Husband, Father and Veteran
A hacker serving people by
for the glory of God.
Ermahgerd, Werb Verlns
[omg, web vulnerabilities]
1: Common, easily discovered weaknesses
that reduce a web application's information
Transport Layer Security (TLS)
• The "S" in HTTPS.
• Prevents eavesdropping and tampering attacks
by providing end-to-end encryption.
• Uses long-term asymmetric encryption to
establish short-term symmetric encryption.
• Standards change at the pace of technology.
• Testing this is actually hard, so use...
Response Headers
• Provide the browser with information.
– Often as behavioral instructions.
• Good headers (when configured properly):
– X-Frame-Options: DENY
– Strict-Transport-Security: max-age=31536000;
– X-XSS-Protection: 1; mode=block
– Content-Security-Policy: default-src 'self';
– Cache-Control: private, no-cache, no-store, max-
• Bad headers:
• Adding and removing headers requires minimal
• Validate with https://securityheaders.io/.
Cookie Flags
• Flags that instruct the browser how to treat the
– Restrict the cookie to TLS encrypted connections.
• Never a good reason not to use these.
• Minor configuration change or minimal code.
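Added example for the response-header and cookie-flag slides above (not code from the talk): a small audit that checks a response's headers against the "good headers" list and each Set-Cookie line for the Secure and HttpOnly flags, plus a helper that fills in missing headers. The default values, the substring checks and the sample response are constructed for illustration.

```python
"""Audit a response's security headers and session-cookie flags.

Added example, not from the talk: the expected header values mirror the
slide's "good headers" list, the cookie checks cover the Secure and HttpOnly
flags, and every response below is constructed for illustration.
"""
from http.cookies import SimpleCookie

# Header name -> substrings a properly configured value must contain.
EXPECTED_HEADERS = {
    "x-frame-options": ("deny",),
    "strict-transport-security": ("max-age=",),
    "x-xss-protection": ("1", "mode=block"),
    "content-security-policy": ("default-src",),
    "cache-control": ("no-store",),
}

# Values applied when a header is absent (from the slide; the CSP is the
# minimal 'self' policy and would be tightened per site).
DEFAULT_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "private, no-cache, no-store",
}

REQUIRED_COOKIE_FLAGS = ("secure", "httponly")


def audit_headers(headers):
    """Return findings for a {name: value} dict; names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, needles in EXPECTED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif not all(n in value.lower() for n in needles):
            findings.append(f"weak header: {name}: {value}")
    return findings


def audit_cookies(set_cookie_lines):
    """Return a finding for every Set-Cookie line lacking Secure or HttpOnly."""
    findings = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            # SimpleCookie stores flags as True when present and "" when absent.
            missing = [flag for flag in REQUIRED_COOKIE_FLAGS if not morsel[flag]]
            if missing:
                findings.append(f"cookie {name} lacks {', '.join(missing)}")
    return findings


def harden(headers):
    """Return a copy of headers with each missing security header filled in.

    Existing values are left alone, so a weak value still shows up in the audit.
    """
    hardened = dict(headers)
    present = {k.lower() for k in hardened}
    for name, value in DEFAULT_HEADERS.items():
        if name.lower() not in present:
            hardened[name] = value
    return hardened


# Constructed sample: a typical default response and the cookies it sets.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public, max-age=600"}
SAMPLE_COOKIES = ["session=5f3a9c; Path=/", "prefs=dark; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) + audit_cookies(SAMPLE_COOKIES):
        print(finding)
    print("after hardening:", audit_headers(harden(SAMPLE_HEADERS)))
```

Running it on the sample flags four missing headers, the cacheable Cache-Control, and the session cookie that can be read by script and sent in the clear; after `harden()` only the pre-existing weak Cache-Control remains, which is the point of auditing rather than blindly adding.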
User Enumeration
• The ability to enumerate user information
through variable responses from requests using
valid and invalid information.
• Response variations include error messages,
lockouts, query string parameters, spacing,
timing, anything really.
• Can exist anywhere the application formulates
a response based on user-specific information.
– Login, account recovery, registration, messaging,
• Be consistent.
– Not always easy to do.
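Added example for the user-enumeration slide (not code from the talk): a login that leaks which usernames exist through its error message and through doing less work for unknown names, beside a version that returns one message and always computes the hash. The user table, passwords and the use of PBKDF2 are this example's own choices.

```python
"""Login responses that reveal whether a username exists, and a consistent version.

Added example; the user store and passwords are constructed. PBKDF2 from hashlib
is used here only so that "wrong password" costs measurable work.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key).
_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, _derive("correct horse", _alice_salt))}

# Dummy record so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive("unused", _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: message and timing both differ by whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username")  # confirms the name is not registered
    salt, stored = record
    if not hmac.compare_digest(_derive(password, salt), stored):
        return (False, "Incorrect password")  # confirms the name is registered
    return (True, "Welcome")


def login_consistent(username, password):
    """Fixed: one failure message, and the same hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    matched = hmac.compare_digest(_derive(password, salt), stored)
    ok = matched and username in USERS
    return (ok, "Welcome" if ok else "Invalid username or password")


def leaks_usernames(login, known_user, unknown_user, bad_password="nope"):
    """Test helper: compare a known-good name with a known-bad one using a wrong
    password; any difference in the response is an enumeration oracle."""
    return login(known_user, bad_password)[1] != login(unknown_user, bad_password)[1]


if __name__ == "__main__":
    for fn in (login_leaky, login_consistent):
        print(fn.__name__, "leaks:", leaks_usernames(fn, "alice", "mallory"))
```

The same idea extends to account recovery and registration: every branch that depends on whether the account exists should produce the same text, status code, and roughly the same delay.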
Insecure Direct Object Reference (IDOR)
• The ability to access information belonging to
other users by tampering with direct object
• Not always an integer.
– GUIDs, encoded DORs, etc.
– Almost always indicates an IDOR issue.
• One of the most common and easily
exploitable flaws, yet impossible for scanners to
• Check ownership of the referenced object.
Missing Function Level Access Control
• The ability to access higher privilege
functionality by force browsing to obscured
• Access controls in the view must match the
access controls on the controller.
• Another common and easily exploitable flaw
that is impossible for scanners to find.
• Check the permission level of the requested
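Added example for the IDOR and missing function level access control slides above (not code from the talk): an in-memory app with an object lookup that trusts the supplied reference beside one that checks ownership, and an admin function that relies on a hidden menu beside one whose controller enforces the role. Users, documents, GUID keys and the decorator are constructed for illustration.

```python
"""Object-level (IDOR) and function-level access checks enforced in the controller.

Added example: the users, documents and decorator are this example's own; the
document keys are GUIDs to show that a non-integer reference is still a DOR.
"""
import functools
import uuid


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# Constructed data.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
ALICE_DOC = str(uuid.uuid4())
BOB_DOC = str(uuid.uuid4())
DOCS = {
    ALICE_DOC: {"owner": "alice", "body": "alice's tax return"},
    BOB_DOC: {"owner": "bob", "body": "bob's medical record"},
}


def get_document_idor(current_user, doc_id):
    """Vulnerable: any valid reference is served, regardless of who asks."""
    return DOCS[doc_id]["body"]


def get_document(current_user, doc_id):
    """Fixed: ownership is checked; a foreign id is treated like a missing one."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise Forbidden("no such document for this user")
    return doc["body"]


def requires_role(role):
    """Enforce the permission on the controller, whether or not the view shows a link."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if USERS.get(current_user, {}).get("role") != role:
                raise Forbidden(f"{fn.__name__} requires role {role}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


def list_users_unchecked(current_user):
    """Vulnerable: only the admin menu is hidden; the URL still works for anyone."""
    return sorted(USERS)


@requires_role("admin")
def list_users(current_user):
    """Fixed: the view and the controller agree on who may call this."""
    return sorted(USERS)


def can_call(fn, current_user, *args):
    """Return True if fn is permitted for current_user; used to test routes."""
    try:
        fn(current_user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("bob reads alice's doc (IDOR):", can_call(get_document_idor, "bob", ALICE_DOC))
    print("bob reads alice's doc (fixed):", can_call(get_document, "bob", ALICE_DOC))
    print("bob lists users (unchecked):", can_call(list_users_unchecked, "bob"))
    print("bob lists users (fixed):", can_call(list_users, "bob"))
```

Both fixes are one check at the point the request is handled; neither can be found by a scanner, because the scanner has no idea which user should own which record or which role a route requires.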
Password Security
• An application should NEVER be able to tell a
user their password.
• Encoding != Encryption != Hashing
• Key management for encryption is hard.
– Access to the cipher usually means access to the
• Not all hashing algorithms are created equal.
– Fast hashing vs. Adaptive hashing
• Design storage systems assuming eventual
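Added example for the password-storage slide (not code from the talk): encoding, a fast unsalted hash, and a salted adaptive hash side by side, with verification and a work-factor check. PBKDF2 from hashlib stands in for any adaptive algorithm, and the record format is this example's own.

```python
"""Encoding vs. fast hashing vs. adaptive hashing for stored passwords.

Added example: values are constructed, PBKDF2 (hashlib) stands in for any
adaptive hash, and the "pbkdf2_sha256$iters$salt$key" record format is ours.
"""
import base64
import hashlib
import hmac
import os

ADAPTIVE_ITERATIONS = 200_000  # tune upward as hardware gets faster


def encode_password(password):
    """Encoding: reversible by anyone; it is not secrecy."""
    return base64.b64encode(password.encode()).decode()


def decode_password(encoded):
    return base64.b64decode(encoded).decode()


def fast_hash(password):
    """Fast, unsalted hash: equal passwords collide and guesses are cheap to
    check in bulk or from a precomputed table."""
    return hashlib.sha256(password.encode()).hexdigest()


def adaptive_hash(password, iterations=ADAPTIVE_ITERATIONS):
    """Adaptive hash: per-user random salt and a tunable cost stored with the key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(key).decode()
    )


def verify_adaptive(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(key, expected)


def needs_rehash(record, target_iterations=ADAPTIVE_ITERATIONS):
    """True when a stored record was made with a lower cost than current policy,
    so it can be upgraded the next time the user logs in successfully."""
    return int(record.split("$")[1]) < target_iterations


if __name__ == "__main__":
    pw = "hunter2"
    print("encoded:", encode_password(pw), "->", decode_password(encode_password(pw)))
    print("fast:", fast_hash(pw))
    rec = adaptive_hash(pw)
    print("adaptive:", rec)
    print("verify:", verify_adaptive(pw, rec), verify_adaptive("hunter3", rec))
```

Nothing in the adaptive record lets the application recover the password, which is exactly why it can never tell a user what their password is; the fast hash looks equally opaque, but two users with the same password get the same digest and each guess costs a single SHA-256.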
• TLS - https://www.ssllabs.com/ssltest/
• Response Headers - https://securityheaders.io/
• Cookie Flags - Developer tools.
• User Enumeration - Check known goods vs.
• Insecure Direct Object Reference - Change the
• Missing Function Level Access Control - Force
• Password Security - Look for evidence.