00:01
Here, from the provided URL, you can infer that it includes a parameter uid with the value 1241126841.
00:34
This suggests that the application may use the uid parameter for user identification for session management.
00:56
To test whether the application is using the uid parameter to enforce access controls in an unsafe way, you can try modifying the uid value in the URL to see if you can access other user accounts or sensitive information.
01:23
Then, enforcing access control using the user's source IP address is fundamentally flawed because of dynamic IP addresses, shared networks, proxy servers, and mobile networks.
02:03
Then, common access control methods: mandatory access control enforces access policies based on labels assigned to information and the user's security clearance.
02:18
Then, discretionary access control allows users to set access permissions on their own objects.
02:26
Then, role-based access control: access is granted based on roles, and users are assigned roles with specific permissions.
02:37
Then, attribute-based access control: access decisions are based on attributes of the user, the target resource, and the environment...