Bergee's Stories on Bug Hunting

Hi dear readers. This story is about how to find command injection, which leads to RCE getting “Thank you” in return :). I was hunting on one target I found via google dork. There was a functionality that was checking SPF records of the given domain. To clarify, a sender policy framework (SPF) record is…

One night I was about to go to sleep, however, set the goal of finding the bug within a max of 15 minutes. I did some google dorking like this: site:*.target.com ext:php I found the site with an admin panel on it. I tried to log in with some common credentials combinations such as admin/admin,…

In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can’t reveal the target let’s call it redacted.com. Using waybackurls on the target I found the following URL: http://emp.redacted.com/embed.html?playlist=https://playlists.redacted.com/sport/0/football/34232917A/playlist.sxml The playlist parameter was the…

On one site I found the forum section. There was an option to join some groups and then create posts in the group. I created an account, joined some opened group, and then created the post with the payload: <img src=x onerror=alert(1)> Nothing happened the user input was properly sanitized. I tried URL encoding, double…

This time I have a story about several XSS bugs I found across several programs. This type of XSS is called CSTI XSS (Client Side Template Injection) which means that the attacker can inject the javascript code inside the template language used by the client side technology. The modern client-side frameworks such as Vue, React…