appsec


A community for all things related to application security.

founded 3 years ago

cross-posted from: https://lemmy.dbzer0.com/post/65113725

https://www.linkedin.com/posts/activity-7436961550927785986-2xH8?rcm=ACoAAFf3VBUBTNIVHgRhuTOBvpuDcfEcxS2ztts

Broken Function Level Authorization in Enterprise Campus Recruitment: A Case Study in BFLA and DPDP Compliance.

Recently, I audited the frontend architecture of Superset, a recruitment SaaS utilized by major Tech and Big Four firms, and identified a critical exposure.

Here is the technical breakdown of the authorization failure:

  1. Metadata Leakage: The platform secures "unlisted" job links using UUIDv4s. However, rendering a public company registration page triggers a background API call for branding metadata. Despite developers using a silent=true parameter to hide this in the UI, basic network telemetry captures the request, exposing the Master Tenant UUID (companyCode).

  2. The Lateral Pivot: Using the leaked companyCode, I queried the public enumeration endpoint: /tnpsuite-core/public/companies/[companyCode]/job-profile-outlines

  3. BFLA Bypass: The API lacks token verification. It blindly trusts the companyCode and returns an unauthenticated JSON array containing hiring outlines for the 2025 and 2026 cycles.

The exposed JSON schema included:

• ctcMin, ctcMax, fixedPay (Proprietary compensation structures)

• publiclyVisible: false (Allowing a temporal bypass to view future vacancies)

• userType: COMPANY_USER including full names and emails of HR leads (A severe compliance violation under Section 8 of the DPDP Act).

Remediation & Next Steps: Complex URLs are not authorization boundaries. Security requires strict logic checks at the function level.

I have privately briefed our affected campus partners so they can initiate vendor-risk remediation. This public disclosure is heavily sanitized strictly to highlight the DPDP compliance gaps in HR tech architecture.

#CyberSecurity #AppSec #BFLA #RiskManagement #DPDP #ThreatIntel #OpenToWork

cc: Superset Data Security Council of India (DSCI) OWASP® Foundation ISACA

My nephew did this. Is he in legal trouble? I don't know Indian law.
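The authorization pattern the quoted post describes, as an added example that is not code from the original post, the submitter, or the vendor named there: a route keyed only on a tenant UUID, beside a hardened version that checks who is calling before deciding which outlines and fields to return. The company code, outline records, session store and field names are constructed for illustration; the real API's schema is not reproduced here.

```python
"""
Added example (not the post's or the vendor's code): Broken Function Level
Authorization modelled as two handlers for a constructed
/companies/{companyCode}/job-profile-outlines route. All data below is made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed tenant id; any unguessable string plays the role of the UUIDv4.
COMPANY_CODE = "3f9c1a2e-7b4d-4c8e-9a10-5d6e7f8a9b0c"

# Constructed hiring outlines: one published, one held back for a later cycle.
OUTLINES = [
    {"id": 1, "cycle": 2025, "role": "SDE-1", "ctcMin": 1200000, "ctcMax": 1800000,
     "fixedPay": 1000000, "publiclyVisible": True,
     "contacts": [{"userType": "COMPANY_USER", "name": "A. Sharma",
                   "email": "a.sharma@example.com"}]},
    {"id": 2, "cycle": 2026, "role": "SDE-2", "ctcMin": 2000000, "ctcMax": 2800000,
     "fixedPay": 1700000, "publiclyVisible": False,
     "contacts": [{"userType": "COMPANY_USER", "name": "B. Rao",
                   "email": "b.rao@example.com"}]},
]

# Constructed session store (token -> principal). A real service would verify a
# signed token instead of looking up an opaque string.
SESSIONS = {
    "tok-hr": {"user_id": "hr1", "company_code": COMPANY_CODE, "role": "COMPANY_USER"},
    "tok-other-hr": {"user_id": "hr9", "company_code": "other-tenant", "role": "COMPANY_USER"},
    "tok-student": {"user_id": "s1", "company_code": None, "role": "CANDIDATE"},
}

# Allowlist of fields an anonymous or cross-tenant caller may see. An allowlist
# is used instead of a denylist so that newly added fields default to hidden.
PUBLIC_FIELDS = ("id", "cycle", "role", "publiclyVisible")


@dataclass
class Response:
    status: int
    body: list = field(default_factory=list)


def vulnerable_outlines(company_code: str, token: Optional[str] = None) -> Response:
    """The pattern described in the post: the handler trusts the tenant id in the
    path and never looks at the caller's identity, so anyone holding the UUID
    receives every outline, including unpublished ones and HR contact details."""
    if company_code != COMPANY_CODE:
        return Response(404)
    return Response(200, OUTLINES)


def hardened_outlines(company_code: str, token: Optional[str] = None) -> Response:
    """Function-level check first, then object-level scoping and field filtering.

    - Staff of the tenant named in the path get the full records.
    - Everyone else (anonymous, candidates, staff of another tenant) gets only
      outlines flagged publiclyVisible, projected onto PUBLIC_FIELDS.
    """
    if company_code != COMPANY_CODE:
        return Response(404)

    principal = SESSIONS.get(token) if token else None
    is_tenant_staff = (
        principal is not None
        and principal["company_code"] == company_code
        and principal["role"] == "COMPANY_USER"
    )
    if is_tenant_staff:
        return Response(200, OUTLINES)

    public = [
        {k: o[k] for k in PUBLIC_FIELDS}
        for o in OUTLINES
        if o["publiclyVisible"]
    ]
    return Response(200, public)


if __name__ == "__main__":
    print("vulnerable, anonymous:", vulnerable_outlines(COMPANY_CODE).body)
    print("hardened, anonymous:  ", hardened_outlines(COMPANY_CODE).body)
    print("hardened, tenant HR:  ", hardened_outlines(COMPANY_CODE, "tok-hr").body)
```

The point of the contrast is that the hardened handler treats the UUID purely as a lookup key: possession of it changes nothing about what the caller is allowed to read, which is what "complex URLs are not authorization boundaries" means in practice. A caller with a valid session for a different tenant is deliberately given the same view as an anonymous caller.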

DevSecOps Home Lab | DSB (www.devsecblueprint.com)
submitted 6 months ago by N7x@infosec.pub to c/appsec@infosec.pub
HTTP/1.1 Must Die (www.youtube.com)
submitted 7 months ago by N7x@infosec.pub to c/appsec@infosec.pub

Found this interesting list: https://list.latio.tech/

On the open source side, there is https://www.dependencytrack.org/


If you're interested in a way to implement Zero Trust principles like least-privilege access or make your access policies more granular without creating code bloat this is something to check out.

Cerbos Hub externalizes application permissions (RBAC/ABAC) and makes it easier to write and maintain fine-grained access policies without falling into a slow doom spiral of spaghetti code.

You write your policies in a central repo, and deploy as many containerized policy decision points as you need alongside the relevant services in your application. Policy checks are an API call. No single point of failure or lag issues.

You can maintain and monitor distributed policy decision points from one place. Make changes in Hub once and the changes are deployed everywhere. It supports PDPs deployed in serverless environments, at the edge or on device. There's a collaborative policy playground to write and test your policies. It has a central audit log of all the policy decisions that take place across your application.


cross-posted from: https://infosec.pub/post/8123190

Hello everyone,

I work in appsec, my manager would like to send us to a conference this year. We are based in Europe, and the company would like to across intercontinental travel.

I have OWASP Global 2024 in Lisbon on my radar, as well as the BlackHat EU in London, is there any other conference you guys would recommend?
