InfoSec Write-ups - Medium-- Cross Site Scripting allows an attacker to inject malicious javascript code in the web application through some parameters and can be escalated further to perform attacks such as cookie stealing, session hijacking etc. Types of XSS: Reflected XSS, Stored XSS, DOM Based XSS. How it all started? I recently got an invite for a private program on BugCrowd and I … Continue reading Automating xss identification with Dalfox & Paramspider
Tag: InfoSec Write-ups – Medium
HTTP Headers : Web App Security Basics
InfoSec Write-ups - Medium-- HTTP Headers : Web App Security Basics. HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon, then by its value. Example: Strict-Transport-Security: max-age=31536000 Some HTTP headers that are indirectly related to privacy and security, can also be considered … Continue reading HTTP Headers : Web App Security Basics
TryHackMe: GamingServer Write-up
InfoSec Write-ups - Medium-- TryHackMe: GamingServer Write-up. Beginners CTF Challenge. This is a write-up of GamingServer, a THM beginner-level challenge. Without any delay, let’s connect to our THM OpenVPN network and boot our machine. Task 1 Boot2Root: 1. Scan your network using Nmap: nmap -A <machine-ip> (Nmap scan results) 2. There are two open ports. Let us see what is in the HTTP(80) port. (http page) 3. Looks like … Continue reading TryHackMe: GamingServer Write-up
TryHackMe- Gotta Catch’em All CTF Writeup (Detailed)
InfoSec Write-ups - Medium-- Welcome folks! We are going to do Gotta Catch’em All CTF on TryHackMe. Continue reading on InfoSec Write-ups » View original article on InfoSec Write-ups - Medium
FluxCloud Frontline — Writeup
InfoSec Write-ups - Medium-- FluxCloud Frontline: Hack.lu Writeup. The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge. In the following, I describe the plain solution and leave out the many rabbit holes we stepped into. The Challenge: With … Continue reading FluxCloud Frontline — Writeup
Secure network monitoring with elastic — Packetbeat + Suricata
InfoSec Write-ups - Medium-- Secure monitoring of networks using ELK stack, Packetbeat and Suricata. Continue reading on InfoSec Write-ups » View original article on InfoSec Write-ups - Medium
Accidental Observation to Critical IDOR
InfoSec Write-ups - Medium-- Insecure Direct Object Reference falls under the category for Broken Access Controls as per OWASP TOP 10 (2017 Edition). This issue usually occurs due to weak implementation of the application’s access control logics which links an identifier or an object to a particular asset say user_id parameter defines which user’s data … Continue reading Accidental Observation to Critical IDOR
Bypassing WAF to do Error-Based SQL Injection
InfoSec Write-ups - Medium-- Bypassing WAF to do advanced Error-Based SQL Injection. During penetration testing, I was faced with a website which in this article I will name http://domain.com. While browsing the website, I didn’t see a single parameter, even though the website was built with PHP. I quit browsing and started Google Dorking. Google Dorking to … Continue reading Bypassing WAF to do Error-Based SQL Injection
Hasta la vista, baby
InfoSec Write-ups - Medium-- TryHackMe Skynet machine walkthrough. Continue reading on InfoSec Write-ups » View original article on InfoSec Write-ups - Medium









