Friday, 29 June 2018

cPanel WebDisk Android App 4.0 : Backup Vulnerability




cPanel WebDisk Android App 4.0 : Backup Vulnerability

Hello folks,

This vulnerability is regarding an Insecure Data Storage & Security Miss-Congiguration, which can be achieve using Android Backup Functionality.

We all know that many of the mobile application stored user credentials or any sensitive data into device itself as clear text format. which ideally not a good practice.

But many of us might know that to access that data we need root privileges or require some special conditions like debugging to be enable. So still if the mobile application is storing sensitive data in clear text its not an issues. Many Security Teams & Bug Bounty Programs Specially exclude this kind of vulnerability where Root/JailBroken conditions required to exploit a vulnerability.

Tuesday, 26 September 2017

Yandex IMAP Brute Forcing(No Rate Limit For Login Attempts)

Hello Guyzssss,

I am not in bug bounty so much, But while using one of the yandex service, I found that there was no Rate Limit Deployed for login attempts on their IMAP Authentication.

Means user can perform multiple attempts on their IMAP Service, Which is responsible to access yandex mail on other accounts.Just like others.

Like gmail users can import yandex emails(Account) using IMAP Authentication.

Sunday, 23 April 2017

Pentesting Node.js Application : Nodejs Application Security


Pentesting Node.js Application : Nodejs Application Security

Hello folks, Today we will see how we can do Pentesting Of NodeJS Application : Attacking NodeJS Application.

As we know that Javascript is a very common and important language and also a light wight which do our most of task very easily.

But we also know that, Great efficiency comes with great risk. Node JS is a kind of server side programming language derived from JS.

According to Wiki

Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. Historically, JavaScript was used primarily for client-side scripting, in which scripts written in JavaScript are embedded in a webpage's HTML, to be run client-side by a JavaScript engine in the user's web browser. Node.js enables JavaScript to be used for server-side scripting, and runs scripts server-side to produce dynamic web page content before the page is sent to the user's web browser. Consequently, Node.js has become one of the foundational elements of the "JavaScript everywhere" paradigm,[4] allowing web application development to unify around a single programming language, rather than rely on a different language for writing server side scripts.


Today we will see some of the vulnerabilities which can be exploited in Node.JS application. We will also take a look on the source code for better understanding.

iOS Application Pentesting Part 5 : Insecure HTTP Data Transit



Just like Transmitting Sensitive Credentials Over HTTP, Application which used HTTP to communicate with their server and don`t using any kind of encryption are vulnerable to this issues.

In iGoat application, there is a simple demonstration that username & password passed in application is transmitting over http and without any encryption as result an attacker can capture/sniff those packages and could hijack victim`s account.

Featured post

cPanel WebDisk Android App 4.0 : Backup Vulnerability

cPanel WebDisk Android App 4.0 : Backup Vulnerability Hello folks, This vulnerability is regarding an Insecure Data Storage ...

Popular Posts