Authentication and authorization testing.

So authentication and authorization are another great function that modern Web applications provide. Authentication is the process of proving the identity of the user or any entity. So that means that users prove that they are who they say they are, and then the application allows them to view and interact with the content. Right.

Nowadays, especially, authentication mechanisms are not just used for accessing content. They're also used to personalize the content of just about any application. So your account on a Web application is starting to be a strong vector that corresponds to your real-world existence, your identity. So guess what? This makes authentication, of course, way more important today.

But for you and me, there is a wide range of technologies available to implement authentication mechanisms. So far, HTML form-based authentication is the most used one, and in general, Web applications authenticate users with a username and password. But this can vary due to the application's security needs. So then, after authentication, the application grants permissions to users in order to perform several actions, such as viewing files, executing something, or whatever it may be. So that's why in this section we are also going to cover authorization problems.

OK, authorization is the process of determining what resources a user, service, or application has permission to access, so it can be defined as an access policy for resources. Authentication and authorization are closely related concepts, but they are not the same. The first term proves the identity of a user, website, or any entity in any context, but authorization verifies the privileges granted to the authenticated identity. So, for example, once you log into your bank account, you're only authorized to transfer money from your accounts, for instance. Right? If you can do it with another account, this means that there's a serious authorization problem.

So in this section we're going to talk about password policy problems, password-related issues, and brute-forcing passwords. Also some problematic usage of CAPTCHAs. And then we're going to cover some authorization problems.