Jerry Shah (Jerry)

3.8K Followers

Sep 15

Client-Side Cache Manipulation - The Voting Haunt

Summary: Client-Side Cache Manipulation (CSCM) refers to a type of security vulnerability where an attacker can manipulate or tamper with the client-side cache mechanisms, such as browser cache or local storage, to gain unauthorized access or privileges within a web application. …

Infosec

4 min read


Jul 9

IDN Homograph Attack and Response Manipulation - The Rarest Case

Summary: IDN stands for Internationalized Domain Name, which is a system that allows domain names to be written and displayed in different scripts and character sets. It enables the use of non-ASCII characters, such as letters with diacritical marks (é, á, č, ŭ, í, ó), in domain names. …

Infosec

7 min read


May 18

Stored Iframe Injection & Permanent Open Redirection - Zero Day

Summary: An iFrame is a way to embed a webpage within another webpage. It’s like a small window that shows content from a different website. An open redirection vulnerability allows attackers to redirect users from a legitimate website to an attacker-controlled website. Description: We have found a very unique vulnerability…

Infosec

5 min read


Apr 25

API Misconfiguration - Algolia API Key

Summary: CRUD stands for Create, Read, Update, and Delete, the four basic operations performed on data stored in a database. When building an API, these CRUD operations are often used to create a basic interface for interacting with a database. These CRUD…

Infosec

5 min read


Apr 8

SQL Wildcard DoS - Hang Till Death

Summary: SQL Wildcard DoS is about forcing the database to carry out CPU-intensive queries by using several wildcards. This vulnerability generally exists in the search functionality of web applications or in functionality where data gets stored, e.g. searches, comments, image names, messages etc. …

Infosec

4 min read


Mar 15

LFI - An Interesting Tweak

Summary: Local File Inclusion (LFI) is a type of web application vulnerability that allows an attacker to include and execute arbitrary files on the web server. An attacker can take advantage of this vulnerability by passing a malicious file path as a parameter, which could be a local file on…

Infosec

4 min read


Feb 2

IDOR - Inside the Session Storage

Summary: IDOR stands for Insecure Direct Object Reference, which is a vulnerability that falls under the broken access control category. In brief, this vulnerability arises when an application uses user-supplied input to access an object directly. …

Infosec

4 min read


Jan 19

API Misconfiguration - No Swag of SwaggerUI

Summary: API misconfiguration refers to the improper or insecure setup of an application programming interface (API). This can include issues such as weak authentication, lack of input validation, or improper access controls. API misconfigurations can provide an attacker with unauthorized access to sensitive data or the ability to perform actions…

Info

4 min read


Dec 3, 2022

Account Takeover - Inside The Tenant

Summary: Account Takeover (ATO) is an attack in which an attacker can take ownership of another person’s account. There are multiple ways to carry out an account takeover attack, namely brute forcing credentials, credential stuffing, response manipulation, password reset poisoning, social engineering and phishing, 2FA bypass attacks etc. Description: I…

Infosec

4 min read


Sep 29, 2022

Shodan Dorks - The God’s Eye

Summary: Shodan is a search engine for Internet-connected devices. It is different from search engines like Google and Bing because Google and Bing are great for finding websites but Shodan helps in finding different things like popular versions of Microsoft IIS, control servers for Malware, how many host are…

Infosec

12 min read

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
