
Posts

Safeguarding the Virtual Frontier: Navigating Web Application Security in the Modern Age

In the ever-expanding realm of the internet, web applications have become the backbone of our digital interactions. From shopping to banking, communication to entertainment, we rely on these applications for countless tasks. However, the convenience they offer comes hand in hand with a growing concern: the security of our data and information. Let's take a concise journey through the state of web application security in today's fast-paced digital landscape.

The Growing Threat Landscape

As technology advances, so do the methods of cyber attackers. Today, web applications are targeted by a myriad of threats, from classic SQL injection attacks to sophisticated zero-day vulnerabilities. The rise of APIs, mobile apps, and cloud services has broadened the attack surface, making it imperative for security measures to adapt in order to thwart these evolving threats.

The Shifting Paradigm: Beyond the Perimeter Defense

Gone are the days when a strong perimeter defense was enough...

How to Approach Web Application Vulnerability Assessment using Burp Community | Part - 3 | Audit Guidelines | High Impact Web Vulnerability | RCE

Web application file upload RCEs are very common, and multiple bypasses for the existing mitigations are available. In this part 3 of the blog series on how to check for web application vulnerabilities with Burp Community Edition, I will cover one of the bypass techniques. This blog will be very helpful while performing a web application security assessment (VAPT) manually. In this part of the blog, we will cover a file upload vulnerability with High impact severity. Please refer to the audit guidelines below.

Audit Guideline

Concept: Linux has a file name restriction of 255 characters/bytes. If you attempt to create a file that has more than 255 characters in its name, then it will truncate the characters after those 255 characters. So now we have to upload a file named like this: fffffffffff......fffffffffff.php .jpeg, where the length of the green highlighted part is exactly 255. Uploading this would bypass the extension restriction at the client and server end, but when storing the file at the server, ...

Start from 0 to Zero Day in cyber security world | Cyber Security Common Terms | Introduction

"Today I read that a Hacker attacked the cyber security world with a new attack. Who is a Hacker? What is cyber security?" This type of news is very common nowadays, and the same questions come to your mind. So this article is for newbies like you, or for anyone who wants to learn cyber security from scratch along with the related words and terms used. (This list will be updated regularly.)

How to Approach Web Application Vulnerability Assessment using Burp Community | Part - 2 | Audit Guidelines | High Impact Web Vulnerability

This blog is part 2, continuing the series on how to check for web application vulnerabilities with Burp Community Edition. This blog will be very helpful while performing a web application security assessment (VAPT) manually. In this part of the blog, we will cover a few vulnerabilities with High impact severity. Please refer to the audit guidelines below for serious vulnerabilities.

IP Spoofing (Bypass Whitelisting)

Audit Guideline

Try to access the application from any network except the whitelisted one. Capture the base request in Burp Community and send the request to the Repeater. Add an X-Forwarded-For header to the request containing the IP that is whitelisted for application access. Observe that the application responds normally. Hence, the whitelisting has been bypassed to access the application.

Proof of Concept

Request without X-Forwarded-For Header

Request with X-Forwarded-For Header

Account Takeover via Forgot Password — A Practical Attack Scenario of Host Header...

How to Approach Web Application Vulnerability Assessment using Burp Community | Part - 1 | Audit Guidelines | High Impact Web Vulnerability

This blog basically covers how to check for web application vulnerabilities with Burp Community Edition. It will be very helpful while performing a web application security assessment manually. In this part of the blog, we will cover a few vulnerabilities with High impact severity. So here is the blog.

Mastering the Art of Advanced Cybersecurity: Essential Skills for Today's Digital Defenders

Introduction

In today's hyper-connected world, the realm of cybersecurity has become more critical than ever. As cyber threats evolve and grow in sophistication, organizations and individuals must equip themselves with advanced cybersecurity skills to safeguard their digital assets. Whether you aspire to be a cybersecurity professional or simply want to enhance your online security knowledge, this blog will delve into the essential skills required for advanced cybersecurity.

Deep Technical Knowledge

A solid foundation in technical skills forms the bedrock of advanced cybersecurity. Understanding networking protocols, operating systems, and programming languages allows professionals to comprehensively analyze and protect complex IT infrastructures. Proficiency in areas such as penetration testing, vulnerability assessment, and malware analysis is crucial to identify and mitigate potential security risks effectively.

Threat Intelligence

Advanced cybersecurity practitioners must posse...

A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection

Content Spoofing is an injection in which user input is reflected as-is in the application response, which can be used in phishing attacks. During the recon phase, I found itunesconnect.apple.com, a subdomain of Apple, and after digging into it, I observed that the content of the errorKey parameter was reflected back to the page as shown below.

Payload - https://itunesconnect.apple.com/login?errorKey=This%20message%20can%20be%20changed%20by%20attacker.%20This%20is%20content%20spoofing%20till%20now.%20Let%20try%20to%20exploit%20it%20further.

With normal inline Cross-Site Scripting (XSS) payloads, the application was giving a blank pop-up. After trying different scenarios, I observed that dangling markup injection is possible on the vulnerable parameter (errorKey).

Let's understand the concept of Dangling Markup Injection

Dangling markup injection is very useful where we can't find a way to execute our JavaScript due to input filters, content security policy,...