vaadata.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-11.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-11 | What is Mass Assignment? Attacks and Security Tips | API Sec | Guide to Mass Assignment vulnerabilities, also known as autobinding or object injection, detailing how attackers can manipulate HTTP request parameters to modify or create unintended object variables. It illustrates attacks, including privilege escalation via user profile modification on platforms like GitHub (2012) and GraphQL API exploitation, and provides prevention techniques such as implementing strict field whitelisting on the server side, referencing OWASP for framework-specific solutions. |
| 2026-04-10 | Vaadata: Understanding OAuth 2.0 and its common vulnerabilities | AuthN | Library detailing OAuth 2.0, its function as an authorization protocol for resource access and delegated authentication, and common implementation vulnerabilities. It explains the roles of users, client applications, and authorization servers, and introduces OpenID Connect as an extension for standardized authentication using signed JSON Web Tokens (JWS) and claims. The resource highlights that while OAuth 2.0 and OIDC offer significant advantages, improper implementation can lead to security risks, emphasizing that vulnerabilities stem from how the protocols are applied rather than from the protocols themselves. |
| 2026-04-10 | Vaadata: JWT vulnerabilities, common attacks and security best practices | JWT | Library on JSON Web Token (JWT) vulnerabilities, covering their structure including the JOSE header, payload, and signature. It details common attack vectors that exploit weak implementations and outlines security best practices for configuration and usage, emphasizing the importance of secure secret management for algorithms like HS256 and RS256. |
| 2026-04-10 | Exploiting Broken Access Control on GraphQL | GraphQL | Writeup detailing the exploitation of broken access control and IDOR vulnerabilities in GraphQL. It explains how to leverage GraphQL introspection, aided by tools like Burp's InQL extension and GraphQL Voyager, to identify and access sensitive data from other tenants. The writeup outlines a practical scenario involving pivoting from a project's assigned roles to another company's user data, emphasizing the need for robust authentication, authorization, and role-based access controls to prevent such breaches. |
| 2026-04-10 | Content Security Policy Bypass Techniques and Security Tips | XSS | Survey of Content Security Policy (CSP) bypass techniques, detailing common misconfigurations and exploitation scenarios. It explains CSP directives like `script-src`, `object-src`, `img-src`, and fetch values such as `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`. The survey covers vulnerabilities arising from improper use of wildcards, missing directives, and the exploitation of JSONP endpoints, offering practical advice for strengthening CSP implementation against attacks like XSS. |
| 2026-04-03 | Exploiting an SQL Injection with WAF Bypass | SQLi | Tool for bypassing Web Application Firewalls (WAFs) to exploit SQL injection vulnerabilities. The process involves identifying a potential SQL injection using Burp Suite, confirming it manually via Burp Repeater, and then configuring sqlmap with specific techniques (`--technique=B`), exclusion strings (`--not-string`), proxy settings (`--proxy`), and a modified User-Agent header to evade WAF detection. This enables successful exploitation of boolean-based blind SQL injection flaws. |
| 2026-04-03 | GraphQL API Vulnerabilities, Common Attacks & Security Tips | GraphQL | Library detailing GraphQL API security, covering its structure, common attacks, and defensive measures. It explains the schema, object types, queries, and mutations, then delves into pentesting methodologies and tools. Key areas include endpoint discovery using fuzzing and wordlists like SecLists, schema enumeration, and leveraging GraphQL's introspection feature to reveal API structure. The resource highlights vulnerabilities inherent to APIs while emphasizing GraphQL-specific attack vectors. |
| 2026-04-03 | OWASP Top 10 #1: Broken Access Control and Security Tips | AuthZ | Guide analyzing OWASP Top 10 #1, Broken Access Control. It details common exploit scenarios, including Insecure Direct Object References (IDOR) and Mass Assignment vulnerabilities. The guide provides practical advice and fixes for strengthening access control, differentiating between vertical, horizontal, and contextual controls, and explaining how authentication and session management contribute to overall security. |