Latest Posts

Google VRP : oAuth token stealing.

Hey guys! hope you all doing well :), In June/July i decided to hunt on Google Products, As Google have almost everything in scope so i gone though list of Google products/fully integrated acquisitions. ( https://www.google.com/intl/en/about/products/ ), Waze is one of Google's Fully integrated acquisitions (There's difference b/w integrated and non-integrated). So i decided to give it a try...

Hunting Websockets For Fun And Profit

It's been a while since we have came up with any blogpost.  So this post will be about how i grabbed every information that was being updated over my organization even after i was removed from the organization. First let's start with what is WebSockets? A good explanation can be found here https://pusher.com/websockets Lets start, As the program...

Instagram Email Verification Issue

Hey guys! So won't be taking too long, its an year old bug i found in Instagram thought to share, The bug was very simple so not going too write much just simple PoC :). Steps to reproduce : 1) Create an account on instagram with email "abc@x.com" 2) Login to account and change Email to "def@x.com" 3)...

Cheatsheet : Open Authentication - oAuth

Hey guys! I hope you all doing well, So today we're going to discuss about oAuth and its bad implantation :) - What is oAuth ? - IOAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user...

XSS + CSRF = Bhoom!

Hello :D Everyone, It had been a long time since I got a good bug and a bounty too :3 so after an OWASP meet where I met many leet bounty hunters I felt so much motivated, to do a bug hunt.I started poking around and all , so this is a story of a simple Full Account...

Pwn them for Learn

Hello guys! This days i'm not much active because of college life :( but this weekend i got enough time to write about one of my Finding on a private site :-) from which i was able to get a Remote code execution on the server :)  Site : B*******.com Description : Bitcoin sell and buy site  Bug :...

Veris.in Account Takeover

Hey Guys! Today I'll share you my Account takeover finding on Veris.in, So no more waste of time and start. I installed Android app of Veris and started testing it, In Veris app we need to first verify our number and then we can register, While doing this i captured my request and try to bruteforce the OTP...

Page 1 of 212Next
Powered by Blogger.