#hack100days : Day 11 : More JuiceShop. Explored business logic. Managed to break the server a couple of times. Error checking and handling is hard. #getsmart #infosec #WebAppPentesting
If you want to know how to hack into websites, I recommend reading attack narratives / methodology walkthroughs from folks like @gaz & @albinowax .
Gareth ( @gaz ) goes into detail on his approach and coordination with James ( @albinowax ), his initial prodding, his attempts, his initial failures, his pivots, his initial possible successes and then, finally, his sussing out how to get his exploits to work.
It's a wonderful guide in how to approach and become a website hacker, with a current use case as the example.
Read the narrative and follow @gaz and @albinowax .
https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
#hacking #teachmetohack #WebAppPentesting #infosec
Lol, when a bunch of hackers migrate to new services, they tend to kick the tires a bit 😂.
Here, some hackers found a way to steal Mastodon passwords by manipulating the way Mastodon allows (and sidestepping the way Mastodon protects) HTML embedded into posts.
It also highlights the ways that third-party plugins (here Glitch, found on the Mastodon server infosec(dot)exchange and others) introduce interesting attack vectors that core maintainers don't initially control (thoughts go out to WordPress).
The hackers then reported the issues to the Mastodon team and the Glitch team so they could issue security patches.
Big shoutout for finding/reporting the vuln:
Kudos to the Mastodon & Glitch teams for coordinating and issuing a timely security patch.
I expect we'll see a lot more of these initially (this is good; it means the website is getting more secure).
Takeaways:
Full writeup here: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
#infosec #WebAppPentesting #hacking #bughunting
#hack100days : Day 4a : Finished off sections 5 and 6 of PWST. #infosec #WebAppPentesting
Want to web app pentest Mastodon but don't want to spin up a server yourself?
Alex Stamos ( @alex ) has spun up the mastodon server: cybervillains(dot)com just for this purpose.
Description: This server was specifically built as a playground for security professionals to understand the security, privacy and safety issues of Mastodon. Unstable and crazy, as social media should be.
Check it out: https://cybervillains.com/explore
To this! It looks like @alex has set up a Mastodon instance that can be messed around with as a sort of lab environment (is that right, Alex?!) - perhaps a valid target for web app pentesting and bug research for Mastodon?
(HT @JoshCGrossman for the tip!)
Talk to @alex to be sure and for more information.
But here's the link to the server:
https://cybervillains.com/explore
#WebAppPentesting #vulnerabilityresearch #mastodon
So @jerry has brought together all these hackers, all these information security professionals, all these web application penetration testers...
...and put them together on an open sourced web application.
Look, I ain't telling you to hack this specific server. But I am telling you to have fun with the software (IN YOUR OWN LAB ENVIRONMENT!!!)
Anyhoo... information on how to report vulnerabilities within Mastodon here: https://github.com/mastodon/mastodon/security/policy
_______
#WebAppPentesting #infosec #FOSS #VulnerabilityResearch
Still looking for new people to follow on Mastodon, so if you like any of the following areas, interact with this tweet and I'll give you a follow.
#infosec #WebAppPentesting #NetworkPentesting #python3 #golang #burpsuite #powershell #privilegeEscalation #tryHackMe
#introduction time,
Hello All, my name is Marco. I'm a father and husband, and I've been in the Software/IT industry for over 25 years now, wearing many hats ranging from #programmer, #analyst, #consultant, team lead, #educator, #LinuxAdmin, #OracleDBA and QA test #automation specialist, but it wasn't until 2018 that I truly followed my passion of #hacking.
I'm currently a #penetrationtester for a local company where I focus mainly on the corporate side of things but have a variety of different challenging assignments that keep me engaged in continual learning. I really enjoy #WebAppPentesting (#SEC542 / #GWAPT), #Android hacking, #WiFiHacking and #recon, and I'm expanding into #Networkpentesting. I occasionally dabble in #Bugbounty and enjoy following the scene to keep up to date on the latest tools and techniques the community has to offer! When I'm not on my computer, I'm spending time with my family or walking my dog with my wife, enjoying the great Canadian air, and one day I hope to get back to restoring my #Trans-Am and taking it to the #WoodwardDreamCruise.
I don't post often but when I do, it will be related to #pentesting, #hacking, or anything that I feel will help the InfoSec community.
Cheers!
Marco