Posts

User Account Takeover [Password Change]— Nice Catch!

Writeup By Rohit Kumar. Image Credits: Record Future

Ever thought about how you are implementing and passing data from the form to your queries? Are you doing it dynamically?

Summary: In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short; I will not take much time.

About Target: The target was from a private program, so let’s assume the target is site.com.

Reproduction steps: Log in to your site.com account. Navigate to https://www.site.com/users/[user_id]/edit. Now you will see a form which allows you to edit your account details, and there is also another option to change your current password, which requires your old password, but this can be bypassed easily. Now, for bypassing this change password feature, just edit your account details and then submit this request, and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_name] // For c

Reflected XSS in Zomato

Writeup By Sudhanshu Rajbhar

Heyy Everyonee, in this writeup I am going to tell you how I was able to get XSS in Zomato. I will tell the whole story of how I found the vulnerable parameter. Actually, at that time I was reading a book, “Mastering Modern Web Penetration Testing” (you can get it on Amazon), and from there I got to know about a website named wolframalpha which we can use for subdomain enumeration. I just thought of giving it a try, so I entered zomato.com in the search bar and it gave me around 10 subdomains. It also shows the “daily visitors” of a particular subdomain; that’s a great option if you are looking for less visited areas. So the last domain from the list caught my attention, as its visitors were far fewer compared to the others. Source: https://www.wolframalpha.com/input/?i=zomato.com I opened secretx.zomato.com, and all I could see was a button, “sign in with Zomato”. I checked the source code, nothing interesting. I clicked on the

SQL Injection In Bugcrowd's Private Program


From Hunting for a Laptop to Hunting down Remote Code Execution

Write-Up By Anil Tom

It was another ordinary day. I came home from the office and was chatting with my roommates, when one of my friends called up and told me he wanted to buy a new laptop and needed some suggestions. So I went online and began hunting for laptops that met his requirements. I was reading about one of the Asus ROG models, when suddenly the Bug Hunter in me woke up and I asked myself why I shouldn’t recon the Asus website. So I began my recon of the website, and spent a whole night looking for a bug on their main domain and did not find anything… The next morning I went to my office, but my mind was still on the Asus bug hunt. That evening I got a notification on my mobile that there was an update for the Termux app. And suddenly my Bug Hunter senses tingled, and I thought, “Why don’t you run a sublister against asus.com on the mobile?” I randomly selected one of Asus’ sub-domains, specifically http://stw.asus.co

A Unique XSS Scenario in SmartSheet || $1000 bounty.

TLDR: This is a writeup of a recent bug which I found in Smartsheet. It was a stored XSS, but the way it was getting triggered was really great from the perspective of hackers: JS was getting executed when any user clicked on the malicious notification, and this could let any user take over any account (with vertical and horizontal privileges), which increased the severity of the bug. The security team of the program was very professional and understood the scenario very well. Before we move forward, I’d really like to thank the Smartsheet security team for this coordinated disclosure.

Hello guyzz!!! Thanks for your support and blessings. I hope you all are doing fine and are excited to read about this writeup because of the click-bait title. So without wasting any more time, let’s get straight into it. It’s only been 2–3 months since I started bug bounty. Before that I used to spend most of my time on hackthebox.eu and play CTFs; back then I ha