Sep 14, 2024
Sneakers Movie Overview From a Security Architecture Perspective —
Last week, while enjoying some downtime on vacation, I decided to revisit the classic movie Sneakers (1992). As the credits rolled, my mind naturally drifted toward security architecture (as it does!), and I couldn’t help but analyze the vulnerabilities depicted in the film. Curious about how these issues could have been caught in the design phase, I teamed up with ChatGPT to break it all down. What follows is an in-depth look at the movie’s security flaws and how modern architecture could address them. Fair warning—this post is full of spoilers, so proceed with caution!
…
Jun 26, 2023
A Classical Account Takeover Case via Multiple Bypasses —
Introduction
Recently I found a password reset/recovery flaw in a program at Synack. The vulnerability is the classical password reset link manipulation via Host Header Injection, but rather than the vulnerability itself, the way I managed to exploit it might be interesting. As a summary, this write-up contains a CDN Bypass + Regex Bypass + Host Header Injection resulting in an account takeover vulnerability.
…
Apr 3, 2021
RCE on Starbucks Singapore and more for $5600 —
Recon
After I found a critical vulnerability in the Starbucks Singapore web application, I wanted to dig a little deeper and began to examine the com.starbucks.singapore Android app. Unfortunately, I did not find any weaknesses in the mobile application, so I decided to focus on the application server with which the application interacts. The mobile application was interacting mostly with a REST API on the server, but I noticed that in some operations it talks to an endpoint with the extension “.aspx”. I did not find any weaknesses in the endpoints there and tried to find more endpoints by directory scanning. I did not find any weaknesses in the endpoints I discovered either and took a few weeks off.
…
Oct 7, 2020
6k$ Worth Account Takeover via IDOR in Starbucks Singapore —
Recon
While browsing Starbucks Singapore, I noticed a page loaded with content from a third-party site. Let’s call this site example.com in order not to disclose it. When I did some research on this site, I saw the same login page as on card.starbucks.com.sg in the directory example.com/starbucks, and at this point I had two possibilities.
…