AppSec Monday: RedTeaming, Mobile Apps Hacking, GraphQL Security, SAML Signature Bypass, Phone number OTP flaw leads ATO, CSPBypass Tool, Lamborghini Carjackers Lured by $243M Cyberheist
Cybersecurity — For Security Professionals
Hey! James here.
Today’s edition is all about Application Security and offensive tactics:
📝 SAML Signature verification bypass, Change phone number OTP flaw leads to ATO, Red Teaming in the age of EDR.
🔥 Password Pusher, CSPBypass, Lamborghini Carjackers Lured by $243M Cyberheist, Hackers targeted Android users by exploiting 0-day.
🧠 Three Ways to Hack Mobile Apps, Top 10 GraphQL security checks for developers, Security Best Practices for production apps.
And more…
First time reading? Sign up here.
📰 Top Security News
Lamborghini Carjackers Lured by $243M Cyberheist (Krebsonsecurity)
New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed (Forbes)
Hackers targeted Android users by exploiting zero-day bug in Qualcomm chips (Techcrunch)
📝 Best Of Blogs
SAML Signature verification bypass allows logging into any user (with specific conditions) [25000$ Bounty] (HackerOne)
Change phone number OTP flaw leads to any phone number takeover [2000$ Bounty] (HackerOne)
Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation (Fox-it)
🧠 Learning Resources
Three Ways to Hack Mobile Apps (John Hammond)
Top 10 GraphQL Security Checks for Every Developer (Akto)
Security Best Practices for Production Applications (GeeksforGeeks)
🛠️ Tools
CSP Bypass search - Search for existing CSP bypass gadgets that allow you to gain XSS. (GitHub)
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. (GitHub)
PasswordPusher: 🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. (GitHub)
⚡️ Misc
Google Online Security Blog: Using Chrome's accessibility APIs to find security bugs (Google Blog)
The Role of Security and Authorization in DDD (Permit)
🎯 Favorite Quote
“You will face many defeats in life, but never let yourself be defeated.”
- Maya Angelou
💡 ABOUT VAYFUL®
Vayful® is a cybersecurity newsletter that curates the best cybersecurity news, research, tools, blogs, talks, tutorials, and learning resources — specially handpicked for security professionals. The content is curated with love by security professionals.
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here!
Did someone forward this email to you? Become a subscriber!
Have feedback or questions? Just hit reply and let us know.