
Questions tagged [access-control]

A security mechanism which enforces policy describing which requesters may perform operations on specified objects. There are typically multiple types of operations. Common operations include: read, write, execute, append, create, and delete.

1 vote, 0 answers, 82 views

A recurring problem when implementing authorisation checks using procedural code is that you end up duplicating a lot of checks across your codebase and it is easy to forget to apply a check, or ...
asked by Polynomial
2 votes, 0 answers, 72 views

NB: This is not a technical question but rather an attempt to grasp the model and its natural restrictions. I am thinking of step-up authorization and Separation of Duty scenarios where either the same ...
asked by bada
2 votes, 1 answer, 85 views

The four control categories are Technical, Managerial, Operational, and Physical, according to most sources about the Sec+ exam. Even this seems to be, for lack of a better term, controversial. Some ...
asked by Sam
1 vote, 1 answer, 139 views

Let's say a user requires admin privileges as part of their role for installation of required tooling. Would allowing them a separate admin account to perform these activities be best practice as ...
asked by Ake33
0 votes, 0 answers, 112 views

In an IPsec Secure gateway setup, why is tunnel-mode used when an external laptop wants to access an internal service protected by a firewall? Is tunnel-mode necessary or could transport-mode be used ...
asked by Allexj
0 votes, 1 answer, 1k views

I want to create a server where, after the user logs in, the server gives them a randomly generated access token that is hashed using SHA-256, which I store in the database along with an expiration date. I ...
asked by a_duck
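The scheme the question above describes, as an added example (not code from the question or its answers): the plaintext token is returned to the client once, only its SHA-256 digest is stored next to an expiry, and lookups hash the presented token before checking. The in-memory `TOKENS` dict, the one-hour `TOKEN_TTL` and the row layout are assumptions standing in for the database table.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=1)  # assumed lifetime; the question does not fix one

# Constructed stand-in for the tokens table: digest -> row. A real deployment
# keys a database table on the SHA-256 hex digest (assumed schema).
TOKENS = {}


def utcnow():
    return datetime.now(timezone.utc)


def _digest(token):
    # Only the SHA-256 digest is persisted. A 256-bit random token carries enough
    # entropy that no salt or slow password hash is needed: someone holding a
    # database dump would have to find a preimage of the digest to forge a token,
    # and a timing leak on the digest comparison would reveal nothing usable.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, now=None):
    """Create a token for user_id; the plaintext is returned once and never stored."""
    now = now or utcnow()
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    TOKENS[_digest(token)] = {"user_id": user_id, "expires_at": now + TOKEN_TTL}
    return token


def verify_token(token, now=None):
    """Return the user_id the token belongs to, or None if unknown or expired."""
    now = now or utcnow()
    key = _digest(token)
    row = TOKENS.get(key)
    if row is None:
        return None
    if now >= row["expires_at"]:
        TOKENS.pop(key, None)  # lazy cleanup of expired rows
        return None
    return row["user_id"]


def revoke_token(token):
    """Logout: drop the row so the token stops working before its expiry."""
    return TOKENS.pop(_digest(token), None) is not None
```

Because the token is hashed before the lookup, the database never contains anything a client could present; the expiry is checked on every use rather than relying on a background job, and `revoke_token` gives the user an explicit logout.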
0 votes, 0 answers, 124 views

I am getting the idea that Doorking's ProxPlus cards and reader have a pre-defined encryption key in their reader. As these readers are Wiegand devices and the software for the Doorking Access systems ...
asked by steve vogel
1 vote, 1 answer, 626 views

Let's say I have an e-commerce organization. My organization has two security authorities A and B. The authority A manages access to data related to user orders, and the authority B manages access to ...
asked by mateleco
0 votes, 1 answer, 398 views

In AWS Cognito we could define a role/permissions as a custom attribute in the user pool, but we could have a User table and a caching database and fetch roles each time the user does a request. Of ...
asked by Vitor Figueredo Marques
0 votes, 2 answers, 2k views

I'm developing an HTTP web server. I've used HTTPS as the protocol between client and server, but I know that HTTPS can't prevent parameter tampering. As we know, we can set parameters in the URL, in HTTP ...
asked by Yves
2 votes, 1 answer, 332 views

Suppose I have an Admin account and a normal user account. There is some functionality that is accessible to the admin only, like promoting other users. In this scenario, I captured a request ...
asked by infosec_learner
1 vote, 0 answers, 289 views

I am not an infosec professional, but I'm working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows: Users are ...
asked by Oscar
3 votes, 1 answer, 371 views

As per the below resource: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/ we should validate the redirect URL at 3 points: at the time of app registration, when the auth flow ...
asked by gaurav5430
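The three validation points the question refers to, worked through as an added example (not code from the question, its answers or the linked resource): the URI is vetted when the client registers it, the authorization endpoint accepts only an exact string match and refuses to redirect otherwise, and the token endpoint checks that the code is being exchanged for the same URI it was issued to. The `CLIENTS` and `AUTH_CODES` dicts and the client identifiers are constructed stand-ins for the authorization server's storage.

```python
import secrets
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Constructed in-memory registries; a real server persists these.
CLIENTS = {}     # client_id -> set of registered redirect URIs
AUTH_CODES = {}  # code -> {"client_id": ..., "redirect_uri": ...}


def registrable(uri):
    """Point 1, registration: reject URIs that cannot safely be redirect targets."""
    parts = urlsplit(uri)
    if parts.fragment or "*" in parts.netloc or not parts.netloc:
        return False
    if parts.scheme == "https":
        return True
    # Plain http is tolerated only for loopback redirects of native apps (RFC 8252).
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def register_client(client_id, redirect_uris):
    if not redirect_uris or not all(registrable(u) for u in redirect_uris):
        return False
    CLIENTS[client_id] = set(redirect_uris)
    return True


def authorize(client_id, redirect_uri):
    """Point 2, the authorization request.

    Returns an authorization code, or None when redirect_uri is not an exact
    string match for a registered URI. On None the server must render an error
    page itself and must not redirect the browser to the requested URI.
    """
    registered = CLIENTS.get(client_id, set())
    if redirect_uri not in registered:  # exact match: no prefixes, no normalisation
        return None
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code


def exchange_code(client_id, code, redirect_uri):
    """Point 3, the token request: the code is bound to the URI it was issued for."""
    entry = AUTH_CODES.pop(code, None)  # single use, whether or not the check passes
    if entry is None:
        return False
    return entry["client_id"] == client_id and entry["redirect_uri"] == redirect_uri
```

Exact matching at point 2 is what closes the classic open-redirect and path-traversal tricks (`/cb/../evil`, `/cb?x=1`, `/cb.attacker.example`); point 3 stops an attacker who obtained a code from redeeming it with a different client or a different redirect target, and popping the code on every attempt keeps it single-use.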
3 votes, 2 answers, 222 views

Context: A small web application with a REST API and Postgres as the DB, which has users, documents and teams. A user can do basic CRUD operations on documents. A user is always part of a team. A team is ...
asked by iovo
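Three of the questions above fit one pattern: the first asks how to stop authorisation checks being duplicated and forgotten, the admin-promotion question is about replaying an admin-only request as a normal user, and the question directly above needs team-scoped access to documents. The added example below (not code from any of those questions or their answers) puts every rule in a single `authorize` function and a `require` decorator, so a handler cannot run without the check and the acting user always comes from the authenticated session rather than from the request. The roles, the team/owner rules, the `USERS` and `DOCS` tables and the `handle` stand-in for the HTTP layer are all constructed for the example.

```python
import functools
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str      # "admin" or "user" (assumed role model)
    team_id: int


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    team_id: int


class Forbidden(Exception):
    pass


def authorize(subject, action, resource=None):
    """The single policy function every handler goes through.

    Rules (constructed for this example): admins may do anything; members may
    create documents, read documents of their own team, and update or delete
    only documents they own. Anything else, including promotion, is denied.
    """
    if subject.role == "admin":
        return True
    if action == "document:create":
        return True
    if action == "document:read":
        return resource is not None and resource.team_id == subject.team_id
    if action in ("document:update", "document:delete"):
        return resource is not None and resource.owner_id == subject.id
    return False  # deny by default: unknown actions and "user:promote" for non-admins


def require(action, load_resource=None):
    """Decorator that makes the check impossible to forget: the handler body does not
    run unless authorize() says yes. The subject is the session user, so a replayed
    admin request carries the replaying user's own identity, and nothing in the
    request parameters can change who is acting."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(session_user, *args):
            resource = load_resource(*args) if load_resource else None
            if not authorize(session_user, action, resource):
                raise Forbidden(f"user {session_user.id} may not {action}")
            return handler(session_user, *args)
        return wrapper
    return decorator


# Constructed data standing in for the users and documents tables.
USERS = {1: User(1, "admin", 10), 2: User(2, "user", 10), 3: User(3, "user", 20)}
DOCS = {100: Document(100, owner_id=2, team_id=10)}


@require("user:promote")
def promote_user(session_user, target_id):
    USERS[target_id] = User(target_id, "admin", USERS[target_id].team_id)
    return USERS[target_id].role


@require("document:read", load_resource=lambda doc_id: DOCS.get(doc_id))
def read_document(session_user, doc_id):
    return DOCS[doc_id].id


@require("document:delete", load_resource=lambda doc_id: DOCS.get(doc_id))
def delete_document(session_user, doc_id):
    return DOCS.pop(doc_id).id


def handle(handler, session_user, *args):
    """Stand-in for the HTTP layer: Forbidden becomes a 403 with no body."""
    try:
        return 200, handler(session_user, *args)
    except Forbidden:
        return 403, None
```

Loading the resource before the check means ownership and team rules are evaluated against what is actually in the database, not against IDs the client sent; a document that does not exist (or was just deleted) yields the same 403 as one the user may not see, so the endpoint does not leak which IDs exist. Adding a new endpoint means adding one `@require` line and, if a new kind of rule is needed, one branch in `authorize`, which is the place a reviewer reads.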
1 vote, 0 answers, 840 views

I am testing an app and I found a link in the source code that permits me to access a document without authenticating to the application on which that document is present. The URL has a key in the GET and ...
asked by moskino11
