Vid Grosek

Expertise

Web Application Security

Q: What is the difference between automated scanning and manual penetration testing?

Automated scanners find known vulnerabilities like outdated software versions. Manual penetration testing finds business logic flaws, authentication bypasses, and chained vulnerabilities that scanners miss. A real attacker uses both — and so should your security assessment.

Q: What vulnerabilities do you test for beyond OWASP Top 10?

Beyond OWASP Top 10, I test for business logic abuse, race conditions, JWT manipulation, OAuth misconfigurations, session fixation, HTTP request smuggling, cache poisoning, and WAF bypass techniques. Modern web applications require testing that goes far beyond standard checklists.

Beyond OWASP Top 10. Logic flaws, vulnerability chains, and attacks scanners don't find.

Authentication is the new perimeter. And it's broken. OWASP Top 10 is a good starting point, but real attacks go beyond that. Logic flaws, authentication misimplementations, and vulnerability chains that turn "low severity" into full account takeover.

Why Scanners Aren't Enough

Automated scanners find approximately 20% of vulnerabilities that an experienced tester finds. Why?

Logic flaws - Scanner doesn't understand your application's business logic
Vulnerability chains - Scanner tests individual vulnerabilities, not combinations
Context - Scanner doesn't know what's "normal" for your application
Authentication - Most scanners poorly test authentication flows

Authentication and Authorization Vulnerabilities

Authentication and authorization are the most common vectors for full application takeover.

Broken Authentication

Credential stuffing - Using stolen credentials from other breaches
Password spraying - Common passwords against many users
Session fixation - Attacker sets session ID before victim logs in
Insecure "Remember Me" - Predictable or persistent tokens
Password reset flaws - Predictable tokens, no time limits, token leakage

MFA Bypass Techniques

MFA isn't a silver bullet. It can often be bypassed:

Response manipulation - Changing server response from "false" to "true"
Direct request - Skipping MFA step by directly accessing protected page
Token reuse - Using an already-used OTP token
Brute force OTP - No rate limiting on OTP input
OAuth flow abuse - Incorrect OAuth implementation allows MFA bypass

Broken Access Control (IDOR)

Most common critical vulnerability. Application doesn't verify if user has rights to access requested resource.

Horizontal privilege escalation - Access to other users' data (change ID in URL)
Vertical privilege escalation - Access to admin functions
Parameter pollution - Adding extra parameters to bypass controls
HTTP method tampering - GET instead of POST to bypass CSRF protection

Injection Vulnerabilities

SQL Injection

Classic but still common vulnerability. Modern techniques:

Second-order SQLi - Payload stored in database, executed later
Blind SQLi - No direct output, but information via time delays or boolean responses
Out-of-band SQLi - Data exfiltration via DNS or HTTP requests
Filter bypass - WAF evasion with encoding, comments, alternative syntax

Server-Side Request Forgery (SSRF)

Attacker forces server to make HTTP request to arbitrary location. Critical in cloud environments:

Cloud metadata - Access to http://169.254.169.254 for AWS/Azure/GCP credentials
Internal services - Access to internal services not exposed externally
Protocol smuggling - Using gopher://, dict:// for attacks on internal services
DNS rebinding - Bypassing IP-based filters

Server-Side Template Injection (SSTI)

When user input ends up in a template (Jinja2, Twig, Freemarker), attacker can execute code:

Detection - {{7*7}} returns 49? Vulnerable.
Exploitation - File reading, command execution, RCE
Sandbox escape - Bypassing template restrictions

Cross-Site Scripting (XSS)

XSS is no longer "just session stealing". Modern techniques enable full account takeover.

Types of XSS

Reflected XSS - Payload in URL, executed immediately
Stored XSS - Payload stored on server, executed for all users
DOM-based XSS - Executed in browser without server involvement
Blind XSS - Payload executed in admin panel, attacker doesn't see output

Advanced XSS Techniques

CSP bypass - Using allowed domain to host payload (JSONP, Angular)
Dangling markup injection - Data theft without JavaScript
XSS to RCE - In Electron apps, admin panels with command execution
Polyglot payloads - One payload works in multiple contexts

Bypassing Protections

Filter evasion - Encoding, case manipulation, null bytes
WAF bypass - Fragmentation, alternative event handlers
Browser quirks - Browser-specific behaviors

Business Logic Vulnerabilities

Most valuable vulnerabilities that scanners cannot find.

Examples

Race conditions - Multiple use of one-time codes (coupons, withdrawals)
Price manipulation - Changing prices in requests
Workflow bypass - Skipping steps in process (payment)
Mass assignment - Adding extra fields (isAdmin=true)
Negative quantities - Ordering -1 items for credit

How I Find Them

Understanding application's business process
Mapping all possible states and transitions
Testing edge cases and unexpected inputs
Testing concurrent requests (race conditions)

WAF (Web Application Firewall) Bypass

WAF isn't a security solution - it's an obstacle that attackers bypass.

Bypass Techniques

Encoding - URL encoding, double encoding, Unicode normalization
Case manipulation - SeLeCt instead of SELECT
Comments - SEL/**/ECT in SQL
HTTP Parameter Pollution - Multiple parameters with same name
Chunked transfer encoding - Payload fragmentation
Content-Type confusion - Sending JSON as form-data

JavaScript Deobfuscation and Analysis

Modern frontends hide logic in obfuscated JavaScript code.

What I Look For

API endpoints - Hidden or undocumented APIs
Hardcoded credentials - API keys, tokens
Client-side validation - Logic that should be on server
Debug code - Console.log with sensitive data
Source maps - Original source code if available

Vulnerability Chains - Real Example

Individual low-severity vulnerabilities combined into critical attack:

Information disclosure - Stack trace reveals internal structure
IDOR - Access to other users' email addresses
Password reset flaw - Token sent in URL instead of body
Reflected XSS - In search function
Combination - XSS steals reset token from Referer header → full account takeover

Result: 4 "medium severity" vulnerabilities = full takeover of any account.

My Approach to Web Application Testing

Understanding the application - Business processes, user roles, sensitive data
Mapping - All functionalities, API endpoints, user flows
Manual testing - Burp Suite, custom tools, creative thinking
Verification - Every vulnerability confirmed with working PoC
Remediation - Concrete recommendations for developers

Need a Web Application Test?

Discover vulnerabilities scanners miss. Manual testing by an OSWE certified expert.

Contact Me