Tuesday, 26 September 2017

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss,

I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deployed for login attempts on their IMAP Authentication.

Means user can perform multiple attempts on their IMAP Service, Which is responsible to access yandex mail on other accounts.Just like others.

Like gmail users can import yandex emails(Account) using IMAP Authentication.

Sunday, 23 April 2017

Pentesting Node.js Application : Nodejs Application Security


Pentesting Node.js Application : Nodejs Application Security

Hello folks, Today we will see how we can do Pentesting Of NodeJS Application : Attacking NodeJS Application.

As we know that Javascript is a very common and important language and also a light wight which do our most of task very easily.

But we also know that, Great efficiency comes with great risk. Node JS is a kind of server side programming language derived from JS.

According to Wiki

Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. Historically, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage's HTML, to be run client-side by a JavaScript engine in the user's web browser. Node.js enables JavaScript to be used for server-side scripting, and runs scripts server-side to produce dynamic web page content before the page is sent to the user's web browser. Consequently, Node.js has become one of the foundational elements of the "JavaScript everywhere" paradigm,[4] allowing web application development to unify around a single programming language, rather than rely on a different language for writing server side scripts.


Today we will see some of the vulnerabilities which can be exploited in Node.JS application. We will also take a look on the source code for better understanding.

iOS Application Pentesting Part 5 : Insecure HTTP Data Transit



Just like Transmitting Sensitive Credentials Over HTTP, Application which used HTTP to communicate with their server and don`t using any kind of encryption are vulnerable to this issues.

In iGoat application, there is a simple demonstration that username & password passed in application is transmitting over http and without any encryption as result an attacker can capture/sniff those packages and could hijack victim`s account.

Sunday, 16 April 2017

iOS Application Pentesting Part 4 : Installing iGoat Application

Picture taken from : https://www.owasp.org/index.php/OWASP_iGoat_Project

To perform hands on practice and learning we will use iGoat iOS Application part of OWASP Security Project. You can find their Github page here. This Mobile Application is designed as vulnerable for Security Professionals and learner to enhanced their Skills over iOS Application Pentesting.

This project is Maintained by following folks.
Swaroop
masbog
mtesauro
DinisCruz

Here is the Project Details



For later practices we will install this application XCode and run it, But i recommended you to use a Physical device while performing pentesting.

Featured post

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss, I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deploye...

Popular Posts