I am a little bit late but Happy New Year 🙂 In the beginning of the year I decided to hack one company, let’s call it XXX as I can’t give the real name. The company is running VDP program and offers only letters of appreciacion. So I wanted to get one. I started my…
Category: vdp
From AngularJS CSTI to credentials theft
Hello again This time I will tell you about the easy way of credentials theft. I was doing some recon on some sites. I stumbled upon a site with the login form. I checked Wappalyzer and saw the site is using Angular 1.1.3. I immediately put {{7*7}} payload in the login form and pressed the…
How I found multiple critical bugs in Red Bull
Auth misconfiguration One afternoon I decided to try my luck on the Red Bull VDP program. I gathered the subdomains and looked at interesting ones in the browser. I opened one of them let’s call it subdomain.redbull.com and I saw some web interface. Which looks like this: I tried Local login and some default credentials…
Blind os command injection
Hi dear readers. This story is about how to find command injection, which leads to RCE getting “Thank you” in return :). I was hunting on one target I found via google dork. There was a functionality that was checking SPF records of the given domain. To clarify, a sender policy framework (SPF) record is…
Five-minute hunting for hidden XSS
One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this: site:*.target.com ext:php I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin/admin,…
URL filter bypass, RFI and XSS
In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can’t reveal the target let’s call it redacted.com. Using waybackurls on the target I found the following URL: http://emp.redacted.com/embed.html?playlist=https://playlists.redacted.com/sport/0/football/34232917A/playlist.sxml The playlist parameter was the…
The forgotten API and XSS filter bypass
On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload: <img src=x onerror=alert(1)> Nothing happened the user input was properly sanitized. I tried URL encoding, double…
XSS via Angular Template Injection
This time I have a story about several XSS bugs I found across several programs. This type of XSS is called CSTI XSS (Client Side Template Injection) which means that the attacker can inject the javascript code inside the template language used by the client side technology. The modern client-side frameworks such as Vue, React…