E-Mail Address Validation Reasoning Table

After spending some time rummaging through the “Hacktivity” pages on the bug bounty site HackerOne, I’ve noticed that on occasion some sites will reject the registration of accounts that are associated with temporary e-mail addresses. This is perfectly understandable, especially if it’s the type of site that needs to require both unique and legitimate PII (Personally Identifiable Information) because it’s offering a financial service, for example. The ability to create accounts with false registration info will facilitate the activities of attackers wishing to test the site’s behavior patterns. …

Until recently, I wrongly assumed that servlets already patched for open HTTP Location: redirect vulnerabilities were a lost cause in the theater of web app exploitation (TL;DR Scroll down to see hyperlinks & DNS zone file entries.) Some instances of such server-side code are riper for attacking than one may initially think — depending upon many deployment details of course including: HTTP daemon, WAF’s and other middleware software configs, server-side coding, control flow as determined by CGI programming, etc. Under the contemporary state of web application vulnerability research, I only recommend malicious DNS record creation to be used as a…

Derek Callaway

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store