Hey hackers, hope you are all doing well in this pandemic. This is a story of an SSRF I found in a private program through the HTML to PDF converter functionality, through which I was able to read internal files, AWS metadata and some internal debug ports with juicy customer information. I will divide the various bypasses and exploitation I found into 3 parts.

SSRF TO AWS KEYS AND SENSITIVE INFORMATION DISCLOSURE

So I started testing the web application, and after seeing the PDF converter functionality I quickly tested some quick SSRF payloads. The application was fetching the URL from a remote…


Hey,

Today I will share with you my recent finding, which was a self XSS that I turned into a full account takeover using various other misconfigurations and features already available on the website.

EXPLOITATION SCENARIO:

  • Self stored XSS
  • Google login CSRF to good XSS
  • Logout of attacker account
  • Using previous Google login to get into victim account
  • Stealing password change CSRF token
  • Changing the password
  • Sending email+password to the server

So this was a private program, so everything will be redacted. During my testing I found a simple stored XSS in the profile upload functionality…


My OSCP story

So it all began in 2018 when I saw this certification on the internet; it seemed like a challenging one and a good entry-level pentesting certification. So I set a goal for myself to achieve it by the end of 2019. At the time I got to know about this certification, I had some knowledge of Linux, networking and some web application vulnerabilities, and very little knowledge of network pentesting.

BEGINNING

I started my preparation by signing up on http://hackthebox.eu/ and solving some easy active boxes, and started learning more about port scanning, service detection…


Story of a stored XSS to full account takeover vulnerability (N/A to accepted)

Hey everyone,

This is one of my best finds ever, which took me some days to exploit, but when I finally exploited it, it was the best feeling in the world!!

So let's begin,

I got an invite to a private program on HackerOne and I started testing it. As this was a private program I will use example.com instead of the program's real domain.

This site was mainly for group purposes, so companies can share their data among other people and can invite other…


Story of a URI-based XSS with some simple Google dorking

Hey everyone,

This is an old XSS bug which I found in a private program on HackerOne by doing some Google recon. Because it was a private program I will name the site www.example.com everywhere.

So let's start,

The program seemed to be quite old, but its scope was wide, with a bunch of domains. I thought that many people might have already tested the main domain, so I thought of exploring the other domains in the list first. During the initial testing I didn't find anything useful. Then …


Hey, today I will share my first ever valid XSS bug, which was a reflected XSS on a public program on HackerOne.

So let's start. I was very new to HackerOne and I took a random program to start with, and I began doing some recon by finding the subdomains and different endpoints. When I was looking at different pages inside the website I found an endpoint like this:

https://example.com/abc/]

I thought there was something fishy here, and I opened that page, but the page loaded normally. Then …

Jatin Aesthetic

Web application pentester
