Posts

Showing posts from February, 2023

How I found Reflected XSS in NCSC UK

Hi, I hope you're well. In this article, I'm writing about how I found Reflected XSS in NCSC UK. One of my friends messaged me on Facebook saying that he had found Insecure Deserialization in NCSC UK. This got me curious, and I also wanted to report a vulnerability to them, but I wanted to do it quickly without digging too deep. So, I started with my usual recon flow.

Reconnaissance

At first, I enumerated subdomains using subfinder, which returned about 682 subdomains.

$ cat domains.txt | subfinder -silent -recursive > subdomains.txt

Then, I probed for HTTP servers on ports 80 and 443 using httprobe:

$ cat subdomains.txt | httprobe > probedSubdomains.txt

I was interested in testing an application with a login/registration feature, so I took screenshots of all the domains to choose a target visually.

$ gowitness file -f probedSubdomains.txt

After gowitness finished running, I looked at the screenshots and found an interesting target: https://my.ncsc.gov.uk

Starting the hunt

I registe...

Prevent account takeover with proper cookie configuration

In this blog, I am writing about how an improperly configured cookie may lead to account takeover. The type of account takeover I'm writing about is only possible when you're on the same local network as the victim. Before explaining the issue, I want to thank Veshraj Ghimire for reviewing this.

Misconfiguration #1: Not using the 'secure' flag while setting cookies

What is the 'secure' flag? The secure flag is a setting that can be specified when a cookie is created and sent from a web server to a client browser. When a cookie is marked with the secure flag, the client browser will only transmit the cookie back to the server over a secure HTTPS connection. If the secure flag is not set, the cookie will be sent over both secure and insecure connections, making it vulnerable to eavesdropping and tampering by malicious actors.

Misconfiguration #2: Cookie scoped to all the subdomains

What do I mean by "cookie scoped to all the subdomains"? If yo...

Getting unlimited money by abusing the 'Send Money' feature

It has been a while since I published a post. So, I am writing this one to share one of my interesting findings while testing an e-wallet application.

I glanced at my Total Balance and wondered if there was a way for me to increase it arbitrarily. So, I thought a Race Condition would help me here.

What is a Race Condition vulnerability? "A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously." - automox.com

So, I loaded up Turbo Intruder in Burp Suite and attempted testing it. I failed. I couldn't exploit it. I didn't want to give up this soon. I kept that fire bottled up and changed my approach. I realized that the 'Send Money' feature uses basic maths to reduce the balance of the sender's account and add it to the receiver's account. So, the feature did the following operations:

function sendMoney(sender, receiver, amoun...