The most frequent vulns I found in 80+ pentests in 2022.
(thread)
(thread)
1. Rate Limit Bypass
In more than half of the pentests I conducted, I found that there were no rate limits imposed on login functions or authentication mechanisms. This lack of rate limiting, combined with weak password policies, can lead to accounts being easily compromised.
In more than half of the pentests I conducted, I found that there were no rate limits imposed on login functions or authentication mechanisms. This lack of rate limiting, combined with weak password policies, can lead to accounts being easily compromised.
2. Session Token not Invalidated upon Logout
This vuln is caused when the session token is not invalidated at user logout. If the validity of the token or the time to expiry is long, this can lead to the token being leaked, potentially resulting in a data breach or other vulns.
This vuln is caused when the session token is not invalidated at user logout. If the validity of the token or the time to expiry is long, this can lead to the token being leaked, potentially resulting in a data breach or other vulns.
3. Missing Security Headers
When vulnerable to XSS, having a solid Content Security Policy can effectively prevent a large proportion of XSS attacks. This has not been the case in my pentests.
When vulnerable to XSS, having a solid Content Security Policy can effectively prevent a large proportion of XSS attacks. This has not been the case in my pentests.
4. I made a video about these so that you can understand better.
For more tweets and threads: like, retweet, and follow me.
#pentesting #appsec #infosec #cybersecurity #bugbounty #hacking #ethicalhacking
For more tweets and threads: like, retweet, and follow me.
#pentesting #appsec #infosec #cybersecurity #bugbounty #hacking #ethicalhacking
• • •
Missing some Tweet in this thread? You can try to
force a refresh
