Bug Hunting and API Issues: Exploring the World of Technical Debt
While these bugs may not be incredibly complex or technical, they shed light on the significance of addressing technical debt.
In this mini-series we chat about bugs I’ve actually found. Many of the bugs are not technically complex and are more like business logic errors and access control issues rather than flashier XSS or RCEs.
Read the Docs: The Art of Discovering Hidden Vulnerabilities
This story dives deep into a security vulnerability around discovering specific software versions and dependencies, leveraging queries and investigating a multi-part form in GraphQL to unlock the potential for uncovering vulnerabilities. It highlights the bug-hunting process and showcases how seemingly insignificant details can lead to valuable insights.
Thinking CRUD: Navigating Access Control Vulnerabilities
This story explores the world of create, read, update, and delete (CRUD) operations in RESTful APIs. By examining a real-life scenario involving access control, I shed light on the importance of carefully examining the permissions and visibility of resources. I showcase how populating forms and retrieving information from private resources could potentially lead to valuable insights regarding access control vulnerabilities.
Quizzical: Balancing Performance and Security
The final story takes us on a journey into mobile app security. I examine a quiz app that offers limited opportunities for finding vulnerabilities. However, by investigating the app's batching technique and analysing the data exchanged between the client and server, I uncover a subtle business logic error. This story emphasises the need to balance performance optimisations and security measures.