Authentication is who you are, it’s your identity. Authorization or access control on the other hand is what you’re allowed to do.

<aside> 💡 https://appsecexplained.gitbook.io/

</aside>

Authentication

• Identification
• Brute-force attacks
• Attacking MFA
• Authentication challenge walkthrough

Authorization

When a user can access functionality that they should not be able to access, we have broken access control, or broken authorization.

• Types of access controls:
• IDOR - Insecure Direct Object Reference
• Introduction to APIs
• Broken Access Control