Sony Announce Bug Bounty Program For PlayStation

Sony have recently launched their bug bounty program for PlayStation. Security researchers and bug bounty hunters can now report any bugs affecting PlayStation-related devices and can expect great rewards.

PlayStation Bug Bounty Program

Reportedly, Sony has recently introduced a dedicated bug bounty program covering PlayStation-related devices. The program, launched on HackerOne – the popular bug bounty platform – will cover vulnerabilities affecting the PlayStation 4 console, operating system, and related accessories, as well as the PlayStation Network. However, any bugs in PlayStation 1, 2, and 3 are out of the scope of…

What Are Input Validation Attacks?

Input validation attacks occur in much the same way buffer overflows do. Effectively, a programmer has not sufficiently reviewed the input from a user (or attacker, remember!) before passing it on to the application code. In other words, the program will choke on the input or, worse, allow something through that shouldn’t get through. The results can be devastating, including denial of service, identity spoofing, and outright compromise of the system, as is the case with buffer overruns. In this section, we take a look at a few input validation attacks…

What Is an XML Vulnerability?

An XML External Entity (XXE) vulnerability involves exploiting how an application parses XML input, more specifically, exploiting how the application processes the inclusion of external entities included in the input. To gain a full appreciation for how this is exploited and its potential, I think it’s best for us to first understand what the eXtensible Markup Language (XML) and external entities are.

A metalanguage is a language used for describing other languages, and that’s what XML is. It was developed after HTML in part, as…

Open Redirection

According to the Open Web Application Security Project, an open redirection occurs when an application takes a parameter and redirects a user to that parameter value without conducting any validation on the value. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it, abusing the trust of a given domain to lead users to another. The malicious website serving as the redirect destination could be prepared to look like a legitimate site and try to collect personal / sensitive information. Check out…

Cross-Site Request Forgery

A Cross-Site Request Forgery, or CSRF, attack occurs when a malicious website, email, instant message, application, etc. causes a user’s web browser to perform some action on another website where that user is already authenticated, or logged in. Often this occurs without the user knowing the action has occurred. A successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application. The impact of a CSRF attack…

CRLF Injection

What is CRLF?

When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP headers and the actual website content. The HTTP headers and the HTML response (the website content) are separated by a specific combination of special characters, namely a carriage return and a line feed. They are also known as CRLF. The server knows when a new header begins and another one ends with CRLF, which can also tell a web application or user that a new…

HTTP Parameter Pollution

HTTP Parameter Pollution, or HPP, occurs when a website accepts input from a user and uses it to make an HTTP request to another system without validating that user’s input. This can happen in one of two ways, via the server (or back end) and via the client side. On StackExchange, SilverlightFox provides a great example of an HPP server-side attack; suppose we have the following website, https://www.example.com/transferMoney.php, which is accessible via a POST method taking the following parameters:

amount=1000&fromAccount=12345

When the application processes this request, it makes its own…

HTML Injection

Hypertext Markup Language (HTML) injection is also sometimes referred to as virtual defacement. This is really an attack made possible by a site allowing a malicious user to inject HTML into its web page(s) by not handling that user’s input properly. In other words, an HTML injection vulnerability is caused by receiving HTML, typically via some form input, which is then rendered as-is on the page. This is separate and distinct from injecting JavaScript, VBScript, etc. HTML injection is a type of injection issue that occurs when a user is able to control an…

Cross Site Scripting

Cross site scripting, or XSS, involves a website including unintended JavaScript code which is subsequently passed on to users who then execute that code via their browsers. A harmless example of this is: This will call the JavaScript function alert and create a simple popup with the letters XSS. Now, in previous versions of the book, I recommended you use this example when reporting. That is, until a very successful hacker told me it was a “terrible example”, explaining that often the receiver of a vulnerability report may not understand…

SQL Injection

SQL injection attacks target websites or web applications that use SQL. They rely on the strategic injection of malicious code or script into existing queries. This malicious code is drafted with the intention of revealing or manipulating data that is stored in the tables within the database. SQL injection is a powerful and dangerous attack. It identifies the flaws and vulnerabilities in a website or application. The fundamental concept of SQL injection is to inject commands to reveal sensitive information from the database. Hence, it can result in a high-profile attack.…
