Bijit Ghosh · 1 day ago · Appsec · 8 min read
Proactive Defense: Securing Containerized Workloads at Runtime
Introduction: With the rising adoption of containerization and microservice architecture, runtime security has become a critical aspect of securing containerized workloads. Containerizing applications offers developers a way to easily package and deploy code, making for more efficient and scalable infrastructure. However, this speed and flexibility come with challenges for…
Kürşat Oğuzhan AKINCI in Trendyol Tech · 5 days ago · Appsec · 7 min read
Analysis of ‘Adblock Professional for Youtube’ Extension
Authors: Berkay Aksaray, Emre Durmaz, Fatih Çelik, Tufan Güngör
As the Trendyol Cyber Security team, our main responsibility is to investigate attack scenarios that threaten Trendyol and its customers, while also conducting research on scenarios that threaten national or international…
Fatzombi · 3 days ago · Appsec · 10 min read
Building a Foundation in InfoSec: Top Recommendations for New Entrants
You’ll find hundreds of articles out there about how to get started on your InfoSec journey, but too often they focus on the purely technical aspect of the role. In reality, there is much more to making it in InfoSec than having technical chops. As an InfoSec professional, I want…
Jamie Dicken · 5 days ago · Appsec · 3 min read
Letting go of perfect: scaling threat modeling
Lessons from the soccer field on embracing iterative skill development to better secure our products and enable our businesses
Longtime security experts often struggle with the idea of allowing software engineers to threat model their own systems. Their concern is that software engineers lack the necessary security expertise to assess a system for potential flaws and make informed decisions on how to address them. …
Sahil Dari in System Weakness · May 25 · Appsec · 3 min read
Finding a Unique Kind of IDOR
Good day fellow Hackers, today I wanted to share an interesting kind of IDOR that I found recently during my VAPT assessment. I hope you learn something new here. Background: I was doing VAPT of a web application; it had two different URLs. Due to privacy concerns I have censored the…
ssl_ · May 23 · Appsec · 4 min read
How I was able to access data of other users [Insecure Direct Object Reference]
Hello Hackers, welcome to my second blog on my latest vulnerability discovery in an Android application. This time, I discovered a vulnerability known as Insecure Direct Object Reference (IDOR). Introduction: In the world of software security, identifying and mitigating vulnerabilities is crucial to ensuring the safety and integrity of user data…
Rick Ramgattie · May 24 · Appsec · 14 min read
Practical Smart Contract Exploitation
OpenZeppelin Ethernaut Solutions
Ethernaut is a Capture The Flag (CTF) that hosts vulnerable Ethereum contracts. It’s a great way to learn about practical smart contract exploitation. If you want to follow along, I recommend following the instructions outlined in “Hello Ethernaut”. If you want to learn more about Ethereum and smart contracts, I…
Max Zhou · May 20 · Appsec · 4 min read
Supply Chain Attacks: Weaponizing Open Source Software
Introduction: When someone thinks of a cyber attack, they typically think of a hacker breaking into a system and stealing data by exploiting known vulnerabilities in the target software. However, there’s another way to infiltrate software: supply chain attacks. As opposed to a traditional application flaw, where an attacker finds a…
Chevon Phillip · May 10 · Appsec · 2 min read (Member-only)
RCE due to Dependency Confusion: $5000 bounty!
Hey everyone! I’m back with another cool write-up about a bug bounty report I submitted to a private program on HackerOne. Guess what? I got a $5,000 reward and they took care of it in just 30 minutes! I won’t go into the nitty-gritty of dependency confusion since there are…
Iason Tzortzis · May 7 · Appsec · 8 min read
Application Security: The threat from the inside that gets ignored
In this article we discuss the risks of hardcoded credentials in source code and potential mitigations that can help eliminate those risks. The most notable of those is the increase that hardcoded credentials cause in the attack surface of an organization, because of possible leakages and also the extent of…