Framework Problems

  • Authorisation Failures
    • Permissions for editing own profile and others'
    • Admins able to create, edit, delete, or privilege-escalate to SuperAdmin:
      • admin creating a superadmin
      • admin self-escalating to superadmin
      • admin updating someone else to superadmin
      • admin deleting a superadmin
      • admin modifying a superadmin
    • Permission changes taking effect immediately
    • Sessions and other tokens invalidated after user deletion
    • Code not matching spec/comments
  • Local login:
    • Proper password hashing and salting
    • Length checking
  • Entra/OIDC Issues
    • Entra: oid is the user's GUID across the Azure platform; sub is only unique per application
    • OIDC: sub + iss combined is the only identifier that can be used as a GUID
    • Use of the implicit flow (id_token): switch to the authorization code flow. Is the ID token hash verified?
  • Lack of HTML Sanitisation
    • eval(), Function(), HTMLScriptElement
    • getElementById().onclick, getElementById().onmouseover
    • window.location access XSS
    • (outerHTML|innerHTML|markupstring|@Html\.Raw|\|raw|eval\(|document\.write|document\.domain|onevent|innerText|dangerouslySetInnerHTML|insertAdjacentHTML)
    • (add\(|after\(|append\(|animate\(|insertAfter\(|insertBefore\(|before\(|html\(|prepend\(|replaceAll\(|replaceWith\(|wrap\(|wrapInner\(|wrapAll\(|has\(|constructor\(|init\(|index\(|jQuery.parseHTML\(|\$\.parseHTML\(|ng-app)
  • Ineffective Security Headers/CORS policy
    • Use SRI
    • new Function usage
  • Disabled SSL verification for server-side HTTPS requests
  • Docker:
    • docker-compose.yml: security_opt: - no-new-privileges:true
    • Dockerfile: up-to-date base image, USER non-root
  • Missing Request Size Controls
  • Missing Rate-Limiting
    • .*(x-forwarded-for|x-real-ip|ipaddress)
    • Incorrect usage of X-Forwarded-For: take the last IP if there is 1 proxy, the second-last if 2 proxies, etc.
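Added example for the rate-limiting points above (mine, not the checklist author's code): picking the client address from X-Forwarded-For by counting trusted proxies from the end, then keying a small fixed-window limiter on it. The header values, addresses and limits are constructed; the `now` parameter exists so the window logic can be checked deterministically.

```javascript
// Added example, not from the original checklist. Addresses are constructed.

// trustedProxies = number of reverse proxies in front of this app that append to
// X-Forwarded-For. Each proxy appends the address of the peer it accepted from,
// so with N proxies the client is the N-th entry from the end; everything before
// that was supplied by the client and must not be trusted.
function clientIp(headers, remoteAddr, trustedProxies) {
  if (trustedProxies === 0) return remoteAddr; // no proxy: the header is entirely client-controlled
  const raw = headers['x-forwarded-for'];
  if (typeof raw !== 'string') return remoteAddr;
  const hops = raw.split(',').map((s) => s.trim()).filter(Boolean);
  // Fewer entries than trusted proxies means the request did not come through the
  // expected chain; fall back to the socket address rather than trust a partial header.
  if (hops.length < trustedProxies) return remoteAddr;
  return hops[hops.length - trustedProxies];
}

// Fixed-window limiter keyed on whatever string the caller chooses (here the IP).
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }

  // Returns true if the request is within the limit for the current window.
  allow(key, now = Date.now()) {
    const windowStart = now - (now % this.windowMs);
    const bucket = this.buckets.get(key);
    if (!bucket || bucket.windowStart !== windowStart) {
      this.buckets.set(key, { windowStart, count: 1 });
      return true;
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}

// Example wiring: one proxy in front, 100 requests per minute per client.
const limiter = new RateLimiter(100, 60 * 1000);
function shouldServe(headers, remoteAddr) {
  return limiter.allow(clientIp(headers, remoteAddr, 1));
}
```

The proxy count must come from deployment configuration, not from the request; a limiter keyed on the first entry of the header (a common mistake) lets every client choose its own bucket.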
  • Insufficient File Upload Validations
    • Randomise filenames
    • Limit file size
    • Limit allowed extensions
    • Virus scanner
  • User Enumeration
    • Returning 404 Not Found before 401 Unauthorised
    • Forgot-password email enumeration
  • Lack of Input Sanitisation
    • Must be done in the backend
  • SSRF
  • Constant-time comparison (API keys)

  • Info leak through logs
    • (log|warn|error)\(.*(.*\$|{|[+,])
    • [=({$]\s*(err|ex)\S*\.
  • Hardcoded secrets (if one is found, search the entire source tree)
    • Have secrets ever been committed?
    • .gitignore includes .env
  • Weak Cookie Security Settings
  • SQL Injection Vulnerability
    • ExecuteSqlRawAsync() (in .NET)
  • JSON/XML deserialisation
    • JSON.parse(data)
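Added example for the JSON.parse item (mine, not the checklist author's code): what to look for around a bare JSON.parse(data) on request input, and a hardened parse that caps size, drops prototype-polluting keys with a reviver, and copies only schema-declared fields. The size limit and the tiny schema format are constructed assumptions.

```javascript
// Added example, not from the original checklist. Limits and schema format are constructed.
const MAX_JSON_BYTES = 64 * 1024;

// Reviver: returning undefined deletes the property, so "__proto__", "constructor"
// and "prototype" keys never make it into the parsed object.
function dropPrototypeKeys(key, value) {
  return key === '__proto__' || key === 'constructor' || key === 'prototype' ? undefined : value;
}

// schema: { fieldName: 'string' | 'number' | 'boolean' } (minimal validator for the example).
function parseUntrustedJson(text, schema, maxBytes = MAX_JSON_BYTES) {
  if (typeof text !== 'string') throw new TypeError('body must be a string');
  if (Buffer.byteLength(text, 'utf8') > maxBytes) throw new RangeError('body too large');
  const parsed = JSON.parse(text, dropPrototypeKeys);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('expected a JSON object');
  }
  // Copy only declared fields with the declared primitive type; unknown keys are discarded,
  // which is the stronger guard even if a reviver is forgotten elsewhere.
  const out = {};
  for (const [field, type] of Object.entries(schema)) {
    if (typeof parsed[field] !== type) throw new TypeError(`field ${field} must be ${type}`);
    out[field] = parsed[field];
  }
  return out;
}

// The merge pattern that turns an unfiltered JSON.parse result into prototype pollution:
// with an own "__proto__" key on `source`, target["__proto__"] resolves to Object.prototype
// and the recursion writes into it.
function mergeInto(target, source) {
  for (const k of Object.keys(source)) {
    const s = source[k];
    if (s && typeof s === 'object' && target[k] && typeof target[k] === 'object') {
      mergeInto(target[k], s);
    } else {
      target[k] = s;
    }
  }
  return target;
}
```

Review question for each JSON.parse on external input: where does the result go afterwards (a deep merge, an ORM query builder, a template), and is it validated before it gets there?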
  • Enabled Source Maps in Production
  • Weak randomness
  • Misconfiguration (tsconfig, next.config.js etc.)
  • Audit dependencies
  • Global error catching; restart after an unrecoverable crash

Programming Problems

  • try-catch blocks that swallow exceptions or do not handle them properly
    • catch\s*\(.*\)
  • [JS/TS] using ==/!= instead of ===/!==
    • [^!=]={2}[^=]
  • [.NET] public/protected/private access modifiers on classes/variables
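Added example (mine, not the checklist author's code) that turns the grep patterns scattered through this checklist into one scanner: the DOM and jQuery sink lists, the forwarded-IP header pattern, the two log-leak patterns, the catch-block pattern and the loose-equality pattern. The regexes are taken from the page as written (so they inherit its false positives, e.g. any `add(`); the rule names and the sample source lines are constructed.

```javascript
// Added example, not from the original checklist. Rule ids and SAMPLE are constructed;
// the regexes are the page's own patterns.
const RULES = [
  { id: 'dom-sink', re: /(outerHTML|innerHTML|markupstring|@Html\.Raw|\|raw|eval\(|document\.write|document\.domain|onevent|innerText|dangerouslySetInnerHTML|insertAdjacentHTML)/ },
  { id: 'jquery-sink', re: /(add\(|after\(|append\(|animate\(|insertAfter\(|insertBefore\(|before\(|html\(|prepend\(|replaceAll\(|replaceWith\(|wrap\(|wrapInner\(|wrapAll\(|has\(|constructor\(|init\(|index\(|jQuery\.parseHTML\(|\$\.parseHTML\(|ng-app)/ },
  { id: 'client-ip-header', re: /.*(x-forwarded-for|x-real-ip|ipaddress)/ },
  { id: 'log-interpolation', re: /(log|warn|error)\(.*(.*\$|\{|[+,])/ },
  { id: 'log-error-object', re: /[=({$]\s*(err|ex)\S*\./ },
  { id: 'catch-block', re: /catch\s*\(.*\)/ },
  { id: 'loose-equality', re: /[^!=]={2}[^=]/ },
];

// Returns one hit per (line, rule) pair; each hit is a place to read by hand,
// not a confirmed finding.
function scanSource(text, rules = RULES) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of rules) {
      if (rule.re.test(line)) hits.push({ line: i + 1, rule: rule.id, text: line.trim() });
    }
  });
  return hits;
}

// Constructed source lines, one per rule plus one clean line.
const SAMPLE = [
  "el.innerHTML = userInput;",
  "$('#out').append(data);",
  "const ip = req.headers['x-forwarded-for'];",
  "console.log(`user ${user.email} logged in`);",
  "res.status(500).send(`failed: ${err.stack}`);",
  "} catch (e) {}",
  "if (role == 'admin') {",
  "const safe = el.textContent;",
].join('\n');

function report(text) {
  return scanSource(text).map((h) => `${h.line}: [${h.rule}] ${h.text}`);
}
```

Each hit is a starting point for the manual questions in the list above: is the sink fed from user input, does the log line carry a secret or a full error object, does the catch block at least record what it swallowed.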

Mobile

  • Disable cleartext traffic in network_security_config.xml
  • Enable ProGuard/R8
  • SSL Pinning
  • iOS: NSAllowsArbitraryLoads, NSAllowsLocalNetworking

Run

  • [JS/TS] Linter
    • npx eslint . --ignore-pattern "**/*.js" --quiet
  • SCA: npm, snyk.io
  • SAST: semgrep, opengrep; DAST
    • semgrep ci --exclude="*.js" --exclude-rule="javascript.browser.security.insecure-document-method.insecure-document-method"
  • Check TLS configuration (e.g. SSL Labs)

Tips

  • When a vulnerability is found, check the commit for other code edits

More from Kevin