今日已更新 305 条资讯 | 累计 19865 条内容
关于我们

AI-Assisted AuthZ Review: Reading Permission Boundaries in Ory Kratos

fdjedkdls-spec 2026年07月04日 08:12 1 次阅读 来源:Dev.to

Second in a series on using AI to review authorization — not to spray reports. Companion reference: AuthZ Smell Catalog . 1. Why AuthZ review is not vulnerability spraying The cheapest thing an AI can do in security is generate suspicion. Point a model at a codebase and it will hand you fifty "possible IDORs" before you finish your coffee. Almost all of them are wrong — guarded three lines up, scoped at the data layer, or protected at a boundary the model never saw. That flood is exactly why several bug bounty programs spent 2026 tightening or pausing: they were drowning in confident, plausible, wrong reports. So this review inverts the usual loop. The AI's job is not to find bugs — it is to over-generate hypotheses cheaply . My job is to kill them. What survives that killing is the only thing worth a human's time, and the record of what died is more useful than the record of what lived. The artifact of an honest review is therefore not a finding. It's a kill table . 2. Target and scope Target: Ory Kratos — an open-source identity and user-management server (login, registration, recovery, verification, sessions, self-service settings). Source-available, Apache-2.0. Why Kratos: it is exactly the shape where authorization goes wrong — multiple identities, a public API and an admin API, and (in Ory's hosted product) multi-tenancy. If a boundary is fragile, this is where it shows. Scope of this write-up: source reading only , on the public repository, single-tenant OSS build. No hosted target was touched. Nothing here is an undisclosed finding — the point is the method and the boundary design , and where relevant, how the design held against the hypotheses I tested. This maps to the reproduction tiers we track: everything below is repo_only , and I say so explicitly rather than implying it reaches a live product. What this review does and does not claim. In this limited, repo-only review, the hypotheses I tested were killed. This is not a claim that Kratos has no vulner

本文内容来源于互联网,版权归原作者所有
查看原文