The most frequent vulns I found in 80+ pentests in 2022.

(thread)
1. Rate Limit Bypass

In more than half of the pentests I conducted, I found that there were no rate limits imposed on login functions or authentication mechanisms. This lack of rate limiting, combined with weak password policies, can lead to accounts being easily compromised.
2. Session Token not Invalidated upon Logout

This vuln is caused when the session token is not invalidated at user logout. If the validity of the token or the time to expiry is long, this can lead to the token being leaked, potentially resulting in a data breach or other vulns.
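Items 1 and 2 both come down to server-side state the thread says was missing: a counter of failed logins per account, and a session store the server can revoke on logout rather than trusting the token's expiry. The following example, added here and not the thread author's code, models both in plain Python: `AuthService` refuses a login attempt once an account has `MAX_FAILURES` recent failures (even if the password is then correct), and `logout` deletes the token server-side so it is dead regardless of its remaining TTL. The limits, the `ManualClock` helper and the sample user are constructed for illustration; a real deployment would also key the limit on source address and back the store with shared storage.

```python
# Added example (not the thread's code): per-account failed-login limiting and
# server-side session revocation on logout. Constants and sample users are
# constructed for illustration.
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed attempts allowed per account per window (assumed value)
WINDOW_SECONDS = 300       # sliding window over which failures are counted (assumed)
SESSION_TTL_SECONDS = 900  # lifetime of a session token (assumed)


class ManualClock:
    """Injectable clock so the lockout window and TTL can be driven in tests."""
    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}                     # username -> (salt, pbkdf2 hash)
        self._failures = defaultdict(deque)  # username -> timestamps of failed attempts
        self._sessions = {}                  # token -> (username, expires_at)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def recent_failures(self, username: str) -> int:
        """Drop failures older than the window and return how many remain."""
        now = self._clock()
        q = self._failures[username]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def login(self, username: str, password: str):
        """Return a session token, or None. A locked account gets None before
        the password is even checked, so guessing gains nothing."""
        if self.recent_failures(username) >= MAX_FAILURES:
            return None
        record = self._users.get(username)
        # Always run the hash so unknown users take as long as wrong passwords.
        salt, stored = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        candidate = hash_password(password, salt)
        ok = record is not None and hmac.compare_digest(candidate, stored)
        if not ok:
            self._failures[username].append(self._clock())
            return None
        self._failures[username].clear()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock() + SESSION_TTL_SECONDS)
        return token

    def whoami(self, token: str):
        """Resolve a token to a username, or None if unknown, revoked or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        # Server-side revocation: the token is useless afterwards no matter
        # how much of its TTL is left, which is the fix for item 2.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    clock = ManualClock()
    svc = AuthService(clock=clock)
    svc.register("alice", "correct horse battery")
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong")
    print("locked out:", svc.login("alice", "correct horse battery") is None)
    clock.t += WINDOW_SECONDS + 1
    tok = svc.login("alice", "correct horse battery")
    svc.logout(tok)
    print("token dead after logout:", svc.whoami(tok) is None)
```

The lockout check runs before the password comparison, so a blocked attempt leaks nothing about whether the guess was right; the same structure applies whether the counter lives in memory, as here, or in a shared cache behind several app servers.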
3. Missing Security Headers

When an application is vulnerable to XSS, a solid Content Security Policy can effectively prevent a large proportion of XSS attacks. This has not been the case in my pentests.
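A CSP only blocks injected scripts if `script-src` (or the `default-src` fallback) actually forbids inline and wildcard sources, so "has a CSP header" is not the same as "has a solid CSP". The following checker, added here and not the thread author's code, parses a response's headers and lists the gaps a pentest report would call out: a missing or permissive CSP, missing HSTS, missing `nosniff`, and no clickjacking protection. It also honours the CSP rule that `'unsafe-inline'` is ignored when a nonce or hash source is present, so a nonce-based policy is not falsely flagged. The two sample header sets are constructed for illustration.

```python
# Added example (not the thread's code): audit HTTP response headers for the
# protections item 3 refers to, with the CSP parsed rather than string-matched.
# The sample responses are constructed for illustration.
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp_value = h.get("content-security-policy")
    policy = parse_csp(csp_value) if csp_value is not None else {}
    if csp_value is None:
        findings.append("missing Content-Security-Policy")
    else:
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP level 2+).
            has_nonce_or_hash = any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                for s in script_src
            )
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
                if bad == "'unsafe-inline'" and has_nonce_or_hash:
                    continue
                if bad in script_src:
                    findings.append(f"CSP script-src allows {bad}")
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("CSP does not restrict object-src")

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed sample: the kind of response the thread describes finding.
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

# Constructed sample: the same response with a nonce-based CSP and the usual headers.
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(name, audit_headers(hdrs) or "no findings")
```

Run it against a captured response's headers; the parser-based check is what lets it tell `script-src 'self' 'nonce-...'` apart from `script-src 'unsafe-inline'` instead of treating every CSP as a pass.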
4. I made a video about these so that you can understand better.

For more tweets and threads: like, retweet, and follow me.

#pentesting #appsec #infosec #cybersecurity #bugbounty #hacking #ethicalhacking

Thread by 🇷🇴 cristi (@CristiVlad25).