Posts

How I got stored XSS on the ADMIN panel?

Hey guys, so I am back with a new post this time. Recently I was assigned a penetration test for a certain client. I have written another post on my CSRF findings in this penetration test. If you haven't read that post, I recommend checking it out here, so that you can understand the application flow and how a user can interact with the ADMIN. I don't want to make it a long post by repeating the same things I did in the last post.

Let's get to the main point then. In the application, the ADMIN can invite a user, who would then sign up through that link. The main thing I noticed here was that this user could also update the settings page for the company. He could change the company name as well. The company name was being reflected on the page and I immediately thought that it seemed a perfect place for finding XSS vulnerabilities. So I started trying different XSS payloads there, but it was filtering most of the stuff I could think of. If I
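To make the point concrete, here is an added example (not code from the post or from the target application) of the setting described above: a company name saved by an invited user and later rendered into a page the ADMIN also sees. It compares raw concatenation, a denylist filter of the "strips most payloads" kind, and proper output encoding. The function names, the markup and the sample names are assumptions made for illustration; the post does not say what filter the target used.

```javascript
// Added example, not code from the original post. Models a stored company
// name rendered into the settings/ADMIN page. Function names, markup and
// sample inputs are assumptions for illustration.

// Vulnerable rendering: the stored value is concatenated straight into the
// page, so whatever the user saved becomes markup.
function renderCompanyHeaderUnsafe(companyName) {
  return `<h1 class="company">${companyName}</h1>`;
}

// A denylist filter that removes only <script> tags. Shown to illustrate why
// "filters most payloads" is not the same as safe; the post does not claim
// the target used exactly this.
function naiveFilter(companyName) {
  return companyName.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

function renderCompanyHeaderFiltered(companyName) {
  return renderCompanyHeaderUnsafe(naiveFilter(companyName));
}

// Proper fix: encode for the HTML text context at output time, regardless
// of what was stored.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderCompanyHeaderSafe(companyName) {
  return `<h1 class="company">${escapeHtml(companyName)}</h1>`;
}

// True if a raw tag start survives inside the <h1>, i.e. the stored value
// broke out of its text context. Text such as "onerror=" outside a tag is
// inert, so only "<" followed by a tag character counts.
function leaksMarkup(html) {
  const inner = html.replace(/^<h1 class="company">/, "").replace(/<\/h1>$/, "");
  return /<[a-z!/]/i.test(inner);
}

// Constructed sample names (not payloads taken from the post).
const SAMPLE_NAMES = {
  benign: "Acme & Sons",
  scriptTag: "<script>alert(1)</script>",
  eventHandler: "<img src=x onerror=alert(1)>",
};

// For one stored name, does each renderer leak markup into the page?
function compareRenderers(name) {
  return {
    unsafe: leaksMarkup(renderCompanyHeaderUnsafe(name)),
    filtered: leaksMarkup(renderCompanyHeaderFiltered(name)),
    safe: leaksMarkup(renderCompanyHeaderSafe(name)),
  };
}
```

Calling `compareRenderers(SAMPLE_NAMES.eventHandler)` shows the filtered renderer still leaking while the encoded one does not, which is the reason to fix this at the output-encoding step rather than by extending a denylist.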

A TALE OF AN APPLICATION WIDE CSRF VULNERABILITY

Hi guys, so this is something which I found during a penetration test and though it's nothing too special, I thought why not share it with you guys, because # Sharing is Caring. So this is how this story goes :)

Recently I was conducting a penetration test for a company, and say the target was www.xyz.com. Now, to be honest, the application was full of vulnerabilities but yes, I do love finding XSS and CSRF bugs (because I am a noob ;)). And I did get a couple of XSS's in quick succession (more on this in another post). The target www.xyz.com was an advertising platform, and people signing up normally would be considered the Master Admin of the team. These Master Admins can then invite other users as Admins or normal users to the team. There was also the functionality to change the team's name and other settings. The first user, i.e. the Master Admin, could delete the account of other invited users (both roles, A

How I got sensitive details of a company via misconfigured endpoints?

Hey guys, the title seems somewhat catchy, but let me tell you the story of how I got different sensitive details of a company via "Forced Browsing" on endpoints, and how you can try to find the same kind of issues in bug bounties or penetration testing. So last week I was performing a penetration test for a certain company. Let's say the main application was www.xyz.com. The application was basically an organization and I was provided with all levels of access. It had 5 layers of different access controls, of which an Account-Admin had the highest privileges whereas a Normal user of the organization had the lowest privileges. Between these two there were 3 other privileged users such as Manager, Team Leader etc. Now when you come across this kind of application where there are different kinds of privileges, the first thing that comes to my mind is: can I somehow READ or EDIT the details of a higher privileged user? XSS also comes in handy in this kind of situati
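The check a forced-browsing sweep is really probing is whether the endpoint itself enforces who may read whom, or whether the UI merely hides the link. Here is an added example (not code from the post or from the target) of a "user details" endpoint in both shapes, plus the sweep a tester runs with each account. The role ranks, user ids and record fields are assumptions; the post names only Account-Admin, Manager, Team Leader and Normal user, so the other intermediate roles are left out.

```javascript
// Added example, not code from the original post. Models a user-details
// endpoint with and without a vertical access-control check, and the
// forced-browsing sweep that reveals the difference. Role ranks, ids and
// record fields are assumptions for illustration.

const ROLE_RANK = { user: 0, team_leader: 1, manager: 2, account_admin: 3 };

// Constructed organization.
const USERS = {
  u1: { role: "account_admin", email: "owner@example.com", phone: "+1-555-0100" },
  u2: { role: "manager", email: "manager@example.com", phone: "+1-555-0101" },
  u3: { role: "team_leader", email: "lead@example.com", phone: "+1-555-0102" },
  u4: { role: "user", email: "user@example.com", phone: "+1-555-0103" },
};

// Vulnerable: the page hides the link for low-privilege users, but the
// endpoint only checks that the caller is logged in. Anyone who guesses or
// enumerates the record id reads it.
function getUserDetailsVulnerable(callerId, targetId) {
  if (!USERS[callerId]) return { status: 401 };
  if (!USERS[targetId]) return { status: 404 };
  return { status: 200, body: USERS[targetId] };
}

// Policy: a caller may read their own record, or any record whose role
// ranks strictly below their own.
function canRead(callerId, targetId) {
  if (callerId === targetId) return true;
  return ROLE_RANK[USERS[callerId].role] > ROLE_RANK[USERS[targetId].role];
}

// Fixed: the same policy runs on every request, independent of the UI.
function getUserDetailsFixed(callerId, targetId) {
  if (!USERS[callerId]) return { status: 401 };
  if (!USERS[targetId]) return { status: 404 };
  if (!canRead(callerId, targetId)) return { status: 403 };
  return { status: 200, body: USERS[targetId] };
}

// The sweep a tester runs with each account: request every record id and
// note which come back 200. Entries are "caller->target".
function sweep(handler) {
  const readable = [];
  for (const callerId of Object.keys(USERS)) {
    for (const targetId of Object.keys(USERS)) {
      if (handler(callerId, targetId).status === 200) {
        readable.push(`${callerId}->${targetId}`);
      }
    }
  }
  return readable;
}
```

Against the vulnerable handler `sweep` returns all 16 caller/target pairs, so the Normal user (u4) reads the Account-Admin's record; against the fixed one it returns only the 10 pairs the rank policy allows. In a real engagement the same loop is run over HTTP with one session per role, and any 200 that contradicts the documented privilege model is the finding.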