Most of the Corporates do not focus on their internal security. They think that they are secure because their internal assets are accessible by internally. But Red Team Members know very well that How can attacker exploit internal infrastructures.
Voice over Internet Protocol (VoIP) has seen rapid implementation over the past few years. Most of the organisations which have implemented VoIP are either unaware or ignore the security issues with VoIP and its implementation. Like every other network, a VoIP network is also susceptible to abuse.
Possible attacks against VoIP:
Price Manipulation is a test case for Price Tampering. Generally, Penetration testers change the amount value of the product (i.e., shoes, tshirt, flight ticket, etc) from Rs.XXXX (or $XXXX) to Rs1 (or $1) in price tampering . And Sometimes, Penetration Testers change the Currency format means from Dollar to INR or others.
So, Here I am not gonna talk about above cases here. I found a unique case for price manipulation. I am not gonna paste here any POCs, Requests and Response. If you will have a doubt then contact me on Twitter or Linkedin.
I tested an E-Commerce web application. I tried all cases for price manipulation but got no success like I tried to change the product’s original amount value to 1 but it gave me error and I tried to change the currency format like Dollar to INR but got no success. …
Hi Infosec guys!!!! Hope you are doing well. If you are here then you are interested in learning more n more. This finding is not unique for some 1337 infosec guys but most of the guys do not test this case.
I tested an e-commerce application with my checklist specific to E-Commerce Application. I found many vulnerability on that application such as OTP in response, Price manipulation, Quantity manipulation, etc.
Here, I will talk about adding amount in Wallet and How did I misuse it to get thousands of Dollar bounty bug. I will use www.redacted.com as Target’s Host.
I created an account and go to the wallet section. I had 0 INR at starting. …
Hi folks, I tested an application that was too vulnerable. So, I thought about writing Account takeover test cases. I will not disclose the name of the company. In this writeup, I will use “company” as a company name.
I had two registered account and one unregistered account:
Victim : email@example.com (registered)
Attacker : firstname.lastname@example.org (registered)
Dummy: email@example.com (unregistered)
# 1. Account Takeover through Sign-up functionality.
Note: Verification mails were not sending by the website.
a. I filled all details such as first name, last name, password, confirm password, email(with unregistered email, let’s say firstname.lastname@example.org).
I filled email@example.com because on each keystroke of email’s input field, a function was sending a request just to check the email is already registered or not. ( I also changed the response of checking email’s request of registered email from false to true, just only to bypass but there was no success). …
I was doing freelancing for a company. In that company, They have private dashboard for their employees, from where Employees can modify his/her personal details. Managers, HR and Chief & Officers roles can see the personal details of any employee and communicate to them but no other employees can see other employee’s personal details.
What are you thinking now?
Now all that I need, was to search Victim Employee’s ID and Here is the option where I can search the details on dashboard:
When I clicked on the Victim Employee’s name, then I got some details but employee’s ID(11131) was main for the exploitation. …
Here we discuss about Vulnerability assessment and penetration testing and reporting tools.
Assessments are typically performed according to the following steps:
Types of penetration testing:
A penetration test target may be a White box (which provides background and system information) or Black box (which provides only basic or no information except the company name). A Grey box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). …
In this write-up, you will get to know about #CTF, Challenges, Tools for solving the #CTF challenges, Practice Platforms, Resources and Youtube Channels for #CTFs
What is #CTF?
#CTF is the abbreviation for “Capture The Flag”. #CTFs are the challenges in which you just find the #Flag from your #Hacking Skills. The goal of CTF is just finding the Flags.
There are three common types of CTFs : i) Jeopardy Style CTFs, ii) Attack-Defense Style CTFs & iii) Mixed Style CTFs.
Jeopardy Style CTF :
#Jeopardy-style CTFs has a couple of questions (tasks) in range of categories. For example, Web, Forensic, Crypto, Binary or something else. Team can gain some points for every solved task. More points for more complicated tasks usually. The next task in chain can be opened only after some team solve previous task. Then the game time is over sum of points shows you a CTF winner. …
Hi all, I am a cyber security enthusiast.
I was thinking to start write-ups and now i am writing my first write-up. I am very excited to share my knowledge and help the community.
In this write-up, you will get to know about my ways to gather the resources and methodologies and learn new things.