OWASP Top 10 – What are Different Types of XSS ?

Cross Site Scripting (XSS) is the most popular web application vulnerability. It is a code injection attack that allows attackers to execute malicious JavaScript code in user’s browser. In this approach of attack, the attackers exploit the vulnerability in a website that the user visits, hence the website itself deliver the malicious JavaScript to the […]

API Penetration Testing with OWASP 2017 Test Cases

Brief about API Penetration Testing: API Penetration Testing is one of the favourite attack surfaces, where the attacker can use to gain into further access to the application or server. During the blog reading, I’ve described the OWASP 2017 Test Cases which is applicable for a general application pen test. I’m going to cover basics […]

Tabnabbing – An art of phishing

This blog is about a technique used by attackers to perform phishing attack by using the Tabnabbing. Although, this was technique was invented long time ago, but there are very few articles on this. Hence, I thought to write something on this topic. What is tabnabbing?p Tabnabbing is a client side attack web based attack. […]

Web Services and API Penetration Testing Part #1

Hi Readers, today we will learn about another interesting part of web services and API penetration testing part, this revolves around Security assessments of web services. To start with let’s take a look at what web services are made of: A web service is software composed of standardized XML messaging system. The benefit of web […]

OWASP TOP 10: #4 | Insecure Direct Object Reference Vulnerability

tl;dr: I’m Pentester and recently I got my first pentest project and I’ve successfully executed with my senior colleague. As the application was developed to perform the financial operations, I had focus of finding Insecure Direct Object Reference Vulnerabilities. This blog will help you for having the understanding of the IDOR vulnerability. Insecure Direct Object […]

Automating Web Apps Input fuzzing via Burp Macros

Hi Readers, This article is about Burp Suite Macros which helps us in automating efforts of manual input payload fuzzing. While it may be known to many testers, this article is written for those who are yet to harness the power of burp suite’s macro automation. In my penetration testing career so far, while performing […]

OWASP Top 10 : Cross-Site Scripting #3 Bad JavaScript Imports

This blog covers Cross-Site Scripting (XSS) vulnerability from a different perspective. Generally, XSS is when the application takes user supplied JavaScript and displays it without escaping/encoding. In this blog, we will see how can XSS be exploited even if the application properly escapes/encodes the user inputted JavaScript using different methods. Exploiting XSS in this way can […]

OWASP TOP 10: Insufficient Attack Protection #7 – CAPTCHA Bypass

What is CAPTCHA? CAPTCHA is an acronym for “Computer Automated Public Turing test to tell Computers and Humans apart”. It is used to determine whether or not the user is human. Many times, a CAPTCHA is an image. A human has to solve it using the challenge response system. A human can usually read it […]

OWASP Top 10 Details About WebSocket Vulnerabilities and Mitigations

Socket in a Nutshell A socket is an endpoint of a network communication. A socket always comes in 2 parts: An IP address and a port. For example: When you visit www.securelayer7.net, your computer and the website’s computer are communicating using sockets (endpoints). The endpoint of the website will be: www.securelayer7.net:80 and endpoint of your […]

OWASP Top 10 : Cross-Site Scripting #2 DOM Based XSS Injection and Mitigation

What is a DOM (Document Object Model)? DOM is a W3C (World Wide Web Consortium) standard. It is a platform independent interface that allows programs and scripts to dynamically access and modify the structure of an document. The document can be HTML, XHTML or XML. Let us apply the above definition practically: Before modifying element using DOM: […]