I lost count of how many Google sponsored videos you made by now. Good for you man. Good content, kid.
THIS COMMENT SECTION IS NOW A UNIT OF THE FEDERAL REPUBLIC OF GERMANY. 🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪
@@BenjaminAster Lol yes
A nice topic. I usually just summarize it as: authentication authenticates, i.e. checks the data you entered, while authorization checks whether you have permission to perform a task or not.
Something interesting I have seen:
Allowing a user to edit themselves but not restricting fields they can modify via the backend (UI doesn't show). Then any user can escalate roles/permissions if stored using user information.
Thanks, this is really helpful!
Authorization: do you have the authority to do that?
Authentication: are you the authentic __ ?
Good example with change email. Simple but I didn't see it coming
Good devs avoid the confusion by using the name "Auth".
/s
Seriously, a good fine-grained authorization manager is hard to find for my use case.
Like always @liveroverflow content is informative and substantial for any Security Aspirant.
Cmon google, hire this guy already!
I think you have authorization issues in your video, at 0:57 email addresses are not blurred while they are blurred later, and we are probably not authorized to see them
Where is it blurred later?
@@aim2986 for example on 2:16 the username is blurred but it's not hard to guess it's the same one as shown in 1:02
@@aim2986 yes, when I commented, everything was clearly visible, now it's blurred. It's possible to do it with some RUclips tools when the video is already uploaded and public
Finding vulnerabilities in RUclips videos, a whole new business
In fact, there is an ML model that can recover text from blurred form. Now the proper way is a solid black rectangle.
Great work on the SUDO videos, you might find yourself working for Apple after this. Congratulations.
developers who just call both of them auth 😌
Or we call them AuthZ and AuthN. Clear as day.
Please do Log4Shell next. Everyone's out there talking about how you can use it to launch notepad or calculator on Minecraft players' computers but I'd love to know about the real nasty things you can do using an RCE vulnerability that basically allows you to run custom Java code on vulnerable systems.
check John Hammond :)
Anything you can do with a Java app: keylogger, bootstrap non-Java executables, etc.
Google's mouthpiece is back!!!
Awesome explanation thanks
5:54 can I file a bug report? :) The documentation there has a typo, it should say "because the documentation explicitly requires the OWNER role".
i authenticate AND authorize this video ❤
Hey! Make a video about the log4j vulnerability!
did i just watch a 10 min google ad?
authentication vs authentication or authentication vs authorization?
I am not sure that undocumented exposed APIs are necessarily as innocuous as portrayed. (The "prefiltered" ones are well described) Why? Attack surface; a general principle I usually follow that if you don't need, don't expose it - just in case it is relevantly buggy, etc.
@1:00 - you forgot to blur out the email address ⚠️⚠️⚠️
I think you should make a video or series on car unlocking.
0:58 hide mails
But you can change the UI to get access to the API?!
Push!
⚡👌🏻
Why no comments
nazi?
Why the fuck would anyone just "trust google's judgement"