Discover and read the best of Twitter Threads about #securityexplained
Most recents (21)
#SecurityExplained S-101: CWE Top 25:
CWE-434: Unrestricted Upload of File with Dangerous Type
The software allows an attacker to upload or transfer harmful data that can be processed automatically within the product's environment.
1/
CWE-434: Unrestricted Upload of File with Dangerous Type
The software allows an attacker to upload or transfer harmful data that can be processed automatically within the product's environment.
1/
2/
This flaw could affect any software that allows users to upload files.
The arbitrary file upload weakness concerns improper or missing file type validation when uploading files.
This flaw could affect any software that allows users to upload files.
The arbitrary file upload weakness concerns improper or missing file type validation when uploading files.
3/
This flaw happens when an application fails to validate or verifies files incorrectly before uploading them to the system. This flaw is language independent. However, it is most common in ASP and PHP-based apps.
This flaw happens when an application fails to validate or verifies files incorrectly before uploading them to the system. This flaw is language independent. However, it is most common in ASP and PHP-based apps.
#SecurityExplained S-100: CWE Top 25:
CWE-306: Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a verified user identification or uses a considerable number of resources.
1/n
CWE-306: Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a verified user identification or uses a considerable number of resources.
1/n
2/n
This vulnerability is frequently introduced during the architecture and design phase of the application development process.
This vulnerability is frequently introduced during the architecture and design phase of the application development process.
3/n
A critical vulnerability in the online interface of McAfee Advanced Threat Defense is a real-world example of such a problem (CVE-2017-4052).
A critical vulnerability in the online interface of McAfee Advanced Threat Defense is a real-world example of such a problem (CVE-2017-4052).
1/
When the logic thinks that the final value will always be more significant than the original value, the software runs a calculation that can result in an integer overflow or wraparound.
When the logic thinks that the final value will always be more significant than the original value, the software runs a calculation that can result in an integer overflow or wraparound.
2/
When the calculation is utilized for resource management or execution control, this can introduce other flaws.
When the calculation is utilized for resource management or execution control, this can introduce other flaws.
#SecurityExplained S-91: CWE Top 25:
CWE-611: Improper Restriction of XML External Entity Reference
1/n
CWE-611: Improper Restriction of XML External Entity Reference
1/n
2/n
When an application executes an XML document that contains entities pointing to external URIs, CWE-611 vulnerabilities can occur.
When an application executes an XML document that contains entities pointing to external URIs, CWE-611 vulnerabilities can occur.
3/n
These URIs resolve to assets outside the application's control, resulting in potentially dangerous execution of activities prescribed by the external assets.
These URIs resolve to assets outside the application's control, resulting in potentially dangerous execution of activities prescribed by the external assets.
#SecurityExplained S-90: CWE Top 25: CWE-918: Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and obtains its contents, but it does not check that the request is routed to the correct destination.
1/n
The web server receives a URL or similar request from an upstream component and obtains its contents, but it does not check that the request is routed to the correct destination.
1/n
2/n
Malicious parties can use CWE-918, also known as server-side request forgeries (SSRF), to trick a server into making requests to obtain access to internal infrastructure, sensitive data, and more.
Malicious parties can use CWE-918, also known as server-side request forgeries (SSRF), to trick a server into making requests to obtain access to internal infrastructure, sensitive data, and more.
3/n
The use of URLs helps identify the attack surface for SSRF. Although sanitization and allow lists are two more effective techniques available, they can be challenging to manage.
The use of URLs helps identify the attack surface for SSRF. Although sanitization and allow lists are two more effective techniques available, they can be challenging to manage.
#SecurityExplained S-89: CWE Top 25: CWE-522: Insufficiently Protected Credentials
The product transfers or saves authentication credentials, but it does so improperly that it can be intercepted or retrieved by unauthorized individuals.
1/n
The product transfers or saves authentication credentials, but it does so improperly that it can be intercepted or retrieved by unauthorized individuals.
1/n
2/n
This flaw relates to an architectural security approach that has been misdesigned. Another form of credential attack uses flaws in how passwords are encoded, saved, and handled by a web application, network, or software system.
This flaw relates to an architectural security approach that has been misdesigned. Another form of credential attack uses flaws in how passwords are encoded, saved, and handled by a web application, network, or software system.
3/n
Risky development practices, such as storing passwords in insecure locations, storing credentials in plaintext, storing user passwords using poor or reproducible cryptographic techniques, or using hard-coded credentials, generate vulnerabilities....
Risky development practices, such as storing passwords in insecure locations, storing credentials in plaintext, storing user passwords using poor or reproducible cryptographic techniques, or using hard-coded credentials, generate vulnerabilities....
#SecurityExplained S-88: CWE Top 25: CWE-732: Incorrect Permission Assignment for Critical Resource
The product defines permissions for a security-critical resource so that unwanted actors can read or modify it.
1/n
The product defines permissions for a security-critical resource so that unwanted actors can read or modify it.
1/n
2/n
When a resource's permissions are set to allow access to a broader range of actors than is required, sensitive information may be exposed, or undesired parties may modify the resource.
When a resource's permissions are set to allow access to a broader range of actors than is required, sensitive information may be exposed, or undesired parties may modify the resource.
3/n
This is very risky when the resource is tied to program configuration, execution, or sensitive user data.
This is very risky when the resource is tied to program configuration, execution, or sensitive user data.
#SecurityExplained S-87: CWE Top 25: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
The product makes sensitive information available to someone who isn't explicitly permitted to access it.
1/n
The product makes sensitive information available to someone who isn't explicitly permitted to access it.
1/n
2/n
CWE-200 arises when confidential information (e.g., application systems and network information, user-supplied data such as names email addresses) is made available to individuals who are not authorized to see it.
CWE-200 arises when confidential information (e.g., application systems and network information, user-supplied data such as names email addresses) is made available to individuals who are not authorized to see it.
3/n
This flaw could be the outcome of various issues involving the disclosure of sensitive information.
When the following conditions exist, the information is considered sensitive:
This flaw could be the outcome of various issues involving the disclosure of sensitive information.
When the following conditions exist, the information is considered sensitive:
#SecurityExplained S-86: Vulnerable Code - 65
This code is vulnerable to NoSQL Injection attack.
User-provided data such as URL parameters and POST body content should always be considered untrusted and tainted.
1/n
This code is vulnerable to NoSQL Injection attack.
User-provided data such as URL parameters and POST body content should always be considered untrusted and tainted.
1/n
2/n
Applications that perform NoSQL operations based on tainted data can be exploited similarly to regular SQL injection bugs. Depending on the code, the same risks exist as with SQL injections: The attacker aims to access sensitive information or compromise data integrity.
Applications that perform NoSQL operations based on tainted data can be exploited similarly to regular SQL injection bugs. Depending on the code, the same risks exist as with SQL injections: The attacker aims to access sensitive information or compromise data integrity.
3/n
Attacks may involve the injection of query operators, JavaScript code, or string operations. This problem can be mitigated by using an Object Document Mapper (ODM) library or by validating user-supplied data based on its size or allowed characters.
Attacks may involve the injection of query operators, JavaScript code, or string operations. This problem can be mitigated by using an Object Document Mapper (ODM) library or by validating user-supplied data based on its size or allowed characters.
#SecurityExplained S-85: Vulnerable Code - 64
This code is vulnerable to Insecure Deserialization Attack.
User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted.
1/n
This code is vulnerable to Insecure Deserialization Attack.
User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted.
1/n
2/n
Deserialization based on data supplied by the user could result in two types of attacks:
Remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized.
Deserialization based on data supplied by the user could result in two types of attacks:
Remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized.
3/n
Parameter tampering attacks, where data is modified to escalate privileges or change for example quantity or price of products.
The best way to protect against deserialization attacks is probably to challenge the use of the deserialization mechanism in the application.
Parameter tampering attacks, where data is modified to escalate privileges or change for example quantity or price of products.
The best way to protect against deserialization attacks is probably to challenge the use of the deserialization mechanism in the application.
#SecurityExplained S-72: Vulnerable Code - 51
This code is vulnerable to SQL Injection attacks.
User-provided data, such as URL parameters, should always be considered untrusted and tainted.
1/n
This code is vulnerable to SQL Injection attacks.
User-provided data, such as URL parameters, should always be considered untrusted and tainted.
1/n
2/n
Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful database query injection attacks can read, modify, or delete sensitive information from the database ...
Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful database query injection attacks can read, modify, or delete sensitive information from the database ...
3/n
...and sometimes even shut it down or execute arbitrary operating system commands. The solution is to use prepared statements and to bind variables to SQL query parameters with dedicated methods like bindParam, which ensures that user-provided data will be properly escaped.
...and sometimes even shut it down or execute arbitrary operating system commands. The solution is to use prepared statements and to bind variables to SQL query parameters with dedicated methods like bindParam, which ensures that user-provided data will be properly escaped.
#SecurityExplained S-63: CWE - 20: Improper Input Validation [CWE Top 25]
The product/program does not validate or validate poorly or input that can disrupt a program's control flow or data flow.
1/N 🧵
The product/program does not validate or validate poorly or input that can disrupt a program's control flow or data flow.
1/N 🧵
2/N
When software fails to properly validate input, an attacker can construct it in a way that the rest of the application does not expect. As a result, components of the system may receive unwanted input, resulting in a change in control flow or even arbitrary code execution.
When software fails to properly validate input, an attacker can construct it in a way that the rest of the application does not expect. As a result, components of the system may receive unwanted input, resulting in a change in control flow or even arbitrary code execution.
3/N
The flaw appears during the Architecture and Design, as well as the implementation stages.
It allows to:
- Cause the Program to Stop
- Set Arbitrary Command Execution
- Cause Excessive Expenditure of Resources
- Read and Compromise Personal Information
The flaw appears during the Architecture and Design, as well as the implementation stages.
It allows to:
- Cause the Program to Stop
- Set Arbitrary Command Execution
- Cause Excessive Expenditure of Resources
- Read and Compromise Personal Information
#SecurityExplained S-61: CWE-787: Out-of-bounds Write
The Out-of-bounds Write is a software security vulnerability that occurs when the data is written beyond the boundaries (i.e. past the end, before the beginning) of the intended buffer.
1/n
The Out-of-bounds Write is a software security vulnerability that occurs when the data is written beyond the boundaries (i.e. past the end, before the beginning) of the intended buffer.
1/n
2/n
This weakness is also listed in the CWE TOP 25 (2021). This has been given the CWE ID as CWE-787
- This vulnerability could result in buffer overflows, memory corruption, the crash of the software or even a code execution.
This weakness is also listed in the CWE TOP 25 (2021). This has been given the CWE ID as CWE-787
- This vulnerability could result in buffer overflows, memory corruption, the crash of the software or even a code execution.
3/n
As per the cwe.mitre.org, The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
As per the cwe.mitre.org, The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
#SecurityExplained S-60: Introduction to CWE
According to the official description, the CWE™ (Common Weakness Enumeration) is a community-developed list of software and hardware weakness types.
[1/n🧵]
#AppSec #infosec #websecurity #cybersecurity #bugbountytips #Pentesting
According to the official description, the CWE™ (Common Weakness Enumeration) is a community-developed list of software and hardware weakness types.
[1/n🧵]
#AppSec #infosec #websecurity #cybersecurity #bugbountytips #Pentesting
2/n
It serves as a common language, a measuring stick for security tools, and as a line for weakness identification, mitigation, and prevention efforts. The list includes more than 924 Common Weaknesses in Software & Hardware.
It serves as a common language, a measuring stick for security tools, and as a line for weakness identification, mitigation, and prevention efforts. The list includes more than 924 Common Weaknesses in Software & Hardware.
3/n
There are multiple options available to look for a CWE such as:
- By Software Development
- By Hardware Design
- By Research Concepts
- External Mappings such as (CWE TOP 25, OWASP TOP 10, Software Fault Pattern Cluster and more)
There are multiple options available to look for a CWE such as:
- By Software Development
- By Hardware Design
- By Research Concepts
- External Mappings such as (CWE TOP 25, OWASP TOP 10, Software Fault Pattern Cluster and more)
#SecurityExplained S-59: Ruby ERB SSTI
Server-Side Template Injection (SSTI) vulnerabilities occur when user-supplied data is inserted into a template and insecurely evaluated as an expression by the template engine.
#appsec #bugbountytips
[1/n 🧵]
Server-Side Template Injection (SSTI) vulnerabilities occur when user-supplied data is inserted into a template and insecurely evaluated as an expression by the template engine.
#appsec #bugbountytips
[1/n 🧵]
This may allow an attacker to trick the template engine into evaluating an expression that could allow an attacker to execute system commands or get a shell
To look for template injection vulnerability, it is essential to enumerate and know if the template engine is in use.
2/n
To look for template injection vulnerability, it is essential to enumerate and know if the template engine is in use.
2/n
3/n
If the application uses a template engine, the next thing is to know what language-based template injection is used and what all classes and methods are accessible that could be chained together to perform the desired action.
If the application uses a template engine, the next thing is to know what language-based template injection is used and what all classes and methods are accessible that could be chained together to perform the desired action.
မိမိဖုန်းကိုလုံခြုံအောင်ဘယ်လိုထားမလဲ……
ဖုန်းလုံခြုံရေးအတွက် အရေးကြီးတဲ့ အချက်များကို မျှဝေပေးချင်ပါတယ် 👇👇👇
1/7
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
ဖုန်းလုံခြုံရေးအတွက် အရေးကြီးတဲ့ အချက်များကို မျှဝေပေးချင်ပါတယ် 👇👇👇
1/7
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
2/7
Important security tips for staying safe with a mobile phone in Myanmar.
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
Important security tips for staying safe with a mobile phone in Myanmar.
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
3/7
Important security tips for staying safe with a mobile phone in Myanmar.
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
Important security tips for staying safe with a mobile phone in Myanmar.
#WhatsHappeningInMyanmar
#Myanmar #securityexplained
#MyanmarWitness
#ဒစ်ဂျစ်တယ်လုံခြုံရေး
#မိုဘိုင်းဖုန်းလုံခြုံရေး
#securityexplained S-32: Account Takeover Methodologies
A thread on my Account Takeover Methodologies 🧵
[1/n]
#appsec #infosec #webappsec #bugbountytips #bugbounty #hacking #Coding #security #development #securecoding #learn365 #securityexplained
A thread on my Account Takeover Methodologies 🧵
[1/n]
#appsec #infosec #webappsec #bugbountytips #bugbounty #hacking #Coding #security #development #securecoding #learn365 #securityexplained
[2/n]
An account takeover usually refers to gaining persistent access to the victim user's account and performing all the authentication actions as a victim would be able to do. The severity of account takeover issues is usually considered between High to Critical.
An account takeover usually refers to gaining persistent access to the victim user's account and performing all the authentication actions as a victim would be able to do. The severity of account takeover issues is usually considered between High to Critical.
[3/n]
However, it also depends upon the complexity and likelihood of the attack.
In general, the account takeover is not a "vulnerability class" itself but an impact result of a vulnerability.
However, it also depends upon the complexity and likelihood of the attack.
In general, the account takeover is not a "vulnerability class" itself but an impact result of a vulnerability.
#SecurityExplained S-7: My Methodology to Test Premium Features
Premium Features are not widely tested by the crowd due to the involvement of a purchase factor. However, the person who often invests in the premium account is less likely to go disappointed.
(1/n)🧵
Premium Features are not widely tested by the crowd due to the involvement of a purchase factor. However, the person who often invests in the premium account is less likely to go disappointed.
(1/n)🧵
Below is my methodology to test for the Premium features:
[Without Purchase]
1. Fuzzing the API endpoints to find out the endpoints that are accessible to premium users.
(2/n)
[Without Purchase]
1. Fuzzing the API endpoints to find out the endpoints that are accessible to premium users.
(2/n)
2. Comparing the difference in the freemium vs premium accounts and creating a threat map of functionalities available in the premium account to make sure if it's really worth an investment.
(3/n)
(3/n)
#securityexplained
S-6: Bypassing Biometrics in iOS with Objection
Many applications in iOS platform provides a functionality to enable touch/face ID to act as an added layer of protection to the application. However, it is possible to bypass this layer.
(1/n)
S-6: Bypassing Biometrics in iOS with Objection
Many applications in iOS platform provides a functionality to enable touch/face ID to act as an added layer of protection to the application. However, it is possible to bypass this layer.
(1/n)
(2/n)
If the attack has "physical access" to the device, there are multiple options to bypass the checks, however, one of the simplest methods is to use "Objection".
Before, performing the attack ensure that the Frida is running. Also, the Objection must be installed.
If the attack has "physical access" to the device, there are multiple options to bypass the checks, however, one of the simplest methods is to use "Objection".
Before, performing the attack ensure that the Frida is running. Also, the Objection must be installed.
(3/n)
# How to perform the attack:
1. Run the following command: objection --gadget <package_name_here>
2. In the objection run following command: ios ui biometrics_bypass
# How to perform the attack:
1. Run the following command: objection --gadget <package_name_here>
2. In the objection run following command: ios ui biometrics_bypass
#SecurityExplained S-5: Bypassing Privileges & Other Restrictions with Mass Assignment Attacks.
As per OWASP's definition: Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or ...
(1/n)
As per OWASP's definition: Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or ...
(1/n)
objects to make using that framework easier on developers. Attackers can sometimes use this methodology to create new parameters that the developer never intended which in turn creates or overwrites new variable or objects in program code that was not intended.
(2/n)
(2/n)
(3/n)
There are multiple attacks that can be executed by exploiting this vulnerability such as escalating privileges, bypassing business logic, manipulating payloads and bypassing client-side checks.
There are multiple attacks that can be executed by exploiting this vulnerability such as escalating privileges, bypassing business logic, manipulating payloads and bypassing client-side checks.
#SecurityExplained S-1: Web Testing Methodology
The below thread contains an overview of my pentesting methodology on the web application targets:
1. Initially, before starting with the engagement, I start with "Scoping" .........
(1/n)
The below thread contains an overview of my pentesting methodology on the web application targets:
1. Initially, before starting with the engagement, I start with "Scoping" .........
(1/n)
(2/n)
where I go through the details shared by the client to understand the scope and see if the testing is feasible as per the given timeline. During this phase, I also check if the application is accessible and credentials (if required) are working properly.
where I go through the details shared by the client to understand the scope and see if the testing is feasible as per the given timeline. During this phase, I also check if the application is accessible and credentials (if required) are working properly.
(3/n)
If any of the things from "Step-1" are blocking, I reach out to the concerned person and request to unblock the blocking items.
2. Next, I start browsing the application while letting the traffic flow through Burp Suite to populate the "Target" menu.
If any of the things from "Step-1" are blocking, I reach out to the concerned person and request to unblock the blocking items.
2. Next, I start browsing the application while letting the traffic flow through Burp Suite to populate the "Target" menu.
