Practical guide to landing your first CyberSec job as a fresh grad



My plan to land my first cybersecurity job was a promising one: I just had to acquire cybersecurity skills and apply to my favourite company to get hired. It wasn't until I had applied to all the top companies on Earth, the Moon and Mars that I realized that even getting shortlisted for an interview can be a daunting task.

This was back in January 2017: I was at rock bottom, had 0 offers in hand and knew nothing about job hunting. Fast forward 8 months, and I had at least 7 job offers in hand and was starting my career with a Big 4 auditing firm, but most importantly I had learnt the methods and principles required for a victorious job hunt. To this day I still use them to land interview opportunities with top companies such as Facebook, Microsoft, Amazon and HackerOne.

Students come from different backgrounds and it is very difficult to generalize a job-hunting approach for all, but to cover the majority of the strategies I will consider the approach from the perspective of a worst-case scenario: a candidate who can't get opportunities in cybersecurity through college placements and knows zero people in the industry who can give a reference.

The approach


Decide the area of work & gain skills

Going for a job hunt only makes sense if you have acquired sufficient skills for your desired role. You should do enough research about the types of roles you want to apply for and the requirements they have before starting your job hunt.

Most entry-level cybersecurity roles require general cybersecurity and computer science knowledge. Here's what a role looks like on a LinkedIn job search if I apply the filters "Cyber Security Engineer | Experience: Entry Level":


Although it is not mandatory, it is a very good decision to select a specialized domain you want to pursue within cybersecurity early on; that way you can start building your profile around that area, and it will be easier for you to make career decisions once you move on from the trainee role. Some of the common domains are mentioned here.


Decide the type of companies you want to work for

In general, there are two types of companies: consulting (Deloitte, EY, PwC) and product-based (Unilever, Boeing, Sony). In consulting firms you will typically work on short-term projects and get numerous opportunities to do a variety of work, whereas in product-based firms you will be working on securing a single product or a handful of products, which will enable you to specialize in one domain and increase your depth of knowledge. (This is how things work in general, but don't be surprised if you experience something different.)

With this you should also decide whether you would like to work with startups and mid-size firms or with large-scale companies; the interview and job application process at these places is slightly different (we'll cover more later). No category of companies is good or bad; the deciding factor should be the choice of work, which is personal to you.

Gain experience if you can

The good thing about internships is that the requirements are not that demanding and it's pretty easy to get one (unless you are applying at top companies); you just need to be aware of the opportunities floating around and apply at the right times.

This filter on LinkedIn Jobs is the bare minimum you can do to look for opportunities. Just keep the Job Alerts button turned on.


Prepare your resume

At the beginning of my career I had the most visually appealing resume you would've ever seen, so good that it would put designers to shame. It was one of those enhancv/resumebuild.com resumes with pie charts, bar graphs etc. Guess how many jobs it landed me? . . . Zero.

There were 2 major reasons why that resume didn't perform well:

Content:

The same way painting your Toyota bright red won't make it a Ferrari, using great-looking templates won't make your resume top-notch (*unless applying for a design role). Content is king and it will be the deciding factor in whether you get an interview opportunity or not. The wrong way to approach resume creation is to download a template and fill it with your details; the correct way is to decide the content you want to put in your resume and then select a template which is the best match for that.

To understand the basics of resume creation, here's a good resource: Create Your Resume for Google: Tips and Advice, and if you are ready to put in additional effort you should definitely read The Google Résumé.

To get you started, here are the key takeaways from these resources that will make your resume top-notch.

#1  Focus on impact
Not all activities you did within cybersec are worthy of putting in your resume; when describing a task or project, always focus on the impact you had. How does "I am an active bug bounty hunter" sound vs. "As a bug bounty hunter I identified a high-severity IDOR issue leaking the PII of over 1 million users"?

#2  Use action words
If you haven't heard about them before you should definitely check this out. In a nutshell, action words demonstrate your strengths and highlights and put the focus on impact. Achieved, Implemented and Collaborated are a few examples of action verbs.

#3  Customize your resume based on the job description (the previously linked Google resume tips video describes this in more detail)

#4  Describe with metrics & facts
You might have the best web app security skills on the planet and just write "Has good knowledge about OWASP Top 10" on your resume. Meanwhile, the candidate who just started learning web apps yesterday will write something similar.

What differentiates your skills from others'? What reason did you give the recruiter to choose your profile for an interview over the others?

Your skill set should be quantifiable, which gives a realistic idea of where you stand. For instance, I have this bullet point on my resume: "Accomplished rank 32 in comparison to 400+ participants in Facebook CTF by completing web app security challenges". This isn't the best accomplishment in the world, but it draws a realistic picture of where my skill set lies compared with others. (If you had instances where you performed amazingly well you should definitely put them in, but if you don't, it won't hurt to put in your above-average performances.)

You will be surprised to know that employers are generous enough to understand that the skill set of a fresh grad can't be compared with that of an experienced professional, and they would consider above-average performance a good sign. (Tip: wherever possible, use the formula "Accomplished [X] in comparison to [Y] by doing [Z]" to describe the activities you did; that way you make the activity measurable.)

Additional note: if your career profile has some weak points, like a tier 3 college, no internships or a non-cybersec degree, you should focus more on accomplishments; they can definitely fill the gaps. A few ideas for accomplishments you can gain: participate in a CTF, do a certification, present at reputed conferences, write a research paper, do bug bounties, contribute to open-source cybersecurity projects, build something, etc.

ATS Compatibility:

If you haven't heard about ATS before and were having a hard time deciding on the best graphical template for your resume, let me make it easier for you: during initial screening your recruiter won't even see your resume template.

Once you apply on a career portal, what happens in the background is that your resume is processed by an Applicant Tracking System (ATS), which extracts the content from your resume, scores it (on a scale of 1-100) and displays it in a nice dashboard.

Here's what your application looks like in the Workday ATS. (Notice how the content from the resume is populated into the dashboard?)

Note: Images are of low quality because I cropped them from a product demo video, I'll try to replace them once I find better ones.

Another aspect is the scoring mechanism: all candidate resumes show up as a list sorted from high to low score, and a recruiter will only screen the resumes on the first few pages, so if you score higher you have a better chance of getting screened. (Ever wondered why your application at Google never got reviewed?)

Now your hacker mindset must be making you think about exploit.py: how to score higher? Let me tell you, whatever ideas you have in mind will mostly be valid (using the same keywords as the job description, keyword frequency etc.), but don't get too caught up with this; resume screening is a very minor step in the interview process and you will eventually have to interact with real humans.

Scored & sorted resumes in Workday

Finally, a word of caution: visually impressive resume templates typically don't perform well with ATS. To show you a real example, I picked a resume template from the page #1 resume builder on Google and scanned it with another page-one ATS; the results show that the ATS failed to parse the resume properly.


Because of this exact problem, I've completely ditched visual resume templates; all I use is a plain Word doc with a couple of subheadings, bullet points, a white background and black font. It does not look as bad as you might think and gets parsed very well; for the example below I landed the interview by applying only through the career portal (no referrals). I won't call myself lucky to get shortlisted out of a couple of thousand candidates; I did spend all that time learning about ATS :)


Tip: a resume customized for a specific job description will appear more relevant to the recruiter and will also score higher in the ATS.

To summarize, you should know the common pitfalls of graphical resume templates and try to strike a balance between making your resume human-readable and ATS-parsable. Once you have your resume prepared, try it against a couple of freely available ATS tools to see if it parses.

Start applying (Job hunting strategies)

#1  Applying via career portal:
This is the most obvious way to apply for a job. The things to note here are that the success rate of getting shortlisted by applying on the career portal of a large-scale firm is very low, and you need to care about ATS compatibility and score.

In comparison, the success rate of getting shortlisted by small and mid-sized firms is pretty high (if you meet the job criteria) and you don't have to care much about ATS; since the volume of resumes they receive is low, they typically review all resumes manually.

Also, wherever you apply, be ready to get ghosted; some companies might not send you a rejection email at all. If you don't hear back within a month or so, consider it a dead lead.

#2  Conferences & Career Fairs
I never knew how amazing cybersec conferences can be for getting job opportunities until I attended one. First of all, there will be plenty of companies with a trade booth where you can walk up and discuss career opportunities. I had an experience where a company was running a small CTF challenge; I performed well in it and later on discussed career opportunities. It went well and I got an interview. Don't believe me? Here's POC.png


Secondly, the open culture at these conferences will provide you with opportunities to interact with other people; you can make very good professional connections who can refer you to very good companies if you play your cards right. (Does my FireEye referral sound impressive enough to make you believe in this strategy?)

#3  LinkedIn Spam:
Remember how I told you to customize your resume for every job role? This method breaks all the rules we set earlier. During my job hunt I was asking every cybersec professional out there for opportunities and applying to all the job postings on LinkedIn. What I discovered was that the success rate of this approach is extremely low and it's not worth it. At one point I had literally applied to hundreds of open positions, and my inbox was so flooded with rejection emails that I mistakenly ignored the ones which wanted to proceed with my application, thinking they were just more rejection emails. :facepalm:


With that being said, it does not mean that this approach doesn't work; it's just that the approach is very aggressive and less productive. It's better to stick to the other strategies, which convert well.

#4  Applying via relevant job posts on LinkedIn:
This is probably the most productive approach of all. The strategy is to search for specific keywords on LinkedIn and find relevant entry-level roles.

A search for the keywords "we are hiring cybersecurity graduate" leads me to the following post. These posts are usually created by hiring managers or recruiters and typically don't gain a lot of popularity, so you will have to compete with another 15-30 candidates who also noticed the same post, which is a lot better than competing with a couple of thousand on a job portal.


Ever felt left out thinking about the fact that you know 0 people in the industry who can refer you to a company? Well, use the same strategy to get referrals. All you need to do is convince someone who is ready to refer that you have the matching skills for the role.

It worked well for me once I had already gained some experience, but it's doable even without any experience (great achievements in cybersec can fill the gap).

Note: you should definitely be qualified (or overqualified) when you ask a complete stranger to do you a favour and give you a referral.



Alice in Wonderland :)


#5  Passive Job Hunting
This might sound counter-intuitive, but if you can build a good career profile you might not need to apply at all. All you need to do is put your accomplishments on LinkedIn, mention in your title/profile pic/job preferences that you are open to work, and stay a little active on LinkedIn.

At least that's how I managed to get most of my interview opportunities, and a chance to work with the best manager ever :)


Prepare for the interview

Typically the majority of companies have a technical cybersecurity round and a behavioural round (with the exception of top tech firms; I explained their interview process here in detail).

You can check out this compilation of interview questions to prepare for the technical round; you will probably get asked similar questions. For the behavioural rounds, you will be evaluated on your ability to work in a team, your eagerness to learn new things and your ability to resolve conflicts; you can check out this resource to get an idea about these kinds of interviews.

Evaluate & accept the offer

While evaluating an offer you should always check Glassdoor for a rough estimate of the median salary for your role in that specific area; if your offer is at the lower end of the range you can definitely negotiate. Also, if you are in a situation where you have multiple offers from similar types of companies, your decision should be based on how compassionate your hiring manager is. Starting your career with an amazing manager will help you unlock great opportunities.

Doing the job


Finally, remember that the key to success is grit and taking accountability for your own actions; you possess all the strength you need to make your own future. All the best with your job hunt :)

I interviewed as a Security Engineer at tech giants, here's what I learnt



It all started when I was still in university and developed a prominent interest in web application security. I aspired to get into one of the tech giants (the GAFAM companies), but it wasn't until I had already spent 2 years in the industry that I finally got a chance to interview at Microsoft, Amazon and Facebook.

I had started my career doing bug bounties, and the positions I got interviews for were closely related to web application security. To prepare for these interviews I made sure I knew every sophisticated payload out there; I even went to the extent of reading research papers to learn what more complex things I could do with very rare vulnerabilities such as RPO-based XSS.

With those skills I was pretty confident that I would be able to crack the interviews. Guess how those interviews went? I failed Microsoft in the screening round, and Amazon and Facebook in the onsite round. The interviews were completely different from the interviews I had done before; that was when I realized that I had made a lot of assumptions, and those led me to failure.

I have compiled a list of the assumptions I had before interviewing at these companies and what I learnt from my failures. If you aspire to get into one of the GAFAM companies you can definitely learn from my experiences and avoid making the same mistakes.




#1.  I am interviewing for an offensive security role, I do not need to know about defense

Even though you're interviewing for a pentester role, you will still be asked about vulnerability mitigation and remediation. Interviewing for an offensive security role is no excuse for not knowing about the defensive side of things, and vice versa.

#2.  I need to know complex payloads & wizard-level attack techniques

You'll almost never get interviewed on complex stuff . . . unless you bring it up. Your interviews will mostly consist of open-ended questions asked to explore your breadth and depth of knowledge.

e.g., Question: How would you stop malicious bots from attacking your website? (Not an actual interview question)
Answer: You can talk about the attacks originating from bot traffic: credential stuffing, data scraping and DDoS attacks. Then you could go in depth and talk about the various types of DDoS attacks (an NTP-based amplified DDoS attack exploits the monlist command) and finally talk about how you would stop these attacks.

If you answer in this way you show that you understand the different types of attacks (breadth of knowledge) and also the specific technicalities of attacks (depth of knowledge).

To excel in these interviews it's better to build overall cybersecurity knowledge along with knowledge of common vulnerabilities; being asked to come up with a payload to exploit a very rare vulnerability is not the norm.

#3.  It's all about having cybersecurity skills

It might sound counter-intuitive, but cybersecurity constitutes less than 50% of the overall interview domains; being good in cybersecurity alone won't be sufficient to get you through the interview process.

Some of the other domains you need to know might be:
  • Networking Fundamentals - (OSI, DMZ, Firewalls, DNS)
  • Competitive Programming - (Optimized Solution, Calculating Space & time complexities)
  • Code Review - (Ability to read someone's code)
  • System Design - (More details later in the post)

#4.  I am not interviewing for a dev role, I don't need to know competitive programming

While the majority of companies might not ask you to solve competitive programming questions, there are still a few which will. For instance, 3 of my interviews (2 screening and 1 onsite) at Facebook were pure competitive programming interviews.

The expectation in this interview is that you should be able to solve easy-to-medium-level competitive programming questions, find the optimized solution and its space/time complexity, and be able to implement the most basic data structures like sets, lists, hash maps etc.

It's very difficult to build these skills overnight, so you should definitely check whether your dream company requires you to possess this skill set.

#5.  Security design interviews should be easy to clear

When I found Security Design in my onsite interview schedule at Amazon I searched online a little and didn't find many resources about this topic, so I assumed that I would be asked about WAFs, IDS, encryption etc., the basic things you need to make a network architecture secure.

During my interview I was asked to come up with the architecture for a particular type of website. I did it: I made a server, a database and an API gateway, connected all of them together and, as a cherry on top, I even added a WAF. BoOm!! (it's big brain time). I felt the interview was too easy, but I was not even close; I missed the expectations of that interview by a couple of light-years.

In reality, a Security Design interview is a System Design interview with security as a focus area. To get a taste of what a system design interview looks like, you should look at this video.

But to summarize, you need to know:
  • Data Structures (How would you build an Uber like app? heard about QuadTree Data structure?)
  • Tradeoffs (Why would you pick a NoSQL DB in comparison to Relational DB?)
  • Concepts (Consistent Hashing, CAP Theorem etc)
  • Scaling Strategies (How to vertically & horizontally scale a design, what sharding strategy would you define?)

Another interesting type of security design interview is the one where you'll be given a half-done design and a predefined set of goals. Your interviewer will ask you to add new things and make the design work in such a way that it meets the predefined goals.

#6.  Behavioral interviews are a piece of cake

They are not: your behavioral interviews can last anywhere from 40 minutes to a whole day (at Amazon all onsite tech interviews are 50% tech and 50% behavioral). During these interviews you will be asked about your past experiences, so you should prepare enough examples to last you through 40 minutes or 1 day.

These interviews are also the most important ones; if you fail them, then regardless of how well your technical rounds went you will still be rejected. The recommended way to answer these questions is to follow the STAR methodology; if you haven't heard about it before, you should definitely check it out.

In a nutshell, behavioral interviews can't be taken for granted and definitely need some prior preparation.

#7.  The interviewer is interviewing to find flaws & weaknesses

It may come as a surprise, but interviewers at these companies actually want you to perform well in the interviews. With most of these companies you will have a prep call where they walk you through the interview process and tell you what to expect during the interview. Some companies would even go to the extent of buying you an online course to prepare better for the interviews.

I can't explain this with facts and metrics, but if you change your perspective from "the interviewer is interviewing me to find my flaws" to "the interviewer is interviewing me to succeed" you'll be more comfortable giving the interview; this works like magic and there's no explanation for it.

Finally, if you have an upcoming interview, all the best :) Or if you're in the process of preparing for interviews, here are some good resources I found: Security Engineering at Google: My Interview Study Notes and My experience with Google interview for information security engineer.







[Writeup] How I bypassed X-Frame-Options protection at Google Books

Hi There,

This is a long-delayed writeup; I had reported this vulnerability around March this year, but didn't realize that the bug was fixed until now.

Let's get started,

Abstract:

Google Books had implemented the X-Frame-Options header for protection against clickjacking attacks.
I was able to bypass this protection and clickjack the Google Books dashboard.

Background:

So one good evening when I was checking out some books on Google I came across this preview page, which for some strange reason looked vulnerable to me, and I started testing it out.


While testing the webpage I found that Google allows its books to be embedded into another webpage by using an embed code.


This is an example embed code:

<iframe frameborder="0" scrolling="no" style="border:0px" src="https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&output=embed" width=500 height=500></iframe>
By reading the code one can easily tell that the X-Frame-Options header protection will be turned off for the iframe source URL to make it framable on another webpage.

The HTTP response headers of the embed code are:


By comparing the framable URL with the original Google eBook URL, I found an interesting parameter: output=embed

Original webpage URL:
https://books.google.co.in/books?id=YJKbVzeabJYC&printsec=frontcover&dq=web+application+hackers&hl=en&sa=X&redir_esc=y#v=onepage&q&f=false

Framable URL:
https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&output=embed

Using this parameter, Google was removing X-Frame-Options and making a book framable.

Now the question is: will this parameter remove X-Frame-Options from any other webpage and make it framable?

Answer: Yes



HTTP response of the Google Books dashboard


HTTP response of the Google Books dashboard with the output=embed parameter


Impact: with just 2 clicks on the proof-of-concept webpage, all books from your bookshelf could be deleted.
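As an added example (not code from the writeup), this is the policy that closes the bypass: framing protection is relaxed only for the embeddable path, never merely because output=embed is present, and a small checker classifies response headers like the ones captured above. The path /books comes from the writeup; /books/dashboard is an assumed placeholder for the dashboard, whose real path the post does not give.

```python
"""Anti-framing policy keyed on the resource, not on a query parameter.

Added example: the only path taken from the writeup is /books (the embed
endpoint); /books/dashboard is an assumed stand-in for the dashboard.
"""
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Paths designed to be framed by third-party pages (the book preview).
EMBEDDABLE_PATHS = {"/books"}

# Sent for everything else, whatever the query string says.
DENY_FRAMING = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def frame_headers(url: str) -> Dict[str, str]:
    """Return the anti-framing headers for a request URL.

    The bypass worked because output=embed alone switched the protection off
    on every page. Here the parameter can only narrow what is framable: it
    has effect on an embeddable path and is ignored everywhere else, so
    /books/dashboard?output=embed still gets DENY.
    """
    parts = urlsplit(url)
    wants_embed = parse_qs(parts.query).get("output") == ["embed"]
    if parts.path in EMBEDDABLE_PATHS and wants_embed:
        return {}  # the public embed: intentionally framable by anyone
    return dict(DENY_FRAMING)


def framing_restricted(headers: Dict[str, str]) -> bool:
    """Check a captured response: does it forbid framing by arbitrary origins?

    True for X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors
    directive that is not a bare wildcard; False otherwise. The dashboard
    response with output=embed shown in the writeup would come back False.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and sources.strip() and "*" not in sources.split():
            return True
    return False


if __name__ == "__main__":
    for u in ("https://books.google.co.in/books?id=YJKbVzeabJYC&output=embed",
              "https://books.google.co.in/books/dashboard?output=embed"):
        print(u, "->", frame_headers(u))
```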

Reward: $500

Thanks for Reading :)

[Writeup] How I prevented a bank from getting robbed



This story is about a loophole in an online banking website which could have allowed an attacker to steal funds from any customer account. After discovering this issue I immediately got in touch with the bank's security team and coordinated until a patch for this loophole was released. In this writeup I can't share the exact technical details of how I exploited the issue on the target website, but I can give you a generalized idea of what went wrong and how it could have been exploited.

Abstract: 
There was a bug in the forgot password module of a netbanking website, by exploiting which an attacker could have updated any customer's netbanking account password to a value of his choosing.

To understand the exploit, we first need to understand how password recovery works on the target bank's website.

Here is the normal flow of the password recovery process, which can be initiated by visiting the forgot password page:


To recover a forgotten password on the netbanking website a customer has to follow this process:

Step 1: Identify account using customer id.
Step 2: Submit an OTP (One Time Password), which will be sent via SMS & email.
Step 3: Set a new password.

After following this process the customer's password will be updated.

During my research, I found out that the webpage at "Step 3" was not validating whether the customer had completed "Step 2" (OTP verification).

The Exploit:

To exploit this issue an attacker has to complete "Step 1" -> generate a Session ID -> submit this Session ID to the "Step 3" endpoint along with the new password he wants to set for the account.

After making the POST request the customer's netbanking password will be updated. Since the customer IDs on the netbanking website were numerical, an attacker could have written a script that would reset every netbanking account's password and transfer funds out of it.
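As an added example (constructed, not the bank's code), here is the check that was missing at Step 3: each recovery session records server-side whether the OTP step succeeded, and the password endpoint refuses any session that has not reached that state. The OTP delivery callback and the in-memory password table are assumed stand-ins for the bank's SMS/email channel and customer store.

```python
"""Three-step password recovery with server-side progress tracking.

Added example: the session store, OTP delivery callback and password table
are constructed stand-ins; the flow (identify -> OTP -> new password) is the
one described in the writeup.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class RecoverySession:
    customer_id: str
    otp: str
    otp_verified: bool = False   # flipped only by a successful Step 2
    attempts: int = 0


class PasswordRecovery:
    MAX_OTP_ATTEMPTS = 3

    def __init__(self, send_otp: Callable[[str, str], None]) -> None:
        self._send_otp = send_otp            # SMS/email delivery in production
        self._sessions: Dict[str, RecoverySession] = {}
        self.passwords: Dict[str, str] = {}  # stand-in for the customer store

    def start(self, customer_id: str) -> str:
        """Step 1: identify the account and mint a session bound to it."""
        session_id = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._sessions[session_id] = RecoverySession(customer_id, otp)
        self._send_otp(customer_id, otp)
        return session_id

    def verify_otp(self, session_id: str, otp: str) -> bool:
        """Step 2: check the OTP and record the outcome on the session."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session.attempts += 1
        if session.attempts > self.MAX_OTP_ATTEMPTS:
            del self._sessions[session_id]   # too many guesses: start over
            return False
        if secrets.compare_digest(session.otp.encode(), otp.encode()):
            session.otp_verified = True
            return True
        return False

    def set_password(self, session_id: str, new_password: str) -> bool:
        """Step 3: accept a new password only from an OTP-verified session.

        The bank's endpoint skipped the otp_verified check, so a session
        fresh from Step 1 could be posted straight here.
        """
        session = self._sessions.get(session_id)
        if session is None or not session.otp_verified:
            return False
        self.passwords[session.customer_id] = new_password
        del self._sessions[session_id]       # single use
        return True
```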

At the end of the day this incident was a good test of my hacker ethics and taught me lessons which I will carry with me throughout my life.

Thanks for reading & hack for good :)

[Vulnerability Report] Persistent XSS at Jotform


Persistent XSS @ Developers section

Vulnerable Service: https://developers.jotform.com

Description: The service mentioned above is vulnerable to persistent XSS, due to which an attacker is able to steal user cookies, which may lead to account hijacking.

Demo XSS thread:
https://developers.jotform.com/forum/post/<Removed>
- Click on "For Testing Purposes" to see the alert message.

Payload: javascript:alert('I_Am_Vulnerable_To_XSS');

Steps of Reproduction:
- Create a new thread and in the thread editor click the "Add hyperlink" button.
- Now, instead of a URL, paste the payload there.
- "http://" will be automatically added to the payload; you need to remove that.

Proof of Concept:



Bounty:



[Vulnerability Report] Non-persistent XSS at Microsoft


I had found a reflected XSS issue at Microsoft; below is the report.

------------------- Email starts here -------------------
Vulnerability Type: Non-Persistent XSS
Abstract: The affected URL is vulnerable to non-persistent XSS, due to which an attacker is able to take over the Microsoft account of a logged-in user.
Affected Url: https://www.microsoft.com/en-us/research/search/?q=<script>;prompt()<script>
Payload: <script>;prompt()</script>
Vulnerability Impact Scenario: With non-persistent cross-site scripting (XSS) an attacker can create a custom URL with cookie-stealing code; on visiting it a user's cookie can be stolen and his account hijacked.
Vulnerability Reproduction Steps (POC):

1. Visit the URL "https://www.microsoft.com/en-us/research/search/?q="
2. With the parameter "q=" we can inject our payload.

Brief description of the issue:
This vulnerability is caused by validation being present only on the search textbox on the webpage; no validation is present if we provide the same malicious HTML payload directly through the URL.

Proof of Concept:



Hall Of Fame:


[Vulnerability Report] Open Redirect on multiple subdomains of Intel

 
 
 
 
------------------- Original Message -------------------
 
Vulnerability Type: Open Redirect ( https://www.owasp.org/index.php/Open_redirect )
 
Vulnerable URLs:
https://communities.intel.com/terms-and-conditions!input.jspa?url=http://evilsite.com
https://<private>.intel.com/external-link.jspa?url=http://evilsite.com
 
Summary: An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
 
In the URLs described above the parameter url= is vulnerable to open redirect. An attacker is able to provide a custom URL to which the victim will be redirected, and can thus pass off his malicious URL as Intel's.
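As an added example serving both the Jotform hyperlink report above and this open redirect report (not code from either vendor): one allow-list for the schemes a user-supplied hyperlink may carry, and one for the hosts a url= parameter may redirect to, both decided on the parsed URL rather than on string prefixes. The allowed-host set is an assumption for the demo.

```python
"""Allow-listing user-supplied URLs for two different sinks.

Added example covering the Jotform hyperlink case and the Intel url=
redirect case; the allowed-host set used in the demo is constructed.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

LINK_SCHEMES = {"http", "https", "mailto"}  # what an <a href> may carry
REDIRECT_SCHEMES = {"http", "https"}
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def _clean(raw: str) -> str:
    # Browsers drop tab/newline anywhere and leading/trailing control
    # characters before working out the scheme, so normalise the same way.
    raw = "".join(ch for ch in raw if ch not in "\t\r\n")
    return raw.strip(_LEADING_JUNK)


def safe_hyperlink(raw: str) -> Optional[str]:
    """Return a URL fit for an <a href>, or None to reject it.

    The editor in the report prepended "http://" and then trusted whatever
    the user sent back once they removed it. Deciding on the parsed scheme
    cannot be undone client-side: anything outside LINK_SCHEMES, the
    javascript: payload included, is rejected.
    """
    candidate = _clean(raw)
    if not candidate:
        return None
    if not urlsplit(candidate).scheme:
        candidate = "http://" + candidate  # bare host/path, as the editor did
    return candidate if urlsplit(candidate).scheme.lower() in LINK_SCHEMES else None


def safe_redirect(raw: str, allowed_hosts: Set[str], fallback: str = "/") -> str:
    """Return a redirect target confined to allowed hosts or a local path."""
    candidate = _clean(raw)
    parts = urlsplit(candidate)
    local_path = (not parts.scheme and not parts.netloc
                  and candidate.startswith("/")
                  and not candidate.startswith("//")   # scheme-relative, not local
                  and "\\" not in candidate)           # some browsers read "\" as "/"
    if local_path:
        return candidate
    if (parts.scheme.lower() in REDIRECT_SCHEMES and parts.hostname
            and parts.hostname.lower() in allowed_hosts):
        return candidate
    return fallback
```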
 
 
 

[Vulnerability Report] Non-Persistent XSS on Beats By Dre

--------- Following is the email which I had sent to Apple Product Security ----------

Vulnerability type: Non-Persistent XSS

Affected URL: https://tempo.api.beatsbydre.com/v1/login/?return=%22%3E%3C/form%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Attack Scenario: An attacker is able to trick an authenticated user into visiting a malicious URL, which is capable of stealing the user's session and taking over his Apple account.

Best Regards
 Amit Kumar
cse@engineer.com
-------------------------------------------------------------------------------------------------------------------------

Preview:
 
 

[Vulnerability Report] Persistent XSS on Microsoft.com

[Vulnerability Report] Non-Persistent XSS on eBay.com



The following is my report on a serious vulnerability which I had discovered on eBay.com, for which I was also awarded a place in the eBay Hall of Fame.

--- Following is the email which I had sent to the eBay Security Team ---



Vulnerability Type: Non-Persistent XSS



Vulnerability Reproduction Steps (POC):

1. Visit the Scope URL as mentioned above. 

2. Enter the following payload in the search field: "]};; <script>alert("XSS-By-Ak" )</script>

3. After the search our URL becomes the same as the POC URL, which delivers the XSS alert payload "XSS-By-Ak".

System Details: Firefox 41 on Windows 8.1

Let me know if you require any other information; I will be happy to assist.

Regards 
Amit Kumar (Ak)
-------------------------------------End of eMail------------------------------------- 
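As an added example (not from any of the reports), the server-side fix these reflected XSS cases share: the echoed search term is encoded for each context it lands in, and a helper extracts the decoded parameter value the way the server sees it. The page layout is assumed; the inputs used to exercise it are the payloads from the Microsoft, Beats and eBay reports above.

```python
"""Context-aware encoding of a reflected search term.

Added example (not from the reports): the same untrusted value is placed in
the three places a search page typically echoes it. Each context gets its
own encoding; a single HTML-escape does not cover a <script> block, and no
encoding at all is what the reported pages did.
"""
import html
import json
from urllib.parse import parse_qs, urlsplit


def query_param(url: str, name: str) -> str:
    """Decoded value of a query parameter, i.e. what the server actually sees."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def js_string(value: str) -> str:
    """A JS string literal safe inside <script>.

    json.dumps handles quotes and backslashes; the extra replacements make
    sure "</script>" or "<!--" inside the value cannot end the block early.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_search_page(query: str) -> str:
    """Render the fragment with the term in text, attribute and JS contexts."""
    text = html.escape(query, quote=False)  # & < > for element content
    attr = html.escape(query, quote=True)   # also " and ' for attribute values
    return (
        f"<h1>Results for {text}</h1>\n"
        f'<form action="/search"><input name="q" value="{attr}"></form>\n'
        f"<script>var lastQuery = {js_string(query)};</script>"
    )


if __name__ == "__main__":
    beats_url = ("https://tempo.api.beatsbydre.com/v1/login/?return="
                 "%22%3E%3C/form%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E")
    print(render_search_page(query_param(beats_url, "return")))
```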

Acknowledgement:


[Vulnerability Report] Directory Traversal Attack in subdomain of Apple.com


Report: Apple flaw that leads to sensitive file disclosure

The following is my report on a serious vulnerability which I had discovered on one of apple.com's subdomains, for which I was also awarded a place in the Apple Hall of Fame.

------------------ Following is the email which I had sent to Apple ------------------

Vulnerability Type: Directory Traversal Attack

Abstract: I have discovered that one of apple.com's subdomains is vulnerable to a directory traversal attack which allows a remote attacker to access sensitive files saved on the webserver that were not intended to be accessible to an unprivileged user.

Scope: http://consultants.apple.com

Risk Level: High

Vulnerability Description: Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. Directory traversal attacks use web server software to exploit inadequate security mechanisms, giving them root access to directories and files stored on the webserver.

Affected URL: https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf  

Vulnerability Impact Scenario: 
A remote attacker is able to download critical files from Apple's webserver such as /etc/passwd, configuration files and log files, which may result in "Sensitive Information Disclosure" and may also allow the attacker to carry out further attacks on the system using the information gathered through this vulnerability.

Vulnerability Reproduction Steps (POC):
 
1. Visit the Affected URL as mentioned above.

2. Modify the following parameter " e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf " with " ../../../../../../../etc/passwd "

3. So our final URL becomes " https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=../../../../../../../etc/passwd "

4. The final URL which we have generated allows us to traverse to the root directory of the webserver, and as a POC (Proof Of Concept) we can see that the URL allows us to view the /etc/passwd file of the system.


Brief description of the issue: The vulnerability I am reporting is known as a Directory Traversal Attack, which is caused by poor input validation in the affected URL. The parameter "id=" accepts the path of the file to be downloaded, but due to insufficient validation/sanitization of user-supplied file names we can provide custom queries and traverse up to the root directory of the webserver using "../" (go up).

A Directory Traversal Attack is a serious vulnerability which is capable of compromising the entire web server: not just the single subdomain which I have reported but all the websites hosted on the same server. My suggestion is to patch this vulnerability as soon as possible, before it gets discovered by some cracker and exploited.

Let me know if you require any other information, I will be happy to assist.

Regards
Amit Kumar (Ak)
cse@engineer.com
-------------------------------------End of eMail-------------------------------------
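As an added example (not Apple's code), the containment check the id= parameter needed: the requested name is resolved under the download root and rejected if the resolved path leaves it, which also covers symlinks inside the root. The download root is a constructed temp directory holding only the PDF named in the report.

```python
"""Confining a client-supplied file name to the download root.

Added example (not Apple's code): the download root is a constructed temp
directory mirroring the legitimate path from the report; the traversal
input checked against it is the one from the report.
"""
import tempfile
from pathlib import Path
from typing import Optional

# The legitimate id= value from the report, decoded.
LEGIT_ID = "/images/publicLocator/PDF_RequirementstoJoin_ACN_May2015.pdf"


def make_demo_root() -> Path:
    """Constructed download root holding just the PDF named in the report."""
    root = Path(tempfile.mkdtemp())
    pdf = root / LEGIT_ID.lstrip("/")
    pdf.parent.mkdir(parents=True)
    pdf.write_bytes(b"%PDF-1.4 constructed placeholder")
    return root


def resolve_download(root: Path, requested: str) -> Optional[Path]:
    """Map an id= value to a file under root, or None if it would escape.

    The value is treated as relative to root even when it starts with "/",
    and the containment check runs on the fully resolved path, so "../"
    segments and symlinks inside root cannot lead outside it. Only regular
    files are served; directories and missing files yield None.
    """
    if "\x00" in requested:          # NUL would truncate the name in C-level APIs
        return None
    base = root.resolve()
    candidate = (base / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)  # raises if candidate is not under base
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    demo = make_demo_root()
    print(resolve_download(demo, LEGIT_ID))
    print(resolve_download(demo, "../../../../../../../etc/passwd"))
```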

Acknowledgement:



 