SecuritySetu

@SecuritySetu

Followers
16
Following
48
Media
11
Statuses
54

Technical Tweets At Intersection Of Cybersecurity+AI

Joined August 2023
@SecuritySetu
SecuritySetu
2 years
Thread on the BOLA vulnerability, which is one of the access control vulnerabilities identified in the OWASP API Top 10. #CyberSecurity #vulnerability
@SecuritySetu
SecuritySetu
2 years
Have you heard about BOLA? 🤔 No, no, it's not a virus or a bad guy in a movie. #CyberSecurity #CISO #API #Security #infosecurity
0
0
1
@SecuritySetu
SecuritySetu
2 years
CAPTCHAs provide a bad user experience, as the complexity of CAPTCHA challenges has increased over time while bots' ability to solve them has evolved. Cloudflare Turnstile is an alternative solution that provides a better user experience without compromising security. @Cloudflare #security
@SecuritySetu
SecuritySetu
2 years
Have you heard about Cloudflare Turnstile? 🤔 If you have used or solved a CAPTCHA, then you should be aware of this new technology. #CAPTCHA #CyberSecurity #Cloudflare @Cloudflare
0
0
3
@SecuritySetu
SecuritySetu
2 years
The table below summarizes the human CAPTCHA solving time (in seconds) and accuracy of different modern and popular CAPTCHA vendors, as documented in different studies.
Tweet media one
0
0
0
@SecuritySetu
SecuritySetu
2 years
On the other hand, it has really become important for security vendors to innovate, in order to provide a CAPTCHA service with a good user experience, minimal friction and lower cost, but without compromising security.
1
0
0
@SecuritySetu
SecuritySetu
2 years
So it becomes important for website owners to evaluate CAPTCHA vendors not only on security and cost, but on the user experience front as well.
1
0
0
@SecuritySetu
SecuritySetu
2 years
For example, website owners generally protect signup and login pages by including a CAPTCHA challenge before users can take an action through these pages. Hence a website protected by a CAPTCHA with a bad user experience will have an overall bad user experience.
1
0
0
@SecuritySetu
SecuritySetu
2 years
Malicious bots pose significant challenges and dangers for websites by performing nefarious activities at scale, like creating fake accounts, fake comments and reviews, consuming scarce resources, etc. For nearly two decades, CAPTCHAs have been widely used as a means to protect against bots.
1
0
0
@SecuritySetu
SecuritySetu
2 years
Website owners put significant effort (in terms of time and money) into having a good user experience for their end users.
1
0
0
@SecuritySetu
SecuritySetu
2 years
A website with a poor user experience will face higher user abandonment, leading to fewer signups, logins, etc., and hence potential business loss. #Hacking #Bot #CyberSecurity #cyberattacks #userexperience #ux #WebsiteDevelopment #ciso
1
0
0
@SecuritySetu
SecuritySetu
2 years
The table below summarizes human vs. bot solving time and accuracy as documented in different studies. #research #CyberSecurity #CISO #botmitigation #Bot
Tweet media one
0
0
2
@SecuritySetu
SecuritySetu
2 years
Popular CAPTCHA tasks currently include object recognition (e.g., “select squares with …”), parsing distorted text, puzzle solving (e.g., “slide the block …”), and user behavior analysis. Google reCAPTCHA, @hCaptcha, @ArkoseLabs and @GeetestOfficial are the major CAPTCHA vendors.
1
0
1
@SecuritySetu
SecuritySetu
2 years
For nearly two decades, CAPTCHAs have been widely used as a means to protect against bots. With the increase in CAPTCHA usage, techniques to bypass CAPTCHA defences have continued to evolve and improve.
1
0
1
@SecuritySetu
SecuritySetu
2 years
Malicious bots pose significant challenges and danger for websites by performing nefarious activities at scale, like:
1. Creating fake accounts
2. Scraping content at scale
3. Posting fake comments and reviews
4. Consuming scarce resources
#cybersecuritytips #captcha #ciso #Security
1
0
1
@SecuritySetu
SecuritySetu
2 years
Here is the end!! Hope you like it. Follow @securitysetu
0
0
0
@SecuritySetu
SecuritySetu
2 years
4. Penetration testing.
5. Obfuscating and randomizing object identifiers like user ID, customer ID, etc.
6. Use API security service providers for an added layer of security.
1
0
1
@SecuritySetu
SecuritySetu
2 years
Ways to mitigate:
1. Implement a robust access control system which rigorously checks a user's access to a resource.
2. Apply the user access check in all eligible API endpoints using middleware.
3. Use robust unit testing to ensure that code is automatically tested before deployment.
1
0
1
@SecuritySetu
SecuritySetu
2 years
Main reasons for the BOLA vulnerability:
1. No authorization check implemented in the API endpoint logic by a newbie developer.
2. Complex business logic.
3. Rapidly evolving APIs and improper testing.
4. Large number of API endpoints.
1
0
1
@SecuritySetu
SecuritySetu
2 years
Ideally, the API logic should verify that the user requesting the deletion is the same as the one who uploaded the video. Otherwise a user can delete another user's blog by changing the <blog-id>. If this check is not done, then the endpoint is vulnerable to BOLA.
1
0
1
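The missing ownership check described in this tweet, as an added example that is not part of the original thread: a BOLA-vulnerable "delete blog" endpoint next to a hardened one where the check is applied through a middleware-style decorator (mitigation 2 from the thread), with random object ids as the defence-in-depth measure from mitigation 5 and a small attack simulation that can serve as the unit test from mitigation 3. The store layout, the two sample users and every function name are assumptions for illustration; no web framework is used, so handlers receive the caller's identity directly instead of reading it from a session.

```python
"""Added example, not code from the SecuritySetu thread: a BOLA-vulnerable
"delete blog" endpoint beside a hardened one that enforces ownership through
a middleware-style decorator, plus non-sequential ids as defence in depth.
fresh_store, delete_blog_insecure, require_owner, delete_blog, create_blog
and simulate_attack are illustrative names; no web framework is used, so the
functions take the caller's identity directly instead of reading a session."""
import uuid
from functools import wraps


class NotFound(Exception):
    """Raised for a missing object, and (deliberately) also for an object the
    caller does not own, so responses do not reveal which ids exist."""


def fresh_store():
    # Constructed sample data: two users, each owning one blog post.
    # Sequential ids make guessing another user's <blog-id> trivial.
    return {
        "1": {"owner": "alice", "title": "Alice's first post"},
        "2": {"owner": "bob", "title": "Bob's first post"},
    }


def delete_blog_insecure(current_user, blog_id, store):
    """Vulnerable endpoint: the caller is authenticated, but the code never
    checks that current_user owns blog_id. Any user can delete any post by
    changing the id in the request (BOLA, OWASP API Top 10 API1)."""
    if blog_id not in store:
        raise NotFound(blog_id)
    del store[blog_id]
    return True


def require_owner(fn):
    """Middleware-style decorator: loads the object and refuses the call
    unless the caller owns it. Wrapping every endpoint that takes an object
    id keeps the check out of individual handlers, where it is easy to forget."""
    @wraps(fn)
    def wrapper(current_user, blog_id, store):
        obj = store.get(blog_id)
        if obj is None or obj["owner"] != current_user:
            raise NotFound(blog_id)
        return fn(current_user, blog_id, store)
    return wrapper


@require_owner
def delete_blog(current_user, blog_id, store):
    """Hardened endpoint: this body runs only after the ownership check."""
    del store[blog_id]
    return True


def create_blog(owner, title, store):
    """Mitigation 5 from the thread as defence in depth: a random 128-bit id
    cannot be enumerated by incrementing. It does NOT replace the ownership
    check above; ids still leak through links, logs and referrers."""
    blog_id = uuid.uuid4().hex
    store[blog_id] = {"owner": owner, "title": title}
    return blog_id


def simulate_attack(endpoint):
    """Bob, authenticated as himself, tries to delete Alice's post "1".
    Returns True if the deletion went through, i.e. the endpoint is vulnerable.
    Running this against every object-id endpoint is the kind of automated
    test the thread asks for before deployment."""
    store = fresh_store()
    try:
        endpoint("bob", "1", store)
    except NotFound:
        pass
    return "1" not in store


if __name__ == "__main__":
    print("insecure endpoint vulnerable:", simulate_attack(delete_blog_insecure))
    print("hardened endpoint vulnerable:", simulate_attack(delete_blog))
```

The decorator answers "not found" for both a missing object and a foreign one; answering 403 for the latter would confirm that the guessed id exists, which is exactly the enumeration signal an attacker probing for BOLA wants.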