Hi Guys,

So, after a gap of around 8 months, I recently did some bug hunting in the hope that I could learn something and that it would eventually fetch me a decent reward as well. This blog covers not only the vulnerabilities I was able to find but also the specific tools that helped me here. As the title suggests, this is a tale of not one or two but three vulnerabilities chained together that lead to account takeover. Let’s get into the details —

As everything starts with a bit of recon, I ran a couple of tools to gather information about the target (redacted.com). Specifically for subdomain enumeration, I keep the following tools handy — aquatone, Sublist3r, subfinder and altdns. On top of that, I had a script that adds each discovered subdomain to the Burp Suite scope and enables spidering and passive scanning. It is always good to rely on multiple tools, because there are always some edge cases that a single tool misses. In parallel, I was trying to understand the application in general: what functionality, pages and flows it has. It was an e-commerce website, and to examine the authenticated pages one needed to log in with an OTP. And when there is OTP-based login, what is the first thing that strikes everyone’s mind? Yes, you are right! …


The increased adoption of containers has given rise to a wide range of potential threats to microservice apps that run in containers. If you work in an organization whose workloads run in containers, this blog is targeted at you. It is about how effectively you can secure containers, not just by following a structured and more specific threat modeling approach, but by introducing tools at different stages of the model to prevent container security issues before you actually ship them.

Threat modeling is a structured process through which IT professionals can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate the attacks and protect IT resources. …


SECURITY

Security shouldn’t be treated as an after-thought

Design by Asif Jamal

When it comes to security, we always treat it as the utmost priority. We strongly believe that “Security shouldn’t be treated as an after-thought”; it should be brought as close to engineers, and as early in the SDLC, as possible.

Aside from the general guidelines put forth in the CIS benchmarks for all-round information security, we have automated infrastructure scans for audit and compliance, automated penetration tests including both DAST and SAST, manual pen-testing as well, and strong firewalls at multiple layers.

We are immensely proud of the infrastructure security that we have been able to build, but there is a much bigger challenge that companies face — “classic” security systems tend to be reactive in nature. …


Work-from-home culture slowly becoming a norm

With work-from-home culture slowly becoming a norm, IT companies around the globe are bringing various new developments to their team engagement tools to cater to such needs and also to compete with the ever-increasing popularity of Zoom.

Zoom has recently come under the radar, with hackers exploiting various misconfigurations in the tool, which has shifted concerns towards its loosely tied security and privacy control measures. While Zoom is being heavily criticized for all the security concerns that are being highlighted, other platforms such as Google Meet, Microsoft Skype, etc. are using this opportunity to promote their products. …


Never leave your Docker registry publicly exposed! Recently, I have been exploring Docker a lot in search of misconfigurations that organizations inadvertently make, ending up exposing critical services to the internet. In continuation of my last blog, where I talked about how the misconfiguration of leaving a Docker host/Docker APIs public can leak critical assets, here I’ll be emphasizing how Shodan led me to dozens of “misconfigured” Docker registries and how I penetrated one of them.

Refining Shodan Search

I tried a couple of search filters to find publicly exposed Docker registries on Shodan:

  1. port:5001 200 OK
  2. port:5000 docker 200…


Never leave your Docker host publicly exposed!

For the last couple of months, I have been exploring various concepts of container security, both from the perspective of attacking a container and of defending it. Containers have already taken a big share of the market. According to Docker, over 3.5 million applications have been placed in containers using Docker technology, and over 37 billion containerized applications have been downloaded. One of the biggest advantages it brings is modernizing traditional apps, whether they have a monolithic or a microservices architecture. Moving to containerized applications brings its own security risks. I will be discussing in detail the various attack and defense strategies of Docker container security in the next blog. …


This blog is posted as a wake-up call for the government to improve and strengthen its commitment to responsible data practices. It also helps to highlight the below-par security standards in the IT industry, bring the importance of security to attention, and spread awareness among companies and government to take information security as seriously as any other discipline. This blog is published after informing both the CERT-In and NCIIPC teams multiple times.

During my journey to spread security awareness among Indian tech companies, in both the private and government sectors, and in the wake of a recent hack in Singapore where 1.5 million patients’ records were leaked, I happened to find a serious security flaw in the ORS Patient Portal which could have allowed anyone to access any patient’s details, including his/her full name, complete address, age, mobile number, appointments, UHID, partial Aadhaar number, and disease (in some cases) too. …


A comprehensive blog by our security team explaining our in-house solution to deal with DNS outages

Design by Asif Jamal

Cloudflare is one of the most popular DNS and CDN service providers, currently used by over 16 million internet sites. Every day, these sites rely on Cloudflare’s services for performance enhancement, DDoS mitigation, and more.

We do too.

So when Cloudflare suffered multiple outages, it affected websites around the globe. And Grofers was no exception.

The first outage happened on 24th June, when the Cloudflare proxy went down. The second outage happened on 2nd July, and this time the WAF was down for about half an hour. As a result, websites around the globe suffered outages with a 502 Bad Gateway error message.

This downtime was good learning for…


Google’s email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store. Security researchers warned that threat actors are exploiting the popularity of both in order to target users with a credential-stealing attack — As published on forbes.com

Recently I came across an article which talked about how users of Google Calendar, part of the Gmail service, are being targeted through malicious and unsolicited Google Calendar notifications via the automatic addition of invitations to a user’s calendar. This risk clearly shows how settings in Google services misconfigured by its users/clients can be exploited. …


Hi Guys,

Some months back, I published an article on “Exposed JIRA server leaks NASA staff and project data”, in which I was able to find NASA staff details, their usernames and their email ids, along with their internal project details, all of which were being leaked by one of their tools — JIRA, an Atlassian task-tracking/project-management software used by around 135,000 companies and organizations globally. The root cause behind the leak was a wild misconfiguration present in JIRA. …

About

Avinash Jain (@logicbomb_1)

Lead Infrastructure Security Engineer | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc
