Discover and read the best of Twitter Threads about #AppSec

Most recents (14)

#learn365 Day-31: Captcha Bypass Techniques

Captcha is widely adapted by the applications to avoid automated attempts on specific functionality, commonly on the Authentication forms to avoid brute-force attacks.

#bugbountytips #appsec #infosec #Pentesting

(1/n)
(2/n)
However, it is possible to bypass Captcha, and sometimes if the function is critical, it can be paid well in terms of bounties.

1. Missing Server-Sides Validation
- Some apps send Captcha Parameters on the client-side but they do not validate this on the server side.
(3/n)
- Simply, Remove the "Captcha" parameters and see if the request is processed successfully.
- If yes, you can now use this request to perform your brute-force or rate-limiting attempts.
Read 10 tweets
#learn365 Day-30: Common Business Logic Issues (Wrap)

(Cont'd...)
9. Parameter Tampering
- Tamper Payment or Critical Fields to manipulate their values
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment
#bugbountytips #appsec
(1/n)
(2/n)
- Response Manipulation to bypass certain restrictions such as 2FA Bypass

10. App Implementation Logic Abuse
- If an app accepts JSON data, try changing content type to XML and see if the XML data is being processed, it can be left vulnerable to XXE or XML-based attacks.
(3/n)
- If an application is using the DELETE method to delete a resource but there is no CSRF protection, try converting the method to GET/POST and add an additional parameter like ?method=delete
Read 7 tweets
#learn365 Day-29: Common Business Logic Issues (Part - 2)

(cont'd...)
5. Premium Feature Abuse
- Try forcefully browsing the areas or some particular endpoints which come under premium accounts.

#bugbountytips #AppSec #infosec #pentest

(1/n)
(2/n)
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.
(3/n)
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
Read 8 tweets
How many of you will agree that @PortSwigger @PortSwiggerRes @burpsuite is the best #Web #AppSec #bugbounty Tool available on the internet?

This thread includes some of the best Burp Extensions, which I personally love.

#pentest #security #infosec #bugbounty
Turbo Intruder

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
portswigger.net/bappstore/9aba…

#pentest #security #infosec #bugbounty
Retire.js
This extension integrates Burp with the Retire.js repository to find vulnerable JavaScript libraries.
portswigger.net/bappstore/3623…

#pentest #security #infosec #bugbounty
Read 20 tweets
#learn365 Common Business Logic Issues: Part-1

I'll try to cover some of the interesting business logic flaws that I usually test and have encountered so far today & in the next couple of days. Feel free to add more if you know any.
#bugbountytips #appsec #websecurity

(1/n)
(2/n)

1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
(3/n)
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.
Read 9 tweets
#learn365 Day-21: GraphQL Vulnerabilities (Part-2)
1. Information Disclosure via Error Messages
- Similar to the normal information disclosure via error triggering.
- Provide malformed or unexpected input within GraphQL queries.

#BugBountyTips #appsec #infosecurity

(1/n)
(2/n)
- Sometimes you may observe verbose error messages revealing sensitive information.

2. GraphQL Denial of Service
- Due to an improper limit on the maximum query depth, it might be possible to perform a denial of service in graphql implementation.
(3/n)
- Nest a query to unlimited depth and send this query on a GraphQL endpoint to observe anything suspicious.
- A good example: owasp-skf.gitbook.io/asvs-write-ups…

3. Insecure Direct Object Reference
- Similar to normal API like IDORs
- A good example: owasp-skf.gitbook.io/asvs-write-ups…
Read 4 tweets
#learn365 Day-20: GraphQL Series Part - 1
- GraphQL is a query language for the underlying API.
- A single endpoint can be used as a query API to perform all the actions including Create, Read, Update & Delete.

#bugbountytips #appsec #infosec

(1/n)
(2/n)
- GraphQL has its own type of system that’s used to define the schema of an API. The syntax for writing schemas is called Schema Definition Language (SDL).

# A GraphQL operation can be of type:
1. query (a read-only fetch)
2. mutation (a write followed by fetch)
(3/n)
3. subscription (a long‐lived request that fetches data in response to source events.)
- A GraphQL document can contain one or more of these operations (i.e multiple queries/mutations/subscriptions).
- Mutations queries modify data in the data store and returns a value.
Read 9 tweets
#learn365 Day-12: Unicode Normalization
This attack is hard to explain w/o proper graphics. Please refer to the references mentioned for a detailed explanation. This is a really good attack vector to try and consider while doing PT/BB.
(1/n)
#bugbountytips #AppSec #infosec
(2/n)
Unicode to ASCII Transformation is a two-step process.

1. Normalization: Where the characters are converted to a standardized form
2. Punycoding: Where the Unicode is turned into ASCII

There are two overall types of equivalence between characters:......
(3/n)
1. Canonical Equivalence: Characters are assumed to have the same appearance and meaning when printed or displayed.

2. Compatibility Equivalence: This is a weaker equivalence, in that two values may represent the same abstract character but can be displayed differently.
Read 6 tweets
#Learn365 Day-11: Cache Poisoned Denial of Service (CPDos)
AIO Resource: cpdos.org
- One of a kind of Web Cache Poisoning attack that affects the resources used by an application to create a denial of service situation.

#bugbountytips #AppSec #infosec

(1/n)
(2/n)
# Working

The working of this attack is theoretically very simple to understand:

1. The attacker sends a request to the server containing a malicious header with a malicious value. This can be any random header.
ex: x-mal-example: tohackthehacker
(3/n)
2. This request is first processed by the intermediate cache server to check if the copy exists.
3. The cache server forwards the attacker's request with malicious headers to the origin server as it doesn't store a fresh copy of the requested resource.
Read 16 tweets
#Learn365 Day-6: Cross-Site Leaks

Goldmine to Learn: xsleaks.com

Cross-Site Leaks/XS-Leaks is a less explored security issue that usually comes from Side-Channel Attacks. I found this an interesting vector but unusual.

(1/n)

#BugBountyTips #infosec #AppSec
(2/n)
This basically utilizes the web's core principle of composability in order to determine & extract useful information.

XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites.
(3/n)
Cross-Site Oracle.

This can be considered as a querying mechanism. The information used for this attack is of binary form and called Oracles. It usually has an answer of "Yes" or "No". You can say True or False.
Read 11 tweets
From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember #XMas2020 #AppSec #Web #HTTP
"max-forwards" http header:
- limit the number of proxies a request can traverse.
- not hop-by-hop
- can't go in the Trailer header

Some usage example:
old: securiteam.com/securityreview…
old: counting servers (proxies) in the middle
new: portswigger.net/research/crack… Image
In something like JS
/*/ comment /*/
is the same as
/* comment */
, makes sense, right? But MSSQL sees it as
/* comment /*...
more interestingly, if you want to close it, you need 2 */
This is important when injections go into multiple places and newline is involved! Image
Read 26 tweets
We are just starting our session @hasgeek. @abh1sek talking about data breaches and how they happen.

hasgeek.com/rootconf/data-…

Join the live stream on the webpage.

#datasecurity
Thank you @hasgeek for giving us this amazing platform to talk about what we love most #datasecurity #appsec
#cloudsecurity
Agenda for the session
Read 29 tweets
🔎 I took a closer look at some #government #apps related to🦠#COVID19 that are just springing up like mushrooms. If you find an app/country missing in the [thread] below, please let me know!
#tracking #surveillance #appsec #Virucy
🇵🇱 Home Quarantine (Kwarantanna domowa): Can access 📸, phone/serial no., knows about the 📲 you placed or got etc.
Tracking with @Facebook Analytics, @Google @Firebase, @Microsoft @VSAppCenter Analytics.
play.google.com/store/apps/det…
Broadcast receivers exported. Possible SQL injections (CWE-89). Sensitive information stored in cleartext (CWE-312) and into Log Files (CWE-532). Using MD5 and Java Hash algorithm (CWE-327). Use of insufficiently Random Values (CWE-330). Insecure WebView implementation (CWE-749).
Read 38 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!