A Baker's Dozen Tricks I Wish I Had Known

After my first year of web app security, these are thirteen things I wish someone had told me when I was starting out.

They are in no particular order and range from simple tricks to better ways of approaching a problem.

  1. Create multiple accounts on a site and try to reuse the same credentials (username, e-mail address) both at sign-up and when updating a profile. Look for missing uniqueness checks: registering a second account with an existing user's e-mail, or changing your own to theirs, can hijack that user's password-reset flow.
  2. Check all links to a site's third-party accounts (social profiles, app-store pages, community forums). Sometimes an account has lapsed while links to it remain in e-mails and page footers, so whoever registers the abandoned handle inherits that traffic.
  3. Check file names on uploads. Linux allows almost any byte in a file name (only "/" and NUL are forbidden), so a name such as "<img src=x onerror=alert(1)>.png" is stored as-is. If the application later echoes the name unescaped in a listing or error message, that is stored XSS.
  4. Check negative quantity cart values. If the server multiplies price by quantity without validating the sign and range, a quantity of -5 becomes a credit against the rest of the order. Pay off your student loans early!
  5. Use Google to widen your attack surface: inurl:& finds indexed URLs that carry query parameters, and site:x.com -www finds subdomains other than www.
  6. Social Media Link Smog
  7. CNAME: A company may point a subdomain of its normal site at a third-party host. Example: google.com creates health.google.com as a CNAME to ourhealthplan.com so employees can just visit the subdomain to find their health plan. Years later Google switches health insurance, ourhealthplan.com goes out of business, and its domain is left for purchase by no-good teenage meme-makers, who now have a google.com subdomain pointing at their cool new phishing site. Check that every CNAME target still resolves and is still owned by the party you expect.
  8. If you find a bug in a third-party app (e.g. Jive Forums), check that vendor's site for a customer list and see whether any of those customers pay bug bounties; the same bug is probably live on their installations too.
  9. Find bugs in widely deployed CMS platforms: one finding reproduces on every site running that CMS.
  10. Log out, then replay the old session cookie. If the server still accepts it, logout only cleared the cookie client-side and the session was never invalidated on the server.
  11. Cross-Site Tracing: curl -vX TRACE "URL". A 200 response that echoes the request back means the server reflects request headers, Cookie included, which is how XST was used to read HttpOnly cookies. Browsers refuse to send TRACE from script nowadays, so treat it mainly as a misconfiguration finding.
  12. Use public information. There is a rich community with an affinity for sharing what it knows.
  13. Yandex > Google
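Trick 3 in practice: an added example (not code from the original post) that writes an upload with a hostile name to a temporary directory to show Linux accepts it, then renders a file listing the vulnerable way and the escaped way, with an allow-list sanitizer for the name kept on disk. The attacker file name, the catalogue of characters allowed, and the fallback name "upload" are all my choices for illustration.

```python
import html
import os
import re
import tempfile

# Constructed attacker upload name. On Linux every byte except "/" and NUL is
# legal in a file name, so the filesystem accepts this unchanged.
ATTACKER_FILENAME = "<img src=x onerror=alert(document.cookie)>.png"


def store_upload(directory: str, filename: str, data: bytes) -> str:
    """Write an upload under its original client-supplied name (the bug)."""
    path = os.path.join(directory, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def render_listing_unsafe(filenames) -> str:
    """Vulnerable: the untrusted name is interpolated straight into HTML."""
    return "".join(f"<li>{name}</li>" for name in filenames)


def render_listing_safe(filenames) -> str:
    """Hardened output side: HTML-escape the name at render time."""
    return "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in filenames)


def sanitize_filename(name: str) -> str:
    """Hardened input side: allow-list the characters kept on disk.

    basename() strips any directory component, the regex replaces every
    character outside [A-Za-z0-9._-] with "_", and leading dots are dropped so
    an upload cannot become a hidden file such as ".htaccess".
    """
    base = os.path.basename(name)
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned or "upload"  # hypothetical fallback for an all-junk name


def demo():
    """Store the hostile name in a temp dir and render the listing both ways."""
    with tempfile.TemporaryDirectory() as directory:
        store_upload(directory, ATTACKER_FILENAME, b"\x89PNG")
        names = os.listdir(directory)
    return names, render_listing_unsafe(names), render_listing_safe(names)


if __name__ == "__main__":
    stored, unsafe, safe = demo()
    print("on disk:   ", stored)
    print("vulnerable:", unsafe)
    print("escaped:   ", safe)
    print("sanitized: ", sanitize_filename(ATTACKER_FILENAME))
```

Escaping at render time is the fix for the XSS; the allow-list sanitizer is a separate defence that also stops path tricks and hidden files, so use both.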
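Trick 4 in practice: an added example (not code from the original post) with a cart total computed the trusting way beside a hardened version that checks type and range on every line. The catalogue, prices, the per-line cap of 100 and the attacker's cart are constructed for illustration.

```python
from decimal import Decimal

# Constructed catalogue; prices live server-side and never come from the client.
CATALOG = {
    "laptop": Decimal("1200.00"),
    "cable": Decimal("9.99"),
}
MAX_QTY_PER_LINE = 100  # assumed business limit

# Constructed attacker cart: one real purchase plus a negative line that
# "refunds" slightly more than the laptop costs.
ATTACKER_CART = {"laptop": 1, "cable": -121}


def cart_total_vulnerable(cart) -> Decimal:
    """Trusts the client's quantity as-is, including its sign."""
    return sum((CATALOG[sku] * qty for sku, qty in cart.items()), Decimal("0"))


def cart_total_hardened(cart) -> Decimal:
    """Validates every line before it touches arithmetic."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        # bool is a subclass of int and JSON may deliver 1.0, so check the exact type
        if type(qty) is not int:
            raise ValueError(f"quantity for {sku!r} must be an integer")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"quantity for {sku!r} out of range: {qty}")
        total += CATALOG[sku] * qty
    return total


def rejects(cart) -> bool:
    """True if the hardened path refuses the cart."""
    try:
        cart_total_hardened(cart)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable total:", cart_total_vulnerable(ATTACKER_CART))
    print("hardened rejects attacker cart:", rejects(ATTACKER_CART))
```

The same check belongs wherever a quantity is accepted: add-to-cart, cart update and checkout all have to agree, or the attacker simply uses the one endpoint that forgot.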
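Trick 7 in practice: an added example (not code from the original post) that follows CNAME chains in a collected inventory and flags the ones whose final target no longer resolves. The inventory is constructed; ".invalid" is a reserved TLD standing in for an expired provider domain, and the live resolver is plain socket.gethostbyname, which you would swap for dnspython or dig output in a real run.

```python
import socket
from typing import Dict, List, Tuple

# Constructed inventory: subdomain -> CNAME target, as gathered from dig,
# certificate-transparency logs or a zone export.
SAMPLE_CNAMES = {
    "www.example.com": "example.com",
    "shop.example.com": "www.example.com",
    "health.example.com": "ourhealthplan.invalid",
}


def resolves(host: str) -> bool:
    """Live check: does the name resolve to an address at all?"""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def follow_chain(name: str, cnames: Dict[str, str], limit: int = 8) -> List[str]:
    """Follow CNAME -> CNAME hops inside the inventory, bounded to stop on loops."""
    chain = [name]
    while chain[-1] in cnames and len(chain) <= limit:
        chain.append(cnames[chain[-1]])
    return chain


def find_dangling(cnames: Dict[str, str], resolve=resolves) -> List[Tuple[str, str]]:
    """Return (subdomain, final target) pairs whose target does not resolve."""
    dangling = []
    for sub in sorted(cnames):
        target = follow_chain(sub, cnames)[-1]
        if not resolve(target):
            dangling.append((sub, target))
    return dangling


if __name__ == "__main__":
    for sub, target in find_dangling(SAMPLE_CNAMES):
        print(f"DANGLING {sub} -> {target}")
```

A target that fails to resolve is necessary, not sufficient: whether it can be taken over depends on whether the domain is available to register or the hosting account behind it can be claimed. The other takeover class, a target that resolves to a provider's shared address while the account there is unclaimed, needs a provider-specific fingerprint and is not covered by this check.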
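Trick 10 in practice: an added example (not code from the original post) with a minimal server-side session table, a buggy logout that only expires the browser cookie, a correct one that deletes the server record, and the tester's replay check that tells them apart. The token format and cookie attributes are my choices for illustration.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session table keyed by an opaque random token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        """What the server believes about a presented cookie."""
        return self._sessions.get(token)

    def logout_client_only(self, token: str) -> Dict[str, str]:
        """Buggy logout: expires the browser cookie, leaves the server record alive."""
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout_server_side(self, token: str) -> Dict[str, str]:
        """Correct logout: destroys the record, then expires the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


def old_token_still_works(store: SessionStore, logout) -> bool:
    """Tester's view: log in, save the cookie, log out, replay the saved cookie."""
    token = store.login("alice")
    logout(token)                              # the browser forgets the cookie...
    return store.whoami(token) is not None     # ...but does the server?


if __name__ == "__main__":
    store = SessionStore()
    print("client-only logout replayable:", old_token_still_works(store, store.logout_client_only))
    print("server-side logout replayable:", old_token_still_works(store, store.logout_server_side))
```

Against a real target the replay is just the pre-logout request resent from Burp Repeater or curl with the saved cookie; a non-error response to an authenticated page is the finding.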