One misbound identity. One exposed internal path. Two routes to total compromise. In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems: nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another us...
All content for Hacked & Secured: Pentest Exploits & Mitigations is the property of Amin Malekpour and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
One misbound identity. One exposed internal path. Two routes to total compromise. In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems: nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another us...
Ep. 1 – Breaking OTP Security, Exploiting Static Domains & Privilege Escalation via Role Misconfigurations
Hacked & Secured: Pentest Exploits & Mitigations
19 minutes
9 months ago
Ep. 1 – Breaking OTP Security, Exploiting Static Domains & Privilege Escalation via Role Misconfigurations
What if your OTP security wasn’t secure at all? What if a static domain—something most people ignore—could lead to full account takeover? And what if flawed role management allowed admins to escalate privileges? In this episode of Hacked & Secured: Pentest Exploits & Mitigations, we break down three real-world security failures that turned minor oversights into critical exploits: Leaking OTPs in API responses – Breaking authentication at the source.Static domain to account takeover – ...
Hacked & Secured: Pentest Exploits & Mitigations
One misbound identity. One exposed internal path. Two routes to total compromise. In this season finale of Hacked & Secured: Pentest Exploits & Mitigations, we break down two real-world findings that show how small trust assumptions can unravel entire systems: nOAuth (SSO account misbinding) — Multi-tenant SSO auto-linked accounts by email instead of a stable subject/issuer identifier. With a crafted identity on a controlled domain, an attacker could land a valid session as another us...
