
Bergee's Stories on Bug Hunting

hacking, cyber security and programming


A Little Break from Bug Bounty – I Made a Word Search Game!

2025-04-11

Hey everyone! While most of my blog posts tend to revolve around Bug Bounty and cybersecurity topics, today I’m taking a little detour to share something different – a fun side project I’ve been working on. I recently launched a simple word-based logic game: WordSearchPuzzleGame.com. It’s a classic word search puzzle, playable right in your…


How I hacked XXXX for fun and !profit

2025-02-09

I am a little bit late but Happy New Year 🙂 In the beginning of the year I decided to hack one company, let’s call it XXX as I can’t give the real name. The company is running a VDP program and offers only letters of appreciation. So I wanted to get one. I started my…


Accessing admin panel with fuzzing, digging and guessing

2024-10-16

Hello folks. This time I want to tell you the story of how I gained access to some admin functionalities and leaked some sensitive info using ffuf, Burp, my eyes, and brain :). Fuzzing: Let’s call the target “redacted.com”. I started fuzzing the target with ffuf and found an /admin endpoint https://redacted.com/app/admin which displayed: “Sorry you’re…


From AngularJS CSTI to credentials theft

2024-07-03 / 2024-07-04

Hello again. This time I will tell you about the easy way of credentials theft. I was doing some recon on some sites. I stumbled upon a site with a login form. I checked Wappalyzer and saw the site is using Angular 1.1.3. I immediately put the {{7*7}} payload in the login form and pressed the…


The story of exposed service, SSRF, CSP bypass and credentials stealing via XSS

2024-03-20 / 2024-03-22

Hello there. Another day, another bug 🙂 I started looking at the portal at redacted.com. The portal was written with PHP so I started fuzzing it a bit with ffuf. Due to rate limiting this took some time. I found the endpoint called /resize. When I entered it I saw just: [img] Must set src-attribute….


“Hacking” the hotel room TV

2023-09-14

Hello everyone. It’s been a while since my last post. Holiday time :). And it will be some hacking experience from that time. I was living in a hotel in sunny Portugal and after a long day of tripping, I decided to watch another episode of the “The Dropout” series. So I connected my Amazon…


Broken links hijacking and CDN takeover

2023-02-28 / 2023-03-01

Hello again. This time I want to tell you about the broken links hijacking technique which I decided to give a chance after reading some blog posts about it. The whole process consists of grabbing all the external links from the site and checking if they point to either non-existent (NXDOMAIN) or to some domain…


How I found multiple critical bugs in Red Bull

2022-12-26 / 2023-12-24

Auth misconfiguration: One afternoon I decided to try my luck on the Red Bull VDP program. I gathered the subdomains and looked at interesting ones in the browser. I opened one of them, let’s call it subdomain.redbull.com, and I saw some web interface, which looks like this: I tried Local login and some default credentials…


Chaining multiple vulnerabilities for credential stealing

2022-10-25 / 2023-07-13

Once upon a time in far, far hackalaxy…. there was a login form built with Angular. This story is about how I managed to steal credentials using Angular template injection, post-based XSS, and CSRF protection bypass. I can’t disclose the real target so I call our target redacted.com. Angular template injection: I’ve visited https://subdomain.redacted.com and…


Blind account takeover

2022-09-25

In this story, I’m gonna tell you how I was able to take over an account due to a lack of server-side email verification. To register an account, the user had to enter an email and then got the activation link. This functionality was available on the main site. I entered the email, got the…

  • Turning cookie based XSS into account takeover
  • Blind os command injection
  • Five-minute hunting for hidden XSS
  • URL filter bypass, RFI and XSS
  • The forgotten API and XSS filter bypass
  • XSS via Angular Template Injection
  • Breaking things legally for fun and profit

Hackers' playground


https://www.tryhackme.com
https://www.pentesterlab.com
https://www.hackthebox.com
https://portswigger.net/web-security/all-labs