Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)

Authorization vulnerabilities continue to be one of the largest and most difficult-to-remediate classes of vulnerabilities that affect web applications. Compared to other vulnerability classes like XSS or SQL injection, there are no frameworks or design patterns which can be used to prevent authorization flaws at a fundamental level (although this is an area …