Learn About Cross Site Request Forgery aka CSRF

Overview Cross Site Request Forgery is a vulnerability which is very commonly found in many web applications these days. And it is also included in the OWASP Top 10 List of Common Web application vulnerabilities. Before i start with the technical explanation, let me give you a lay-man example of the CSRF attack, just to […]

Password Reset OTP Bypass Critical Vulnerability in YesBank Banking Application

I am a customer of YesBank and I hold my savings account with them. I also use the YesBank’s online banking application and I strongly feel that they need to look into security of the application of the bank. So, as a responsible client, I disclosed the vulnerability to YesBank which I recently found in their […]

Learn About Race Conditions Vulnerability

To learn about Race Conditions Vulnerability, let us start with an example – Imagine yourself in a bus, where all the seats are occupied and several people are standing. Now, the destination of one of the passengers seated has arrived. He gets down the bus leaving his seat vacant. You see that vacant seat and […]

Everything about the CSV Excel Macro Injection

CSV Excel Macro Injection, also known as Formula Injection or  CSV Injection, is an attack technique which we use in the day to day penetration testing of the application. CSV injection is a vulnerability which affects applications having the export spreadsheets functionality. These spreadsheets generate dynamically from invalidated or unfiltered user inputs. Modern web applications offer […]

Google Cloud Print ClickJacking Vulnerability

Last weekend, I had a chance to use the Google cloud print service and found Clickjacking vulnerability. Obviously, X-Frame-Options response header was missing as shown in the below image. According to the new Google bug bounty program, if clickjacking vulnerability is performed using two clicks will not be considered for VRP or bug. That’s why […]

vBulletin SQL Injection Exploit in the Wild CVE-2016-6195

vBulletin SQL Injection Exploit is released. On June 18th, vBulletin forum pushed a patch for the SQLi injection, which is still working on the number of the website according to our research. If you’re using a version of vBulletin 4 older than 4.2.2, the cyber criminal could probably hack you. Moreover, they could most probably […]

Firefox 47.0 Memory Access violation Crash – FIXED

We were working on Firefox browser automation for opening some of the URL for the malware analysis. We used the combination of python and selenium to perform automation and the After few mins, we stumble upon a Firefox crash, which was causing the memory access violation crash as shown in the following image. After few […]

MongoDB security – Injection attacks with php

Before we move on to the MongoDb injections, we must understand what MongoDb exactly is and why we prefer it over other databases. As MongoDb does not use SQL people assumed it is not vulnerable to any kind of injection attacks. But believe me, no one is born with inbuilt security aspects. We have to […]