Exploiting Your Application
A couple of years ago, I worked as a software tester where I did mostly manual and some automated testing. This position was a lot of fun because I was basically given permission to find any way to completely obliterate a software system as an end user.
I would spend hours feeding these systems absurd inputs to try to find bugs and vulnerabilities. However, when building my own applications, I sort of lose this mindset. I’m no longer trying to penetrate and break the systems I build. My code is either tested by the unit tests or with a light smoke test before merging and deploying.
A couple of days ago, someone I work with mentioned that they had added some security to the code they were working on. This got me thinking, “Are the APIs in the application I’m working on secured?”
It’s not something I really thought about–I guess I had just assumed everything was locked down. Nope! While there was some user validation at a higher level, I wasn’t verifying that the data the user was sending or requesting actually belonged to that user.
For example, we have two users named Jane and John who both have some user information on the server. Jane and John don’t know about each other, but either of them could brute force the servers with random requests until they got something that didn’t belong to them.
While this method may not be the most effective for Jane or John, it’s still a vulnerability that needed to be addressed–and addressed it has been.
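As an added illustration of the missing check described above (example code, not from the original post): a record lookup that only authenticates the caller, beside one that also verifies the record belongs to that caller. The users, record ids and in-memory store are constructed for the example.

```python
# Added example: the ownership check that was missing in the post's API.
# Users, ids and the RECORDS store are constructed stand-ins for a real
# database and session layer.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str      # username that this record belongs to
    data: str


# Constructed sample data standing in for the server-side store.
RECORDS = {
    1: Record(1, "jane", "jane's address"),
    2: Record(2, "john", "john's address"),
}


def get_record_insecure(session_user: str, record_id: int) -> Optional[Record]:
    """The caller is authenticated (session_user is known), but ownership is
    never checked: any logged-in user can read any record by guessing ids."""
    return RECORDS.get(record_id)


def get_record_secure(session_user: str, record_id: int) -> Optional[Record]:
    """Looks the record up *and* verifies it belongs to the caller.

    A record owned by someone else is reported exactly like a missing one,
    so the response does not reveal which ids exist on the server."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        return None
    return record


if __name__ == "__main__":
    # Jane asks for record 2, which belongs to John.
    print(get_record_insecure("jane", 2))  # leaks John's record
    print(get_record_secure("jane", 2))    # None
    print(get_record_secure("jane", 1))    # Jane's own record
```

In a real application the same rule is usually expressed as a query scoped to the caller (for example `WHERE id = ? AND owner_id = ?`) rather than a fetch followed by a comparison, so that no code path can forget the check.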
Adding security isn’t much work, but it’s a very important task when building out a server-side application. In addition to this, be sure to seek out additional vulnerabilities in your application! You’re most familiar with how it works, and it’s better that you find these things than someone with ill intent.