Mostafa Alrefai

78 posts

@__the7th

All Thanks To My God - Praise be to God

Joined August 2022
1 Following, 654 Followers

Mostafa Alrefai @__the7th
🧵Bug Bounty Diaries ( D6 ) It's still a VDP, but the chain was EPIC => From CSTI (Client-Side Template Injection) to XSS Gadget + WAF Bypass => From XSS to CSP Bypass => From CSP Bypass to fetch requests => From fetch requests to Cookie hijacking

Mostafa Alrefai @__the7th
🧵Bug Bounty Diaries ( D5 ) Stored-XSS in the user's first and last name fields. This was an old bug in a public bug bounty program, and it could be escalated to exfiltrate user cookies...

Mostafa Alrefai @__the7th
I wanted to add some information about Exploit 1. After testing the exploit on live targets and a local lab, I validated that the XSS payload will work only if it is a DOM-Based Open Redirect, and if it were a Server-Based Open Redirect, the browser will stop the XSS from running

Quoted post from Mostafa Alrefai @__the7th:

🧵Bug Bounty Diaries ( D4 ) How to escalate an "Open Redirect" from P5 to P3 or P1 Yesterday, I found an Open Redirect in a public VDP, and I wanted to teach you the exploitation process that you should take before reporting the bug as a P5 ... thread...


Mostafa Alrefai @__the7th
@VAG33K You can bypass authentication and authorization checks using Match & Replace rules, if it is done on the client side only.

Mostafa Alrefai @__the7th
🧵Bug Bounty Diaries ( D3 ) This was an EPIC hack... TTMG. In this report, I was able to combine 2 vulnerabilities to bypass the login page of an admin portal and log in as an admin, without any username or password. Maybe more details in the future...

Mostafa Alrefai @__the7th
Sometimes, it just happens...

Mostafa Alrefai @__the7th
@Hoesenbug The popup appears when I inject the payload manually, or send the payload in an old browser.

Pluto @Hoesenbug
@__the7th But it will be encoded, hence no pop-up?

Mostafa Alrefai @__the7th
🧵The Bug Bounty Diaries... This is the first post of a New Series where I talk about bugs that I found in wild Bug Bounty Targets. This is a short story about a DOM-Based XSS that I found in a Private Bug Bounty Program, but it was unexploitable due to modern browser mechanisms.

Mostafa Alrefai @__the7th
🧵Bug Bounty Diaries ( D2 ) Today, I found my first "Prototype Pollution" vulnerability in the wild, but it can't be a valid bug to be reported on its own, so when you find a PP, you should dig deeper to combine it with a gadget in order to build a valid report...

Mostafa Alrefai reposted
Mostafa Alrefai @__the7th
@Hoesenbug You send the payload in the parameters part or the fragment part of the URL, to be a part of the document.URL source

Mostafa Alrefai @__the7th
Why can't we send the payload without URL-encoding? Because in modern browsers, when you send anything in the query part or the fragment part of the URL, the browser should URL-encode it automatically, and this will prevent the attack from being successful.

Mostafa Alrefai @__the7th
DOM-Based XSS is all about (Source + Sink). In this case, the sink was `document.write` and the source was `document.URL`. The problem is that the attack will only be valid if the payload was sent to the sink without URL encoding, as you can see from the "alert box" in the screenshot.

Mostafa Alrefai @__the7th
[*] Bug Bounty Skills... (More Parameters = More Vulnerabilities) Did you know that there are 4 types of discovery techniques: 1. Website Crawling (Active) 2. Hidden Parameter Fuzzing (Active) 3. JavaScript Mining (Passive) 4. Searching Public Archives (Passive) 🧵Thread...

Mostafa Alrefai @__the7th
Building "AI Hacking Agents" from pure Python...