Blind SSRF in Skype (Microsoft)

Server Side Request Forgery is a vulnerability that allows an attacker to make the server send a request to an attacker-controlled network location/path. While analyzing requests in Burp for Skype for Web, I found an endpoint at *.*.skype.com/path?url=https://example.com. As the url param appeared interesting, I tried changing the URL to my ngrok instance and got a hit! I confirmed that it was Skype which hit the URL by looking at the ngrok inspect web console and verifying the received User-Agent header (Skype) and the IP address in who....

October 28, 2022 · 2 min · Jayateertha Guruprasad
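The post above confirms the blind SSRF out of band (a callback with Skype's User-Agent and source IP). What a practitioner wants beside that is the server-side check such a `url` parameter should have had. The following is an added example, not code from the post or from Skype: it rejects non-http(s) schemes and embedded credentials, optionally enforces a host allowlist, resolves the host through an injectable resolver, and refuses any loopback, link-local (cloud metadata), private or otherwise non-public address. `ALLOWED_HOSTS`, `FAKE_DNS` and the addresses in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist; a real service would load this from its policy.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"example.com": ["93.184.216.34"], "internal.test": ["10.0.0.5"]}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host {host}")
    return FAKE_DNS[host]


def system_resolver(host):
    """Resolve through the OS and return every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip) -> bool:
    """True only for globally routable addresses: loopback, RFC 1918, link-local
    (169.254.169.254 metadata endpoints live here), multicast, reserved and
    unspecified addresses are all rejected."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a server-side fetcher may request `url`.

    Returns (ok, reason, addresses). Callers should connect to one of the
    returned addresses (sending the hostname in the Host header) instead of
    resolving again, so a DNS answer cannot change between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not http(s)", []
    if parts.hostname is None:
        return False, "URL has no host", []
    if parts.username or parts.password:
        return False, "credentials embedded in URL", []
    host = parts.hostname.lower()
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} is not on the allowlist", []
    try:  # IP literal: nothing to resolve, but it still must be public
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"could not resolve {host!r}: {exc}", []
    if not addrs:
        return False, f"{host!r} has no addresses", []
    for addr in addrs:
        if not is_public(ipaddress.ip_address(addr)):
            return False, f"{host!r} resolves to non-public address {addr}", []
    return True, "ok", addrs


def demo():
    """Run the check over a few constructed URLs; returns {url: ok}."""
    cases = [
        ("https://example.com/img.png", ALLOWED_HOSTS),
        ("https://internal.test/", None),
        ("http://169.254.169.254/latest/meta-data/", None),
        ("file:///etc/passwd", None),
        ("http://[::1]/", None),
    ]
    return {u: check_fetch_url(u, fake_resolver, hosts)[0] for u, hosts in cases}
```

Redirects are the other common bypass: fetch with redirects disabled, or run `check_fetch_url` on every hop before following it, otherwise an allowlisted host can 302 the fetcher into the internal network.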

Abusing a Broken Link In Fitbit (Google Acquisition) To Collect BugBounty Reports On Behalf Of Google!

I usually track acquisitions of the websites on which I hunt bugs regularly. I knew that the Fitbit acquisition had been completed by Google and that it was eligible for bounty on the Google VRP platform. But I remembered that Fitbit had also been part of some other bug bounty platform before Google's acquisition, so I wanted to make sure that I was reporting to the correct platform. Hence, I made a simple Google search and found this broken link on the official website of Fitbit on the first page of the Google results....

September 16, 2022 · 2 min · Jayateertha Guruprasad

2FA Bypass in PickMyCareer.in

I recently found a 2FA bypass in a responsible disclosure program, pickmycareer.in. The vulnerability allows an attacker to register any mobile number with his account, bypassing OTP verification. The process is very simple: during the registration process, the attacker gives his own mobile number and receives an OTP, enters the correct OTP and intercepts the request to the /api/user/account/register [POST] API endpoint. Here the attacker keeps the OTP unchanged but changes the mobileNumber param in the request to the victim's mobile number and forwards the request....

May 6, 2022 · 1 min · Jayateertha Guruprasad
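The bug above is an OTP that proves possession of one number being accepted for registering a different one. Below is an added example, not the site's code or the post's: a toy registration backend with the vulnerable handler beside the fixed one. The fix is that the number being registered must equal the number the OTP was issued for, and the OTP is consumed on first use. Session ids, phone numbers and the OTP length are constructed for the example.

```python
import hmac
import secrets
import time


class Registration:
    """Toy registration backend built for this example; not the site's code.

    pending maps a session to (phone the OTP was sent to, OTP, expiry).
    accounts maps a registered number to the session that owns it.
    """

    OTP_TTL = 300  # seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}
        self.accounts = {}

    def send_otp(self, session_id, phone):
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session_id] = (phone, otp, self.clock() + self.OTP_TTL)
        return otp  # constructed: returned here instead of being sent by SMS

    def _verified_phone(self, session_id, otp):
        """Return the phone the OTP was issued for, or None if it does not check out."""
        entry = self.pending.get(session_id)
        if entry is None:
            return None
        phone, expected, expires_at = entry
        if self.clock() > expires_at:
            return None
        if not hmac.compare_digest(expected.encode(), str(otp).encode()):
            return None
        return phone

    def register_vulnerable(self, session_id, mobile_number, otp):
        # Flaw: the OTP is checked, but the number it was sent to is never
        # compared with the mobileNumber the client supplies, so a valid OTP
        # for the attacker's own phone registers any number at all.
        if self._verified_phone(session_id, otp) is None:
            return False
        self.accounts[mobile_number] = session_id
        return True

    def register_fixed(self, session_id, mobile_number, otp):
        # Fix: the number being registered must be the one the OTP proved
        # possession of, and the OTP is consumed on first successful use.
        verified = self._verified_phone(session_id, otp)
        if verified is None or verified != mobile_number:
            return False
        del self.pending[session_id]
        self.accounts[mobile_number] = session_id
        return True


def demo():
    """Replay the attack against both handlers; returns (took_over, blocked)."""
    attacker_phone, victim_phone = "+15550000001", "+15550000002"  # constructed
    vuln = Registration()
    otp = vuln.send_otp("attacker-session", attacker_phone)
    took_over = vuln.register_vulnerable("attacker-session", victim_phone, otp)
    fixed = Registration()
    otp = fixed.send_otp("attacker-session", attacker_phone)
    blocked = not fixed.register_fixed("attacker-session", victim_phone, otp)
    return took_over, blocked
```

The same rule applies to any flow where a second factor is verified in one request and consumed in another: bind the verification to the identifier it was issued for on the server side, never to whatever the client resubmits.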

How I passed my CEH (Practical) in first attempt

First of all, I am not a complete beginner in the infosec/cyber security community. I have been doing bug bounty for the past 3 years, and my current job role is that of a security engineer. So I haven't prepared much, as I already use most of the tools frequently at my workplace, in CTFs and in bug bounty. I decided to go with CEH (Practical) as I had got a scholarship for it and the amount was $100, which I had also earned by winning a private CTF....

April 15, 2022 · 2 min · Jayateertha Guruprasad

Jira Auth Bypass bug in Google Acquisition (Apigee)

I was looking for blogs on Google VRP reports as well as noting down its popular acquisitions. Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html) which talks about an unauthenticated Jira instance leaking dashboard names, project titles and user profile pictures by applying filters. It also mentions that the website only supports logging in with an @apigee.com email address, so I thought, why not try logging in using Google OAuth? I signed in using my Gmail account and got successfully logged in!...

February 25, 2021 · 2 min · Jayateertha Guruprasad

Grafana Admin Panel bypass in Google Acquisition (VirusTotal)

I started with the usual subdomain recon of a Google acquisition (VirusTotal). This time I used an online subdomain finder service, https://subdomainfinder.c99.nl/, to find subdomains quickly. Then I found the subdomain grafana.internal.virustotal.com; the word "internal" in the subdomain made me visit that page out of curiosity. But unfortunately, it was only for authorized users. I searched for Grafana endpoints, visited /signup and tried to sign up for a new account; it showed that sign up was disabled. Then I thought that if OAuth sign-in was allowed, I could try logging in using Google, GitHub or any other service....

February 20, 2021 · 3 min · Jayateertha Guruprasad
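Both the Jira (Apigee) entry and the Grafana (VirusTotal) entry above are the same mistake: "Sign in with Google" was enabled, but nothing restricted which Google accounts were accepted, so a consumer Gmail account got in. The following is an added example, not code from either post, from Atlassian, Grafana or Google: the claim check an application should run on a Google ID token after verifying its signature (for instance with `google.oauth2.id_token.verify_oauth2_token` from the google-auth library, which is assumed to have run already). The check that matters is the `hd` (hosted domain) claim, which Google sets only for Workspace accounts; a consumer Gmail account never carries it. `CLIENT_ID`, `NOW` and the claim sets are constructed; `apigee.com` is used because the post names it as the only permitted domain.

```python
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def authorize_google_login(claims, allowed_domain, expected_audience, now=None):
    """Decide whether a signature-verified Google ID token may log in.

    `claims` is the decoded payload. Returns (allowed, reason). Issuer,
    audience and expiry are re-checked so the function stands alone; the
    domain restriction is enforced on `hd`, not on the email suffix.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "token was issued for another client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    hd = claims.get("hd")
    if hd is None:
        return False, "no hosted domain claim: consumer account"
    if hd.lower() != allowed_domain.lower():
        return False, f"hosted domain {hd!r} is not {allowed_domain!r}"
    return True, "ok"


# Constructed inputs for the example.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
NOW = 1_700_000_000
CONSUMER_CLAIMS = {  # a plain Gmail account: no hd claim
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": NOW + 600,
    "email": "someone@gmail.com", "email_verified": True,
}
WORKSPACE_CLAIMS = {  # a Workspace account in the permitted domain
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": NOW + 600,
    "email": "dev@apigee.com", "email_verified": True, "hd": "apigee.com",
}


def demo():
    """Returns (consumer_allowed, workspace_allowed) for the constructed tokens."""
    return (authorize_google_login(CONSUMER_CLAIMS, "apigee.com", CLIENT_ID, NOW)[0],
            authorize_google_login(WORKSPACE_CLAIMS, "apigee.com", CLIENT_ID, NOW)[0])
```

For products where the application code is not yours, the same restriction lives in configuration: Grafana's `[auth.google]` section has an `allowed_domains` setting, and leaving it empty with `allow_sign_up` on is the Grafana-side equivalent of the check above being absent.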

Download Filename Manipulation due to improper rendering of RTLO characters

This is one of the easiest bugs that I have found in a private bug bounty program. The program had two of its browsers in its scope. I was testing for RTLO-related bugs, and I found that the downloads section of the browser was rendering the RTLO characters improperly. RTLO characters are "Right-To-Left-Override" characters, which are rendered from right to left, unlike English, which is rendered from left to right....

December 17, 2020 · 2 min · Jayateertha Guruprasad
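The trick behind the entry above: U+202E (RIGHT-TO-LEFT OVERRIDE) makes everything after it display reversed, so a file whose real extension is `.exe` can be shown as if it ended in `.pdf`. The following is an added example, not code from the post or from the browser vendor: it detects Unicode bidi controls in a filename, recovers the true extension, and approximates what a renderer that does not neutralise the override would show. The filename is constructed; `naive_display` is a simplification of the bidi algorithm (it only handles the override/pop pair, not neutral or mirrored characters).

```python
import os

# Unicode bidirectional controls an attacker can embed in a filename.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}
RLO, PDF = "\u202e", "\u202c"


def has_bidi_controls(name):
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name):
    """Remove every bidi control so the name is shown in logical order."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """Extension of the file the OS will actually open, ignoring display tricks."""
    return os.path.splitext(strip_bidi_controls(name))[1].lower()


def naive_display(name):
    """Approximate what a renderer shows: text after a U+202E override runs
    right-to-left until a U+202C pop or the end of the string. Simplified;
    the real bidi algorithm also reorders neutrals and mirrored characters."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def demo():
    """Returns (what the user sees, what will run, whether a control was present)."""
    crafted = "invoice" + RLO + "fdp.exe"  # constructed: logically ends in .exe
    return naive_display(crafted), true_extension(crafted), has_bidi_controls(crafted)
```

A downloads UI has two reasonable fixes: show the name with the controls stripped (or wrapped in isolates, U+2068 ... U+2069, so the override cannot leak into surrounding text), and always derive the warning icon and the "this is an executable" decision from `true_extension`, never from what was rendered.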

CORS bug on GOOGLE’s 404 page REWARDED!!!

This is the story of a CORS bug that I found in one of Google's acquisitions, Kaggle, where I got rewarded for a CORS bug in the 404 page. One fine day I was looking at one of Google's acquisitions (Kaggle). Kaggle is used worldwide by the machine learning community and is pretty famous. I tried looking for CSRF bugs all over the website but everything went in vain. I also searched for CORS misconfigurations but couldn't find anything useful....

April 21, 2020 · 2 min · Jayateertha Guruprasad
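The title above makes the practical point: CORS headers have to be checked on error responses as well, because a 404 handler may sit behind different middleware from the pages you normally test. Below is an added example, not code from the post and not a description of Kaggle's actual configuration: a grader for one response's CORS headers given the Origin that was sent, run over two constructed responses, a strict 200 page and a 404 page that reflects any Origin with credentials. Paths, origins and headers are all constructed.

```python
def classify_cors(sent_origin, headers, status):
    """Grade a response's CORS headers for the Origin that was sent.

    Returns (finding, detail). Credentialed cross-origin reads only work when
    Access-Control-Allow-Origin echoes a specific origin *and*
    Access-Control-Allow-Credentials is true; "*" plus credentials is refused
    by browsers. The caller sends an origin it controls, so an echo of that
    exact value means the server reflects arbitrary origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none", f"no ACAO header on {status} response"
    if acao == "*":
        return "public", "wildcard origin; browsers block credentialed reads"
    if acao == "null":
        return ("high" if acac else "low",
                "null origin allowed (sandboxed iframes and data: URLs send it)")
    if acao == sent_origin:
        if acac:
            return "high", f"arbitrary origin reflected with credentials on {status} response"
        return "medium", f"arbitrary origin reflected without credentials on {status} response"
    return "none", f"ACAO pinned to {acao}"


# Constructed responses: what a probe with Origin: https://attacker.example might get back.
ATTACKER_ORIGIN = "https://attacker.example"
SAMPLE_RESPONSES = {
    "/": (200, {"Access-Control-Allow-Origin": "https://app.example",
                "Access-Control-Allow-Credentials": "true"}),
    "/api/public": (200, {"Access-Control-Allow-Origin": "*"}),
    "/this-does-not-exist": (404, {"Access-Control-Allow-Origin": ATTACKER_ORIGIN,
                                   "Access-Control-Allow-Credentials": "true"}),
}


def probe(responses=SAMPLE_RESPONSES, origin=ATTACKER_ORIGIN):
    """Classify every (path -> (status, headers)) pair; returns {path: finding}."""
    return {path: classify_cors(origin, headers, status)[0]
            for path, (status, headers) in responses.items()}
```

When scripting this against a live target, send the probe Origin to every status class you can provoke (404, 405, 500, redirect targets) and a GET with cookies attached; a reflected origin plus credentials on any of them is enough for a cross-origin read of whatever that response contains.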

WhatsApp Profile Photo Leakage Bug

If you think WhatsApp is totally safe and your profile picture is visible only to people in your contacts or according to your privacy settings, then you are totally wrong. I found a bug in WhatsApp through which any third-party app with only the read storage permission can access your WhatsApp profile picture, no matter what or how secure your profile visibility settings are. Let's go into the details of the bug:...

April 9, 2020 · 4 min · Jayateertha Guruprasad

GOOGLE REFERER LEAK BUG

This is a low-hanging bug I discovered in Google; this blog is going to be short and to the point. I followed the usual recon process, and after enumerating subdomains I selected https://datastudio.google.com. I tried to check for popular vulnerabilities: XSS, CSRF, SSRF and what not!!! But I couldn't find anything. Then I tried to look at the features of the website. There was an option to EMBED any site in a report....

September 15, 2019 · 1 min · Jayateertha Guruprasad
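The feature above, embedding an arbitrary third-party site inside a report, is exactly the situation in which the Referer header decides how much of the report URL the embedded site learns; which value is sent depends on the page's referrer policy. The following is an added example, not code from the post or from Google: it implements the Referer computation for the eight named policies so you can see, for a given page and embed target, whether only the origin or the full path leaks. The report URL is constructed (the host datastudio.google.com is the one named in the post; the path is invented), as is the embed target.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"  # current browser default

# Constructed: a report page and a third-party site embedded in it.
REPORT_URL = "https://datastudio.google.com/reporting/abc123/page/1#section"
EMBED_URL = "https://third-party.example/widget"


def _split(url):
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1].lower()  # drop userinfo, normalise case
    return p.scheme.lower(), host, p.path or "/", p.query


def _origin(url):
    scheme, host, _, _ = _split(url)
    return f"{scheme}://{host}/"


def _full(url):
    scheme, host, path, query = _split(url)
    return urlunsplit((scheme, host, path, query, ""))  # fragment is never sent


def referer_for(policy, source, dest):
    """Referer value a browser sends for a request from `source` to `dest`
    under `policy` (None or "" means the default). Returns None when omitted."""
    policy = (policy or DEFAULT_POLICY).lower()
    s_scheme, s_host, _, _ = _split(source)
    d_scheme, d_host, _, _ = _split(dest)
    same_origin = (s_scheme, s_host) == (d_scheme, d_host)
    downgrade = s_scheme == "https" and d_scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source)
    if policy == "origin":
        return _origin(source)
    if policy == "origin-when-cross-origin":
        return _full(source) if same_origin else _origin(source)
    if policy == "same-origin":
        return _full(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full(source)
        return None if downgrade else _origin(source)
    if policy == "unsafe-url":
        return _full(source)
    raise ValueError(f"unknown referrer policy {policy!r}")


def leaks_path(policy, source=REPORT_URL, dest=EMBED_URL):
    """True when the embedded third party learns more than the source origin."""
    ref = referer_for(policy, source, dest)
    return ref is not None and ref != _origin(source)
```

The two policies that hand a cross-origin embed the full page URL are `unsafe-url` and `no-referrer-when-downgrade`; a page whose URL carries a document or report identifier should set `Referrer-Policy: strict-origin-when-cross-origin` or stricter, and the embedding element itself can carry `referrerpolicy="no-referrer"` for the arbitrary-site case.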