Bonsai Information Security is providing a new service.
This service aims to raise the security level of applications developed for the Android platform by detecting potential vulnerabilities that could expose the company to risk. Our methodology includes the analysis of file permissions, system processes, databases, system calls, HTTP requests, web services used, and the business logic specific to the application. Possible security breaches detected this way are reported together with strategic recommendations to mitigate them.
For more information:
Posted by lucas.apa. Tags: bonsai, open source, security android, pentest, pentesting android, vulnerability
Recently we found an Open Redirection vulnerability in Twitter. To understand a little more about this class of issue, we can cite OWASP's definition:
“An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.”
The following Proof of Concept was sent to the Twitter security team:
https://twitter.com/login?redirect_after_login=http://www.bonsai-sec.com
After a successful login, the affected user is redirected to http://www.bonsai-sec.com without any warning, allowing possible phishing attacks.
This vulnerability was patched by the Twitter security team last week (after we reported it and got almost no answer from them).
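The fix for this class of bug is to validate the redirect target before issuing the redirect: accept only site-relative paths or absolute URLs whose host is on an allow list, and fall back to a fixed page otherwise. The following is an added example written for this post, not Twitter's code; the parameter name `redirect_after_login` comes from the proof of concept above, while `SITE_ORIGIN`, the allow list and the fallback path are assumptions. It goes slightly beyond the reported case by also rejecting the protocol-relative (`//host`), backslash and `user@host` forms that naive prefix checks tend to miss.

```python
from urllib.parse import urlparse, urljoin

# Assumed values for the example; a real deployment would take these from config.
SITE_ORIGIN = "https://twitter.com"
ALLOWED_HOSTS = ("twitter.com",)
DEFAULT_AFTER_LOGIN = "/home"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on the site.

    Accepts: a site-relative path ("/settings") or an absolute http(s) URL
    whose hostname is exactly one of `allowed_hosts`.
    Rejects: other schemes (javascript:, data:), protocol-relative URLs
    ("//evil"), backslash variants ("/\\evil", which browsers read as "//evil"),
    credentials tricks ("https://twitter.com@evil"), and control characters.
    """
    if not target:
        return False
    # Whitespace and control characters are tolerated by some browsers and
    # can be used to smuggle a different URL past a check; reject outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat "\" like "/" in URLs; normalise before parsing so that
    # "/\evil.com" is seen as the protocol-relative URL it really is.
    candidate = target.replace("\\", "/")
    try:
        parsed = urlparse(candidate)
    except ValueError:
        # e.g. malformed IPv6 literal; not something we want to redirect to
        return False
    if parsed.scheme:
        # Absolute URL: only http(s) and only an exact hostname match.
        # urlparse lowercases .hostname and strips any userinfo, so
        # "https://twitter.com@evil.example" resolves to evil.example here.
        if parsed.scheme.lower() not in ("http", "https"):
            return False
        return parsed.hostname in allowed_hosts
    # No scheme: a netloc means "//host/..." which is still an off-site jump.
    if parsed.netloc:
        return False
    # Must be a single-slash site-relative path.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_redirect(target: str, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return the absolute URL the login handler should redirect to.

    Unsafe or empty targets fall back to `default` instead of being
    passed through, which is what the vulnerable endpoint failed to do.
    """
    if not is_safe_redirect(target):
        target = default
    return urljoin(SITE_ORIGIN + "/", target)


if __name__ == "__main__":
    # Constructed sample inputs, the first one being the proof of concept above.
    for value in ("http://www.bonsai-sec.com", "//www.bonsai-sec.com",
                  "/\\www.bonsai-sec.com", "javascript:alert(1)",
                  "https://twitter.com@www.bonsai-sec.com/", "/settings",
                  "https://twitter.com/settings"):
        print(f"{value!r:45} -> {resolve_redirect(value)}")
```

The same check belongs on every endpoint that redirects from a parameter, not just login; an attacker who finds one unvalidated redirector has all they need for the phishing scenario OWASP describes, so a log entry for each rejected target is also a cheap detection signal.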
Detailed information can be found at: http://www.bonsai-sec.com/en/research/vulnerabilities/twitter-open-redirect-0108.php
Posted by nahuel. Tags: bonsai, security, open redirect, open redirection, OWASP, twitter, url redirection, vulnerability