Hello everyone! It’s been a while since my last post. Holiday time :). And this post will be about some hacking experience from that time. I was staying in a hotel in sunny Portugal and, after a long day of travelling, I decided to watch another episode of the series “The Dropout”. So I connected my Amazon…
Broken links hijacking and CDN takeover
Hello again! This time I want to tell you about the broken link hijacking technique, which I decided to give a chance after reading some blog posts about it. The whole process consists of grabbing all the external links from the site and checking whether they point either to a non-existent domain (NXDOMAIN) or to some domain…
How I found multiple critical bugs in Red Bull
Auth misconfiguration. One afternoon I decided to try my luck on the Red Bull VDP program. I gathered the subdomains and looked at the interesting ones in the browser. I opened one of them, let’s call it subdomain.redbull.com, and saw a web interface, which looked like this: I tried Local login and some default credentials…
Chaining multiple vulnerabilities for credential stealing
Once upon a time in a far, far hackalaxy… there was a login form built with Angular. This story is about how I managed to steal credentials using Angular template injection, POST-based XSS, and a CSRF protection bypass. I can’t disclose the real target, so I’ll call our target redacted.com. Angular template injection. I visited https://subdomain.redacted.com and…
Blind account takeover
In this story, I’m gonna tell you how I was able to take over an account due to a lack of server-side email verification. To register an account, the user had to enter an email address and then received an activation link. This functionality was available on the main site. I entered the email, got the…
Turning cookie based XSS into account takeover
The cookie-based XSS. One evening I started hunting on the Terrahost bug bounty program. I was testing the terrahost.no main domain. There was functionality where I could choose a service, then register an account and place an order. So I did that. I chose Virtual Hosting and entered all the data – username, address,…
Blind OS command injection
Hi, dear readers. This story is about how to find a command injection that leads to RCE, getting a “Thank you” in return :). I was hunting on a target I found via a Google dork. There was functionality that checked the SPF records of a given domain. To clarify, a Sender Policy Framework (SPF) record is…
Five-minute hunting for hidden XSS
One night I was about to go to sleep; however, I set myself the goal of finding a bug within a maximum of 15 minutes. I did some Google dorking like this: site:*.target.com ext:php I found a site with an admin panel on it. I tried to log in with some common credential combinations such as admin/admin,…
URL filter bypass, RFI and XSS
In this story, I’ll tell you how I was able to bypass a URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can’t reveal the target, let’s call it redacted.com. Using waybackurls on the target, I found the following URL: http://emp.redacted.com/embed.html?playlist=https://playlists.redacted.com/sport/0/football/34232917A/playlist.sxml The playlist parameter was the…
The forgotten API and XSS filter bypass
On one site I found a forum section. There was an option to join some groups and then create posts in the group. I created an account, joined an open group, and then created a post with the payload: <img src=x onerror=alert(1)> Nothing happened; the user input was properly sanitized. I tried URL encoding, double…