and the authority B manages access to ...
0 votes · 1 answer · 389 views
Is there a problem with storing user permissions in the database instead of in an external auth service?
In AWS Cognito we could define a role/permissions as a custom attribute in the user pool, but we could have a User table and a caching database and fetch roles each time the user does a request.
Of ...
0 votes · 2 answers · 2k views
What is a proper way to prevent parameter tampering and to make parameter secure
I'm developing an HTTP web server. I've used HTTPS as the protocol between client and server, but I know that HTTPS can't prevent parameter tampering.
As we know, we can set parameters in URL, in HTTP ...
2 votes · 1 answer · 330 views
Is this considered Privilege Escalation?
Suppose I have an Admin account and a normal user account. There is some functionality that is only accessible to the admin only, like promoting other users. In this scenario, I captured a request ...
1 vote · 0 answers · 287 views
Is it a good idea to combine DAC with RBAC in this way?
I am not an infosec professional, but I'm working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
Users are ...
3 votes · 1 answer · 365 views
OAuth: redirect URI validation [duplicate]
As per the below resource: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
we should validate the redirect URL at 3 points:
at time of app registration
when the auth flow ...
3 votes · 2 answers · 222 views
Any obvious pitfalls of modeling access control policies using subject, scope, object?
Context
A small web application with REST API and postgres as db, that has users, documents and teams. A user can do basic CRUD operations on document.
A user is always a part of a team. A team is ...
1 vote · 0 answers · 831 views
Link that allows access to documents without authentication
I am testing an app and I found a link in the source code that permits me to access a document without authenticating to the application on which that document is present.
The URL has a key in the GET and ...