Privilege Escalation: Privilege escalation happens when an attacker exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to system resources that should normally be unavailable to any unauthorized user.


Hi Infosec Community,

I hope everyone is fine and hitting hard on the applications. I encountered a privilege escalation issue, so let’s discuss it.

I was hunting on a private program and started with subdomain enumeration with Subfinder.

After that, I ran Waybackurls on output_file.txt.

I was…

What is Broken Link Hijacking?

Websites often present buttons that are hyperlinked to external services, such as social network buttons; on clicking those links, the user is redirected to the company's social media profiles.

Broken link: Sometimes these links are broken. Each link carries a profile ID that identifies the person's profile or company page you are visiting, but the profile does not exist or the page is not found.

Hi BountyHunters,

I recently found a Broken Link Hijacking issue, so let’s discuss it and get started.

If you enjoy reading my…

Cross-Site Scripting (XSS) allows an attacker to inject malicious JavaScript code into a web application through its parameters, and can be escalated further to perform attacks such as cookie stealing, session hijacking, etc.

Types of XSS:

  • Reflected XSS
  • Stored XSS
  • DOM Based XSS

How it all started?

I recently got an invite for a private program on Bugcrowd, and I immediately went through the details and found that all the subdomains are in scope.

So, I went further and started enumerating the subdomains using various tools:

amass, sublist3r, subfinder, findomain-linux, …

CVE Description

The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.


I was performing Recon on the target

My Recon Steps:

  1. Parameter mining on using paramspider and checking for open redirect, SSRF, XSS on the parameters mined

  2. Subdomain enumeration using sublist3r, assetfinder, amass …

Back with another writeup. In this one I will discuss how easy it is to hunt for CVE-2020-3187 and CVE-2020-3452, and what steps are involved.

NOTE: For this we need to focus on subdomains of targets which are running Cisco VPN.

Let’s Start

Finding Subdomains: Sublist3r, AssetFinder, Amass

I simply used the above tools to find the subdomains and saved the entire result in a .txt file.

Now extract the subdomains that have the VPN keyword in them.

Example: ,

So, on visiting these kinds of subdomains I got

Now, Reload the…

I found a CSRF issue in the password change functionality on one of the private programs.

So, before this issue I reported 3 bugs to the same program.

Let’s have a look at how I found this, although it was very easy.

Let’s consider the website as

So, I made two testing accounts on the portal (Test1 and Test2, both having different passwords).

Using Test1: I visited the password change option to change the password of my current account just to capture the request in Burp and to see if CSRF tokens or any protection against CSRF is present or…

I recently started hunting on one program, and from the very first step of account creation I thought to hunt for XSS.

I was filling out the form for account creation on the website:

I checked whether I could inject special characters in the name field and saw that I could; there was no restriction on that.

So, I immediately inserted a basic XSS payload in the first name

Payload used: <script>alert("Paras")</script>

and created account.

Then I received an email for the account activation, after activating my account it got redirected to

and my XSS got executed.

How I hacked into an Admin Portal of a Tech Company last night?

The question is: why did I set out to hack this company's portal specifically?

So here’s the answer: In 2018 I hacked into the same company's portal, and after that they deployed a fix and I was like satisfied that the vulnerability was fixed.

With time comes knowledge and with knowledge comes change.

So, I decided to browse that company's web portal again and see if I could break into it.

WebPortal :

Directory busting led me to the admin login URL and I tried…

OTP Bypass | Second Factor Authentication (2FA) Bypass

Let’s come to the point directly.

Goal: Adding and verifying any phone number without providing OTP

Website name changed to :

I was enumerating a subdomain of i.e

I registered and made an account on this and was struggling to find something in this portal.

I found a feature for adding a phone number and thought to add my phone number, so I provided mine and verified the OTP, but I intercepted the response and analysed it.

Try1: I edited my phone number to my other phone number and again it…

How a lil enumeration helped me find a simple XSS in a search box.

Website name changed to

I was trying to find something on the main website but was not able to get anything good.

Then I started extracting the subdomains; the tool I used for subdomain listing is Sublist3r.

I found a subdomain and saw a search box, simply inserted <script>alert(1)</script> in the search box, and the payload executed.

Paras Arora

Social media: @parasarora06 , Penetration Tester | Application Security
