Chetan Conikee
Discovering life one second at a time.
The business of Authorization and Authentication flaws
business-logic
Ensuring security is one of the most daunting challenges that web applications are facing nowadays. Authentication and authorization are two main security fields that web applications must consider to be protected against unauthorized
Taxonomy of Business logic flaws
business-logic
In the previous article we defined and discussed Business Logic Flaws and their inherent risks. In software design, all web applications can be modeled as a set of use cases and workflows. A
Case Studies: Weak Crypto
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of
Case Studies: Cookie Poisoning
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of
Case Studies: Detecting Sensitive Data Leaks
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of
A Whirlwind Tour of Ocular
ocular
In my study of learning styles, I came across the whole-to-part and part-to-whole concept. As with all learning style paradigms, this has a strong connection to communication styles, and
From Code Property Graph to Ocular
ocular
Information flow is fundamental to application security. We do not want sensitive information to reach untrusted principals (confidentiality), and we do not want untrusted principals to corrupt trusted information (integrity). For example, it is
From Code to Code Property Graph
ocular
The most important security vulnerabilities thus far have been found via laborious code auditing. Also, this is the only way vulnerabilities can be found and fixed during development. However, as software production rates
Case Files: Your data has been breached, now what?
business-logic
Act 6 — Your data has been breached, now what? In my previous post we witnessed how a flawed design pattern of session management across SaaS vendors led to an exploit manifesting. Type
Case Files: Pusher in Coinbase cookie
business-logic
In my previous post we witnessed how a bidding process can be abused in an online auction marketplace. All of us are guilty of using SaaS services in this cloud era. Our systems
Case Files: Outbidding
business-logic
In my previous post we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event. Online auctions offer buyers and sellers of a wide variety
Case Files: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet
business-logic
Fast forward to 2012 from my last post, which enacted Citibank's exploit from 1999. The actors in this story are Andrew and Allen Chiu and their plot to defraud Nordstrom via a channel
Case Files: Attack like it's 1999 (Citibank) in 2012 (Signet/Jared jewelers, Molina Health)
business-logic
In the prior installment I discussed and described the definition of a business logic flaw. Let us now turn back time to 1999 and recount the events leading to the Citibank attack on approximately 360,
What is a Business logic flaw?
business-logic
With the increase in technology standards over the past decade, the complexity of software applications has increased exponentially. Unfortunately, this has also increased the number of attacks that have been launched on such