The H1-212 CTF Writeup

It was a nice experience, so let’s have a look at how I cracked the H1-212 CTF. I was reading about H1-212 on hackerone.com/blog and got to know the server IP and host. I found that you can’t browse the host, so I thought why not try using acme.org as the host, as it was already hosted on … 


How I got $22000 worth of Ethereum

Hello guys, today I’m writing a blog post after a long time: how I got $22000 by pwning a website. Since it’s a private program I can’t disclose the name, so I’ll be using example.com to explain how I exploited blind XSS to pwn the website. I was doing the monkey test on the name field to … 


Stored XSS to Full Information disclosure

Hello pals, during research on terapeak.com I found that the Bulk Research name field is vulnerable to XSS. Note: you need to subscribe to a Terapeak Professional account. POC:

After digging more I found that with that token you can get the full information of that user, such as email address, full name, member ID, subscription type, and other info as well … 


IDOR – Execute JavaScript in anyone’s account

Hey guys, new blog post about a critical IDOR issue I found in terapeak.com that allows attackers to change any user’s information and delete any saved bulk search remotely from their own account by just changing the token ID in the PUT and DELETE requests. The request to change and save search info looks like:

… 


All About Hackerone Private Program Terapeak

Hi folks!! Here is a new blog post – all about the Hackerone private program Terapeak. One day I got a private invitation from Hackerone and started digging into it, as I was trying to come back to bug bounty. I thought this was the right time to get some reputation. After spending some time I found some XSS, … 


Multiple vulnerabilities in Oracle EBS

I’m writing about multiple vulnerabilities that were found while testing for a private program. I would like to thank dlitchfield for the XSS and SQLi. After enumeration I got to know that xyz.com was using Oracle EBS, so I found multiple vulnerabilities in it. SQL Injection Description: It was observed that the page biccfgd2.jsp is vulnerable to … 


SVG XSS in UniFi v5.0.2

This is another finding in the UniFi Controller. Description: I found a persistent XSS vulnerability in the UniFi Controller that allows attackers to steal users’ cookies, perform CSRF attacks against the victim’s account, or carry out phishing attacks. This vulnerability occurs because the page allows SVG attachments that contain “xmlns=http://www.w3.org/1999/xhtml”, so the page will render the content of the … 


Stored XSS in UniFi v4.8.12 Controller

I’m writing about a stored XSS that I found in the UniFi Controller v4.8.12. Description: The XSS happens in the admin page of the UniFi Controller v4.8.12 (stand-alone or CloudKey). In this exploit it was possible to inject HTML and JavaScript content into the admin page. The attack required the attacker to have valid credentials, so … 


SWF XSS (DOM-based XSS)

Hey folks, I was working on UBNT for bounty and I found several XSS there, so I’m sharing one of the cool ones.

In the above code, the FlashVar parameter “bridgeName” is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed … 


XSS filter bypass in Yahoo dev.flurry.com

Hi, I want to share another finding of mine, a Yahoo XSS filter bypass, which I reported to them in Dec 2014. While researching and working on Yahoo bug bounties I found some cool XSS. This is not the actual filter bypass; I just found a way to enter JavaScript and run it. This is …