Hello folks! This time I want to tell you the story of how I gained access to some admin functionality and leaked some sensitive info using ffuf, Burp, my eyes, and my brain :). Fuzzing Let’s call the target “redacted.com”. I started fuzzing the target with ffuf and found an /admin endpoint, https://redacted.com/app/admin, which displayed: “Sorry you’re…
From AngularJS CSTI to credentials theft
Hello again! This time I will tell you about an easy way of stealing credentials. I was doing some recon on some sites and stumbled upon a site with a login form. I checked Wappalyzer and saw the site was using Angular 1.1.3. I immediately put the {{7*7}} payload in the login form and pressed the…
The story of exposed service, SSRF, CSP bypass and credentials stealing via XSS
Hello there! Another day, another bug 🙂 I started looking at the portal at redacted.com. The portal was written in PHP, so I started fuzzing it a bit with ffuf. Due to rate limiting this took some time. I found an endpoint called /resize. When I requested it I saw just: [img] Must set src-attribute….
“Hacking” the hotel room TV
Hello everyone! It’s been a while since my last post. Holiday time :). This post is about a hacking experience from that time. I was staying in a hotel in sunny Portugal and, after a long day of sightseeing, I decided to watch another episode of the “The Dropout” series. So I connected my Amazon…
Broken links hijacking and CDN takeover
Hello again! This time I want to tell you about the broken link hijacking technique, which I decided to give a chance after reading some blog posts about it. The whole process consists of grabbing all the external links from the site and checking whether they point either to a non-existent domain (NXDOMAIN) or to some domain…
How I found multiple critical bugs in Red Bull
Auth misconfiguration One afternoon I decided to try my luck on the Red Bull VDP program. I gathered the subdomains and looked at the interesting ones in the browser. I opened one of them, let’s call it subdomain.redbull.com, and saw a web interface that looks like this: I tried Local login and some default credentials…
Chaining multiple vulnerabilities for credential stealing
Once upon a time in a far, far hackalaxy…. there was a login form built with AngularJS. This story is about how I managed to steal credentials using Angular template injection, POST-based XSS, and a CSRF protection bypass. I can’t disclose the real target, so I’ll call our target redacted.com. Angular template injection I visited https://subdomain.redacted.com and…
Blind account takeover
In this story, I’m gonna tell you how I was able to take over an account due to a lack of server-side email verification. To register an account, the user had to enter an email and then received an activation link. This functionality was available on the main site. I entered the email, got the…
Turning cookie based XSS into account takeover
The cookie-based XSS One evening I started hunting on the Terrahost Bug Bounty program. I was testing the terrahost.no main domain. There was a flow where I could choose a service, then register an account and place an order. So I did that. I chose Virtual Hosting and entered all the data – username, address,…
Blind OS command injection
Hi dear readers. This story is about how I found a command injection that led to RCE, getting a “Thank you” in return :). I was hunting on a target I found via a Google dork. There was a functionality that checked the SPF records of a given domain. To clarify, a Sender Policy Framework (SPF) record is…