saas-attacks
Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown
Adding new Guest user access misconfiguration in Initial Access section.
Refer: https://github.com/Esonhugh/KubernetesCRInjection. Here are my documents. I think this is a **potential** attack surface in SaaS systems that are based on Kubernetes. After I discussed with some cloud security researchers about...
With the google AMP phishing stuff in the news (https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/) I'm wondering if there isn't a generic technique here? This doesn't feel like it's going to be solved quickly. Perhaps...
https://github.com/mbrg/power-pwn
1) SIM fraud for passwordless SMS logins or MFA bypass 2) Persistence via similar methods by registering an adversary-controlled phone number (as opposed to ghost logins)
While reviewing Expensify for a couple example additions to techniques, I noticed this co-pilot functionality. This is essentially a form of delegating access to other users of the application so...
We currently have mostly 1-2 examples for each technique demonstrating it is valid to a minimum of a proof of concept level. Going forwards, the more examples we have the...
Run through all the techniques left to right to find some quick-win references to add where appropriate e.g. relevant blog posts/tools that are specific to the technique that we haven't...