Hi folks! I hope you are all doing well. It has been a long time since I did a write-up, so this write-up is all about my tweet: Exploiting/chaining auto-save functionality to take over the victim's account. Make sure to follow @xSaadAhmed and @SecurityFoster for more upcoming write-ups & tools.

Exploiting/Chaining auto-save functionality to take over the victim's account.

So without wasting time, let's get started. It was a private program, so let's assume private.com. While exploring the website, every input was properly sanitized; then the file upload functionality caught my attention. So we can upload files, and there is a public link that we can share, and other people can also…

Hi folks! I hope you are all doing well. I am back with another way of bypassing the WAF that was blocking me from weaponizing the XSS. Without wasting any time, let's get started.

The XSS part is very simple: my input is reflected inside the href of an <a> tag, e.g. <a href="https://example.com/home/leet">Home</a>

Escaping from the href is very simple. My payload is leet" onmouseover=alert(1)" and now, when I move my mouse over the link, the XSS pops up. This is very simple and basic.
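As an added example (not code from the write-up; the server template and function names are assumed for illustration), the following JavaScript renders the link the way a vulnerable template would, runs a tiny attribute tokenizer over the result to show the injected onmouseover becoming an attribute of its own, and shows the encoding that keeps the value inside the href:

```javascript
// Added example, not from the original write-up. Demonstrates the attribute
// breakout described above and one way to close it. Runs in Node.js, no modules.

const PAYLOAD = 'leet" onmouseover=alert(1)"'; // the payload from the write-up

// Hypothetical vulnerable template: user input concatenated straight into a
// double-quoted attribute. A '"' in the input ends the href value early.
function renderLinkUnsafe(userPath) {
  return `<a href="https://example.com/home/${userPath}">Home</a>`;
}

// HTML attribute encoding: every character that can end or alter an attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened rendering: the input is one path segment, so percent-encode it first
// (no '"', space, '/', '=' survive), then attribute-encode on top. The origin
// and scheme stay fixed in the template, so a javascript: URL cannot be introduced.
function renderLinkSafe(userPath) {
  return `<a href="https://example.com/home/${escapeAttr(encodeURIComponent(userPath))}">Home</a>`;
}

// Minimal start-tag attribute tokenizer, modelled on how a browser reads the tag:
// quoted values end at the matching quote, unquoted values end at whitespace or '>'.
function attributesOf(tag) {
  const body = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>.*$/s, '');
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the rendered tag carries any event-handler attribute that the
// template itself never emitted.
function hasInjectedHandler(tag) {
  return Object.keys(attributesOf(tag)).some(name => name.startsWith('on'));
}

console.log(renderLinkUnsafe(PAYLOAD), hasInjectedHandler(renderLinkUnsafe(PAYLOAD)));
console.log(renderLinkSafe(PAYLOAD), hasInjectedHandler(renderLinkSafe(PAYLOAD)));
```

With the write-up's payload the unsafe render yields a tag whose href ends at "leet" and which then carries a second attribute, onmouseover; the safe render keeps the whole input inside the href as a single percent-encoded segment. Attribute encoding alone would not be enough if the user controlled the whole href, since a javascript: scheme needs no quote to work; here the scheme and host are fixed by the template.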

It's time to do something BIG!!! Now I am checking all the endpoints of the web app that disclose the…

Hello friends, this write-up is about how I bypassed the CORS validation. Let's assume the website name is redact.com. I simply logged into the website and checked for a CSRF attack, but there was a Current Password param, which means that even if I am able to bypass the CSRF protection that is there, I still need the victim's current password to exploit it.

Then I saw:

Access-Control-Allow-Origin: https://redact.com

Access-Control-Allow-Credentials: true

I tried to set attacker.com in the Origin header, but it didn't work. I tried adding another Origin header; it also failed. Basically, the server was checking the Origin header value like this…
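The excerpt stops before it shows how the server compared the Origin value. As an added illustration, not code from the write-up and not the author's target, the following JavaScript models the browser rule that makes the two headers above dangerous when the comparison is loose: a strict allowlist next to two common weak comparisons (the weak checks, the allowlist and the function names are assumptions about the bug class, not findings about redact.com). The same browser rule decides whether any response that carries a secret, such as a page that echoes a CSRF token, can be read cross-site with the victim's cookies.

```javascript
// Added example, not from the original write-up. Simulates a server's Origin
// check and the browser's decision on a credentialed cross-origin read.
// Runs in Node.js, no modules.

const ALLOWED_ORIGINS = new Set(['https://redact.com']); // hypothetical allowlist

// Weak pattern 1 (assumed, common): suffix match. Accepts https://evilredact.com.
function originCheckSuffix(origin) {
  return origin.endsWith('redact.com');
}

// Weak pattern 2 (assumed, common): prefix match. Accepts https://redact.com.attacker.com.
function originCheckPrefix(origin) {
  return origin.startsWith('https://redact.com');
}

// Strict: exact match of the full origin (scheme + host + port) against an allowlist.
function originCheckStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Response headers a server built on the given check would send. Without a
// passing check it sends no ACAO at all, which is the correct refusal.
function corsHeadersFor(origin, check) {
  if (!origin || !check(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // reflected, as in the headers on the page
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                           // so caches never serve one origin's ACAO to another
  };
}

// Browser side: may a script on attackerOrigin read the body of
// fetch(url, { credentials: 'include' })? Only when ACAO equals that origin
// exactly (a wildcard is refused once credentials are involved) and ACAC is "true".
function browserExposesResponse(headers, attackerOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao === attackerOrigin && acac === 'true';
}

// Does a page on attackerOrigin get a credentialed cross-site read from a server
// that validates Origin with `check`?
function readableFrom(attackerOrigin, check) {
  return browserExposesResponse(corsHeadersFor(attackerOrigin, check), attackerOrigin);
}

for (const [name, check] of [['suffix', originCheckSuffix], ['prefix', originCheckPrefix], ['strict', originCheckStrict]]) {
  console.log(name,
    'attacker.com:', readableFrom('https://attacker.com', check),
    'evilredact.com:', readableFrom('https://evilredact.com', check),
    'redact.com.attacker.com:', readableFrom('https://redact.com.attacker.com', check));
}
```

Setting an arbitrary Origin in a proxy, as in the excerpt, only tests the server half of this; the browser half is what turns a reflected ACAO plus ACAC: true into a read of the victim's response, and it requires the origin to be one the attacker actually controls, so a comparison that admits a registrable look-alike host is what a practitioner looks for.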

Hello friends, I hope you are all doing well. This write-up is all about how I chained two different vulnerabilities to update the victim's account details. Let's assume the website name is redacted.com.

So when I visited the profile page https://redacted.com/editinfo/ and tried to change the account details, there was a CSRF token. I tried different methods to bypass that CSRF protection but failed; then I found a suspicious endpoint that was disclosing the CSRF token: https://redacted.com/accountinfo/personal/lpsust/v1/redacted.com/

So when I opened that endpoint, I found the CSRF token in the response. Now the next part was to steal…

Hi guys, I hope you are all doing well. This write-up is all about an accidental IDOR that I found in a PRIVATE program, so let's assume the name redacted.com. I was checking for a CSRF vulnerability in the update address functionality. The API was sending JSON data to the server, and there was no CSRF protection. When I tried to change the content type to text/plain, I got this.

An error disclosed another hidden endpoint. When I made an OPTIONS request to that hidden endpoint and checked the allowed methods, I got this.

Hi guys, I hope you are all fine. This POC is all about how I converted a self XSS into an evil XSS. Let's assume the site is PRIVATE.COM.

The first step was simply to sign up, log in to the account, and start playing with the change account details functionality. After some time I found out that the first name field is vulnerable to XSS, but the problem is that this is a self stored XSS, so I needed to convert this XSS to exploit other users. I checked the first method, through CSRF, but there is a CSRF token in the account update functionality…

Hey guys, this write-up is all about an SQL injection that I found in a PRIVATE program running on Bugcrowd.

Let's assume the website name is subdomain.private.com/registro/login. When I visited the site I saw strange behaviour: this is the admin panel, and the website reloads itself again and again. So I turned on intercept, captured the request, and tried basic bypasses, e.g. admin:admin and 1'or'1'='1, but they didn't work. There are two params, _email and _pass.

I put ' in the _email param and nothing happened, but I accidentally put it in both _email and _pass and I got <b>Warning</b>: PDOStatement::execute(): SQLSTATE[42000]…

Hello guys, I am back with another POC. Again, I found this bug in a PRIVATE program on Bugcrowd, so without wasting time, let's get started!

Let's assume the website is private.com. I created an account and looked for a CSRF account takeover, but the website is secure and there is a CSRF token. I tried many methods to bypass it but failed, so I started to play with its subdomains and found one of them, super.private.com. When I tried to log in there, I used my main account credentials and it worked, since most developers secure only the main website.

Hi guys, I am back with another POC that I found in a PRIVATE program on Bugcrowd. Let's get started. Let's assume the site name is private.com. I was testing the main website and, after crawling, I came to know that the server is Windows.

I didn't find anything on the main website, so I started to look for its subdomains. After spending a lot of time I found an interesting one, helpdesk.private.com. I created an account on it; there is only one functionality, where you can report an issue you faced on the website.

I was testing the browser functionality where you can…

Hi guys,

After a long time I decided to share some of my findings and contribute to this awesome community. This write-up is all about an IDOR that I found in a PRIVATE program that I have been hunting on for the past year.

So there is a request that updates the account username, https://www.site/dataentities/CL/documents/0e84b3b2-c65f-11e8-822e-0edf00549f0a, containing the following data: {"firstName":"john","lastName":"account","document":"32132132132","birthDate":"2019-05-30T00:00:00","gender":"male","homePhone":"1000000000"}

So I noticed that 0e84b3b2-c65f-11e8-822e-0edf00549f0a is the user ID. I created another account, replaced the ID with the other account's, and was able to change the first and last name of my second account. But the user ID is hard to guess; after spending a lot of time…
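The ID in that request has the layout of a version-1 (time-based) UUID: the third group, 11e8, starts with the version nibble 1. The excerpt stops before the author says how the guessing went, so the following is an added example, not code from the write-up and not necessarily the author's route. It decodes the ID that appears on the page and shows how much of a v1 UUID is predictable: the timestamp, clock sequence and node are all readable, so a neighbouring user's ID differs from a known one mainly in the time field. Function names are mine.

```javascript
// Added example, not from the original write-up. Decodes the version-1 UUID
// that appears in the request above (RFC 4122 layout) and enumerates the IDs
// the same generator would have issued around it. Node.js 12+ (BigInt), no modules.

const PAGE_UUID = '0e84b3b2-c65f-11e8-822e-0edf00549f0a'; // the user ID from the request

// 100-nanosecond ticks between the UUID epoch (1582-10-15) and the Unix epoch.
const UUID_EPOCH_OFFSET = 0x01b21dd213814000n;

function parseUuidV1(uuid) {
  const hex = uuid.replace(/-/g, '').toLowerCase();
  if (!/^[0-9a-f]{32}$/.test(hex)) throw new Error('not a UUID: ' + uuid);
  const timeLow = BigInt('0x' + hex.slice(0, 8));
  const timeMid = BigInt('0x' + hex.slice(8, 12));
  const timeHiAndVersion = parseInt(hex.slice(12, 16), 16);
  const version = timeHiAndVersion >> 12;            // top 4 bits of the third group
  const timeHi = BigInt(timeHiAndVersion & 0x0fff);
  const clockSeq = parseInt(hex.slice(16, 20), 16) & 0x3fff; // low 14 bits; top 2 are the variant
  const nodeHex = hex.slice(20, 32);
  const ticks = (timeHi << 48n) | (timeMid << 32n) | timeLow; // 60-bit timestamp in 100 ns units
  const unixMs = Number((ticks - UUID_EPOCH_OFFSET) / 10000n);
  return {
    version,
    ticks,
    unixMs,
    iso: new Date(unixMs).toISOString(),
    clockSeq,
    nodeHex,
    node: nodeHex.match(/../g).join(':'),
    // RFC 4122: a randomly chosen node sets the multicast bit (LSB of the first octet);
    // when it is clear the node is normally the host's MAC address.
    nodeIsRandom: (parseInt(nodeHex.slice(0, 2), 16) & 1) === 1,
  };
}

function buildUuidV1(ticks, clockSeq, nodeHex) {
  const h = (v, width) => v.toString(16).padStart(width, '0');
  const timeLow = ticks & 0xffffffffn;
  const timeMid = (ticks >> 32n) & 0xffffn;
  const timeHi = (ticks >> 48n) & 0x0fffn;
  return [
    h(timeLow, 8),
    h(timeMid, 4),
    h(0x1000n | timeHi, 4),                       // version 1
    h(BigInt(0x8000 | (clockSeq & 0x3fff)), 4),   // variant 10xx
    nodeHex,
  ].join('-');
}

// IDs the same generator (same node, same clock sequence) would have issued within
// +/- windowMs of the known ID, one candidate per stepMs. With a v1 UUID the only
// unknown is the creation time, so guessing collapses to a time window.
function candidateIds(knownUuid, windowMs, stepMs) {
  const p = parseUuidV1(knownUuid);
  if (p.version !== 1) throw new Error('only version-1 UUIDs carry a timestamp');
  const span = BigInt(windowMs) * 10000n;
  const step = BigInt(stepMs) * 10000n;
  const out = [];
  for (let t = p.ticks - span; t <= p.ticks + span; t += step) {
    out.push(buildUuidV1(t, p.clockSeq, p.nodeHex));
  }
  return out;
}

console.log(parseUuidV1(PAGE_UUID));
console.log(candidateIds(PAGE_UUID, 1, 1)); // one ms before, the known ID, one ms after
```

Run as-is, parseUuidV1 reports version 1, a creation time of 2018-10-02T16:20:20.257Z and node 0e:df:00:54:9f:0a for the ID on the page; rebuilding from those fields gives the original string back. The practical check this enables is whether two accounts created a few seconds apart on the same host get IDs that differ only in the time field; if they do, a v1 UUID is an enumeration target, not a secret, and an IDOR on it needs an authorization check rather than a less guessable ID.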

Saad Ahmed
