Post

🐞 Found HTML Injection ? Don’t Stop There. Most bug bounty programs label HTML Injection as Low or Medium severity 🤷‍♂️ Why? Because on its own, it’s often considered low impact and non-exploitable. But what if HTML Injection alone could be escalated to HIGH severity 🚨 — By exfiltrating sensitive data using only CSS, with no JavaScript or XSS? Assume there are 2 roles in web application which is vulnerable to HTML Injection — guest, admin....

Zoho QEngine is a test automation software to test your code on various devices & browsers before they get released. 🚀 One of its handy functions is openURL(), which lets you load a test URL in a supported browser like Chrome. Sounds neat, right? But as a security researcher, I couldn’t resist digging a bit deeper. 😏 🛠️ First Stop: Common SSRF Attack Vectors Initially like all security researchers, My intinct was to test for good ol’ SSRF test cases & check if, I am able to access their internal services or cloud metadata urls 169....

Long story short, We have a private WhatsApp/Telegram group which includes renowned infosec people & law enforcement officials from Tamil Nadu. I received a notification that, there is a new ongoing attack where victim when visited to a malicious site are being redirected to cybercrime.gov.in in a new pop-up window & made to pay fine to cybercrime.gov.in as shown in picture below. Note: At this point of time I had no direct contact with victim, nor have any other additional information....

Debugging Java web servers in an on-premise environment is crucial for pentesting and source code reviews. It’s possible to easily decompile java based apps using tools like JD-GUI. Often during dynamic analysis, we feel that, there’s a need to debug the application at runtime as if we had the source code, by placing breakpoints. Assuming that we do not have the source code, How do we debug Java based On-Premise Webservers ?...

ManageEngine OpManager is a powerful network monitoring software that provides deep visibility into the performance of your routers, switches, firewalls, load balancers, wireless LAN controllers, servers, VMs, printers, and storage devices. OpManager has tools like ping, traceroute etc which authenticated users can access via Web UI. Let’s take our attacker scenario using the ping tool provided in the Web UI of OpManager. The API request used for ping tool is — https://OpManager:8061/client/api/json/tools/getPing?...

Bing Maps allows users to create a collection and add places to those collections as shown below. The request & response to create a collection is as follows — You can notice that, there are no CSRF tokens present in the request, also notice that the Method & the Content-Type are POST & text/plain respectively. As this is a simple HTTP request, we are saved from preflight request & CORS checks....

In this article let’s learn about how to fuzz IoT protocols such as modbus using boofuzz, a open source fuzzing framework which can fuzz most of IoT protocols using TCP, UDP, SSL or even Serial protocols. Modbus TCP has following format— Transaction ID (2 Bytes) Protocol ID (2 Bytes) — Protocol ID is always 0000 as per modbus protocol definition Length (2 Bytes) — Value is calculated by amount of bytes from Unit ID to Function Dependent Data Unit ID/Device ID (1 Byte) Function Code (1 Byte) Function Dependent Data (No of Bytes depends on Function Code Used, for example For Reading Coils from Memory it’s usually 4 bytes) For detailed description of modbus protocol format refer here....

Torrent Trails: Unmasking Your Torrent Downloads with IP Address Public IP address is mostly assigned static to each unique person by an ISP in most of the cases. Few ISP might allocate single IP to multiple persons or allocate IP’s dynamically. (In these cases this technique might not work correctly) Okay, what can a attacker accomplish by knowing public ip address of the victim ? –> Read my detailed blog here ....

XS-Leaks — These are class of vulnerabilities derived from side channel attack. Although browsers have security features like SOP, which prevents access to data of websites from different origin. Browsers support various interactions between different web applications such as embedding a image, loading a sub-resource, postMessage, navigation to different websites etc XS-Leaks exploit small pieces of information that are exposed during interactions between websites, despite the security mechanisms in place to constrain these behaviors....

Few days ago, while I was exploring browser based bugs, I read a article over internet explaining about a path traversal vulnerability in Safari browser using Save Page As Feature. The file name was generated from content of tag. If title tag contained ../characters, The file could be saved in a directory other than desired or default Downloads directory. (If anyone finds the article, feel free to mention the article link in comments)...