Collaborate Disseminate
I’m a security-conscious developer looking to improve the security of my web application. I’ve been researching Broken Object Level Authorization (BOLA) vulnerabilities and want to ensure that my application is not vulnerable to this type … Continue reading Testing for Broken Object Level Authorization (BOLA) vulnerabilities
I’m testing the following /event/insert API endpoint which I believe may be vulnerable to a MongoDB injection. Specifically, I’m concerned about any/all injections that would overwrite or delete records in my Mongo location_history collect… Continue reading Is this vulnerable to a nosql injection?
A man from New York City has admitted to computer hacking and associated crimes after being caught with a laptop containing hundreds of thousands of stolen payment card details.
Read more in my article on the Hot for Security blog. Continue reading Hacker pleads guilty after arriving on plane from Ukraine with a laptop crammed full of stolen credit card details
Interesting vulnerability:
…a special lane at airport security called Known Crewmember (KCM). KCM is a TSA program that allows pilots and flight attendants to bypass security screening, even when flying on domestic personal trips.
The KCM process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all…
Organizations using Fortra’s FileCatalyst Workflow are urged to upgrade their instances, so that attackers can’t access an internal HSQL database by exploiting known static credentials (CVE-2024-6633). “Once logged in to the HSQLDB, t… Continue reading Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633)
I’m doing a website PT lab and I’m trying to figure out SQL vulnerability in MariaDB.
After some scanning I found the /api/ path, and one of them gives the desired SQL
I found out that ‘ gives me the desired SQL error:
My request:
GET /api… Continue reading MariaDB SQL Injection
I am working on a project involving an input form where customers enter their name and email to start a conversation with support. The form works well, but I’ve noticed some issues with the ‘Name’ input field. Specifically, I can use devel… Continue reading Addressing Potential JavaScript Injection Vulnerabilities
I’m currently testing the search feature on a website, and I’ve encountered an interesting behavior. The site displays the search query in the page itself, even if it’s an XSS payload (although it doesn’t trigger any XSS). Here are the det… Continue reading Understanding Search Behavior on a Website [URL Encoding and Query Handling] [closed]
VMware warns that authenticated malicious users could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.
The post VMware Patches Critical SQL-Injection Flaw in Aria Automation appeared first on SecurityW… Continue reading VMware Patches Critical SQL-Injection Flaw in Aria Automation
I have a database in which most or maybe even all columns are empty. Yet I have to gain access to the database via a user called Tom.
I found out that the table is called users and the query the server sends when logging in is:
SELECT user… Continue reading MySQL Injection with a incomplete database [closed]