Posts

How I Pwned a company using IDOR & Blind XSS

This post is about exploiting Blind XSS and IDOR to gain access to a company's Slack, Facebook Workplace and other services used by the company.

Special thanks to Inti De Ceukelaire; without his disclosure this would not have been possible.

And also thanks to my friend Harsh Jaiswal for giving some ideas.

Most people from the infosec community must have read the disclosure by Inti De Ceukelaire regarding Ticket Trick; if you have not read it, I would suggest reading that first (https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c).

After reading the article, the first thing that came to my mind was exploiting this on a company, as it had similar functionality on Support Tickets.

The company's website had a Support Portal. We could create a Ticket by sending an email.

Exploiting Ticket Trick to gain access to the company's Slack or Facebook Workplace was not possible as Slack and Facebook included a random token while sending verification …

Recent posts

Exploiting a Single Request for Multiple Vulnerabilities

Hello Everyone,

This is my first blog post; it's about multiple security vulnerabilities found from a single request on a private program recently.

The vulnerabilities found are simple Stored and Reflected XSS, SSRF and Command Injection.

But since I have never written any PoCs before, I just wanted to write about this one.

So let's call the website privatesite.com.

After login, the first thing I saw was a feature to upload images.

So I started testing the uploader functionality, like directly uploading PHP, SWF, SVG, etc., but nothing worked, as the uploader looked secure from my end.

Then I noticed there is a feature to crop the image; the POST request of this feature looked kind of interesting.

1. SSRF
There was a parameter http_path which had the image URL, so I fired up a socket listening to a port on my server, and in that http_path parameter I put my server's IP and port, and the socket received the connection.

So an external SSRF was confirmed.

2. Stored XSS
On t…