OWASP TOP 10: #4 | Insecure Direct Object Reference Vulnerability

tl;dr: I’m Pentester and recently I got my first pentest project and I’ve successfully executed with my senior colleague. As the application was developed to perform the financial operations, I had focus of finding Insecure Direct Object Reference Vulnerabilities. This blog will help you for having the understanding of the IDOR vulnerability. Insecure Direct Object […]

Automating Web Apps Input fuzzing via Burp Macros

Hi Readers, This article is about Burp Suite Macros which helps us in automating efforts of manual input payload fuzzing. While it may be known to many testers, this article is written for those who are yet to harness the power of burp suite’s macro automation. In my penetration testing career so far, while performing […]

OWASP Top 10 : Cross-Site Scripting #3 Bad JavaScript Imports

This blog covers Cross-Site Scripting (XSS) vulnerability from a different perspective. Generally, XSS is when the application takes user supplied JavaScript and displays it without escaping/encoding. In this blog, we will see how can XSS be exploited even if the application properly escapes/encodes the user inputted JavaScript using different methods. Exploiting XSS in this way can […]

OWASP TOP 10: Insufficient Attack Protection #7 – CAPTCHA Bypass

What is CAPTCHA? CAPTCHA is an acronym for “Computer Automated Public Turing test to tell Computers and Humans apart”. It is used to determine whether or not the user is human. Many times, a CAPTCHA is an image. A human has to solve it using the challenge response system. A human can usually read it […]

OWASP Top 10 Details About WebSocket Vulnerabilities and Mitigations

Socket in a Nutshell A socket is an endpoint of a network communication. A socket always comes in 2 parts: An IP address and a port. For example: When you visit www.securelayer7.net, your computer and the website’s computer are communicating using sockets (endpoints). The endpoint of the website will be: www.securelayer7.net:80 and endpoint of your […]

OWASP Top 10 : Cross-Site Scripting #2 DOM Based XSS Injection and Mitigation

What is a DOM (Document Object Model)? DOM is a W3C (World Wide Web Consortium) standard. It is a platform independent interface that allows programs and scripts to dynamically access and modify the structure of an document. The document can be HTML, XHTML or XML. Let us apply the above definition practically: Before modifying element using DOM: […]

OWASP Top 10 : Penetration Testing with SOAP Service and Mitigation

SOAP Overview: Simple Object Access Protocol (SOAP) is Connection or an interface between the web services or a client and web service. SOAP is operated with application layer protocols like HTTP, SMTP or even with the TCP for message transmission. Figure 1  SOAP Operation It is developed in xml language, which uses Web Service Description […]

OWASP TOP 10: Security Misconfiguration #5 – CORS Vulnerability and Patch

What is the meaning of an origin? Two websites are said to have same origin if both have following in common: Scheme (http, https) Host name (google.com, facebook.com, securelayer7.net) Port number (80, 4567, 7777) So, sites http://example.com and http://example.com/settings have same origin. But https://example.com:4657 and http://example.com:8080/settings have different origins. The ‘Same Origin Policy’ restricts how a script […]

OWASP TOP 10 Cross-Site Request Forgery #8 – About CSRF Vulnerability and Fix

Overview OWASP TOP 10 Cross-Site Request Forgery #8 is a vulnerability which is very commonly found in many web applications these days. And it is also included in the OWASP Top 10 List of Common Web application vulnerabilities. Before I start with the technical explanation, let me give you a lay-man example of the CSRF […]