Pingiskok
@pingiskok
8 posts

Web2/2.5/3 bugs. Mostly the ones auditors skip. https://t.co/gkUb7RpelE

Joined April 2026
9 Following, 283 Followers

Pingiskok @pingiskok:
Yes, that's right. Thanks, I'm glad you liked the blog! You correctly noticed the jump from part 14 to part 17. The thing is, in articles 15 and 16 I was planning to release the tooling and testing methodology, but by the time of publication I realized they weren't good enough or comprehensive enough to share with a wide audience. I didn't want them to be published in such a raw state, so I'll release them later. I'm also planning to release a single unified web tool that will cover checks for most of the issues described in the articles that can be verified offline.

Melvin Kitnick 🏴‍☠️:
@pingiskok I guess it also goes back to the path traversal vulnerability so you can file:///dev/null and use no secret to sign the jwt! Great blog btw. Just a thing: it goes from part 14 to part 17 for some reason

Pingiskok @pingiskok:
Great catch, you're right. In the jku/x5u article I really did focus on SSRF via HTTP(S) and cloud metadata, but I skipped file:// and other schemes, even though it's a classic. If the server uses a universal URL loader (Java URL/URLConnection, Python urllib.urlopen, PHP streams with allow_url_fopen), then jku: "file:///etc/passwd" or x5u: "file:///proc/self/environ" turn into clean LFI right through the JWKS parser. And what's especially interesting, this often bypasses the host whitelist, because the scheme is different and there's no host at all. Thanks for the feedback, and it's awesome that you actually read the stuff instead of just bookmarking it! ❤️ I'll add these things as a "P.S." when I'm putting out the next series of articles.
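Added example, not code from the rmrf.tips articles or from either poster: the file:// variant raised in the two replies above (a jku pointing at a local file, including an empty one such as /dev/null), shown as a vulnerable JWKS loader beside a hardened one. It assumes a server that fetches the jku URL with Python's urllib.request.urlopen and guards it with a host check that only runs when a host is present. The allowlist host auth.example.com, the forged token, the temp files standing in for /proc/self/environ and /dev/null, and all function names are constructed for this example.

```python
import base64
import json
import os
import tempfile
import urllib.request
from urllib.parse import urlparse

# Assumed allowlist of JWKS hosts; a made-up name for this example.
ALLOWED_JKU_HOSTS = {"auth.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the (unverified) JOSE header of a compact JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


def naive_fetch_jwks(jku: str) -> bytes:
    """Vulnerable loader: the host check only fires when a host is present.

    file:///path has an empty netloc, so hostname is None, the check is
    skipped, and urllib's built-in FileHandler reads the local path.
    """
    host = urlparse(jku).hostname
    if host and host not in ALLOWED_JKU_HOSTS:
        raise ValueError(f"jku host {host!r} not allowed")
    with urllib.request.urlopen(jku) as resp:  # http, https, ftp, file, data
        return resp.read()


def hardened_fetch_jwks(jku: str) -> bytes:
    """Hardened loader: positively allowlist scheme and host before any I/O."""
    p = urlparse(jku)
    if p.scheme != "https":
        raise ValueError(f"jku scheme {p.scheme!r} rejected")
    if p.hostname not in ALLOWED_JKU_HOSTS:
        raise ValueError(f"jku host {p.hostname!r} rejected")
    if p.username or p.password or p.port not in (None, 443):
        raise ValueError("userinfo or non-standard port in jku rejected")
    with urllib.request.urlopen(jku) as resp:
        return resp.read()


def rejects(loader, jku: str) -> bool:
    """True if the loader refuses the URL before performing any fetch."""
    try:
        loader(jku)
    except ValueError:
        return True
    return False


def forge_token_with_jku(jku: str) -> str:
    """Constructed attacker token: the header points jku wherever we like."""
    header = {"alg": "RS256", "kid": "1", "jku": jku}
    return b64url_encode(json.dumps(header).encode()) + ".e30.sig"


def demo() -> dict:
    """Run a forged token through both loaders against constructed local files:
    one standing in for /proc/self/environ, one (empty) for /dev/null."""
    with tempfile.TemporaryDirectory() as d:
        environ = os.path.join(d, "environ")
        with open(environ, "w") as f:
            f.write("DB_PASSWORD=hunter2\n")  # constructed secret
        devnull = os.path.join(d, "null")
        open(devnull, "w").close()

        token = forge_token_with_jku("file://" + environ)
        jku = jwt_header(token)["jku"]
        return {
            "host_seen_by_check": urlparse(jku).hostname,  # None: check skipped
            "leaked": naive_fetch_jwks(jku),  # file contents, i.e. LFI
            "empty_jwks": naive_fetch_jwks("file://" + devnull),  # b"": no keys
            "blocked": rejects(hardened_fetch_jwks, jku),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened loader rejects on scheme first, so file://, ftp://, data: and plain http:// never reach urlopen; the host check then runs on whatever hostname remains, including None. Whether the bytes the naive loader reads are echoed back to the attacker depends on how the JWKS parse error is reported, which the example does not model; it only shows that the loader reads them.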

Pingiskok @pingiskok:
@longlivedoma I think I'll get to this a bit later. Right now I'm working on another series that you should enjoy. But business logic is a veeeery broad topic, so I'll think about how to fit it into a series of articles.

Pingiskok @pingiskok:
@xer0c @tributaryso This might be one of the best compliments I could have received. Glad it helped you!

xeroc @xer0c:
@tributaryso's payment verification just got even more secure. This article had a few gems. Published yesterday. Security improvements 🚢'ed today x.com/pingiskok/stat… This is how we use it in Tributary: medium.com/@xeroc/accepting-recurring-solana-payments-in-react-without-losing-your-mind-652583e8c91d #buildinpublic

Quoted post, Pingiskok @pingiskok:
Every JWT writeup online covers 2–3 attacks and stops. I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place. rmrf.tips/en #infosec #appsec #bugbounty #websec #jwt


Pingiskok @pingiskok:
@0a_yso I'd like to clarify that all the material is written from scratch. However, the information in it was gathered from public sources and my own experience.

yso @0a_yso:
@pingiskok What did you use as a source? Your own experience or other's research?

Pingiskok @pingiskok:
@0a_yso Of course, 90% of it is based on other people's research. And yes, it was my mistake not to cite the sources in the articles from the start. I'm planning to fix this in the upcoming updates to the articles.

Pingiskok @pingiskok:
@RCristio93143 Thanks bro! Access control & business logic is a massive topic - hard to cover properly even in 20 posts, but I'll try to tackle it down the line. Right now I'm finishing another series that I think you'll really enjoy - stay tuned