Yelp Deconstruction

Deconstructing www.yelp.com is harrowing. They use Pyramid which is a python framework. They have their own internal CDN (yelpcdn) as well as using an external CDN with fastly. They have their own flavor of GraphQL that uses their homemade Server Driven UI called CHAOS that integrates with their flavor of GraphQL throughout their mobile app and maintains backwards compatibility with other services. It is a microservices house. Burp Proxy says they also use cookielaw.cdn and they batch their GraphQL api calls all in one go initially on loading the webpage. I learned a bit about GraphQL but they are an extremely hardened target with a company that has been around since 2004. I figured I try my luck with some basic cross side scripting on a vendor login form field but no luck. I got any api endpoint that I tried fuzzing with ffuf but no luck I got a bunch of 403's. I don't know what else to do but keep exploring the site and learning about GraphQL. There is a whole host of GraphQL vulnerabilities with denial service by making big queries but they don't reward denial of service and ask you politely not to.

Comments

Post a Comment

Popular posts from this blog

Knowing how to pivot is important in OSINT it seems and to go from a wide scope to a narrower scope. Pivot charts are useful to collect information of results from selectors, each pivot being a resultant node of information. Going from a wide search to a narrower search is like the goldilock's effect, a little too wide and you lose focus but too focused you can lose out on other wider details. All sources state that methdology trumps tools and the focus early on in an OSINT career is to develop your methodology like knowing how to pivot and knowing the intelligence cycle. Being nimble and flexible in your search queries is important to hone your searches using Google as a primary tool to locate information. You just have to Google it. You Google to find tools like websites that facilitate investigations. It seems that Rae Baker, the author of Deep Dive into OSINT, is adept at using Google to serve her needs though she stresses the importance of methodology. Cynthia Hetherington of ...
Read more
Being in California I have seen plaques from the native sons of the golden west and thought nothing about them at the Burlingame train station. They seemed like a benign fraternity but if you dig a little deeper into their history you realize they were like California's KKK chapter against the Japanese. They really hated the Japanese and wanted to expel them from California as if the Japanese were vermin in the early 20th century. Native sons of the golden west go way back into the 1800's and their anti-japanese stance existed at the moment it seems that Japanese immigrants arrived in the late 1800's. They wanted to end birth right citizenship for Japanese Americans who were born in America. This echoes today with Republicans questioning birth right citizenship and considering getting rid of it. The hostilities towards Japanese immigrants resonants today with the attack on the newly arrived Latinx immigrants. The zenophobia is always an old trope that seems to never end wit...
Read more
My learning methods are flawed. I am not doing spaced retrieval exercises which is supposedly the most effective means of learning. Spacing out what you retrieve from memory of your reading is time tested the best way. I tend to read and reread which is ineffective and I don't force myself to sit away from the text and try to remember everything I have just read. It is like dyeing cloth. You dip the cloth in the dye over and over again and the coloration gets more and more saturated and radiant. Spacing the time you remember what you have learned repeatedly ,spaced repetition, is important and I have to practice this more.
Read more