Privilege Escalation: Privilege escalation happens when an attacker exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to system resources that should normally be unavailable to any unauthorized user.
Hi Infosec Community,
I hope everyone is fine and hitting hard on the applications. I encountered a privilege escalation issue, so let's discuss it.
I was hunting on a private program and started with subdomain enumeration with Subfinder.
subfinder -d domain.com | httpx -o /output_file.txt
After that, I ran Waybackurls on output_file.txt.
cat output_file.txt | waybackurls > /wayback.txt
What is Broken Link Hijacking?
Often on websites we are presented with buttons that are hyperlinked to external services, such as social network buttons; on clicking those links the user is redirected to the social media profiles of the company.
Broken link: Sometimes the links are broken. There is always some profile ID identifying the profile of the person or company page you are visiting, but the profile does not exist or the page is not found.
I recently found a Broken Link Hijacking issue, so let's discuss it and get started.
Types of XSS:
How it all started?
I recently got an invite for a private program on BugCrowd and I immediately went through the details and found that all the subdomains are in scope.
So, I went further and started enumerating the subdomains using various tools:
amass, sublist3r, subfinder, findomain-linux, crt.sh …
I was performing Recon on the target example.com
My Recon Steps:
2. Subdomain Enumeration using sublist3r, assetfinder, amass …
Back with another writeup. In this one I will be discussing how easy it is to hunt for CVE-2020-3187 and CVE-2020-3452 and what steps are involved in it.
NOTE: For this we need to focus on subdomains of targets which are working on Cisco VPN.
Finding Subdomains: Sublist3r, AssetFinder, Amass
I simply used the above tools to find the subdomains and saved the entire result in a .txt file.
Now extract the subdomains which have the VPN keyword in them.
Example: vpn.example.com, vpn-us-east-1.example.com
So, on visiting these kinds of subdomains I got
Now, Reload the…
I found a CSRF issue on the password change functionality on one of the private programs.
So, before this issue I had reported 3 bugs to the same program.
Let's have a look at how I found this, although it was very easy.
Let's consider the website as example.com
So, I made two testing accounts on the portal (Test1 and Test2, both having different passwords).
Using Test1: I visited the password change option to change the password of my current account, just to capture the request in Burp and to see if CSRF tokens or any protection against CSRF is present or…
I recently started hunting on one program, and from the very first step of account creation I thought to hunt for XSS.
I was filling out the form for account creation on the website: https://www.example.com
I checked whether I could inject special characters in the name field or not and saw that I could; there was no restriction on that.
So, immediately I inserted a basic XSS payload in the first name
Payload used: <script>alert("Paras")</script>
and created the account.
Then I received an email for the account activation; after activating my account it got redirected to https://www.example.com/account
and my XSS got executed.
How I hacked into an Admin Portal of a Tech Company last night
The question is: why did I set out to hack this company's portal specifically?
So here's the answer: In 2018 I hacked into the same company's portal and after that they deployed a fix, and I was satisfied that the vulnerability was fixed.
“With time comes knowledge and with knowledge comes change.”
So, I decided to browse that company's web portal again and see if I could break into it.
WebPortal : https://www.site.com
Directory busting led me to the admin login URL and I tried…
OTP Bypass | Second Factor Authentication (2FA) Bypass
Let’s come to the point directly.
Goal: Adding and verifying any phone number without providing OTP
Website name changed to: Redacted.com
I was enumerating a subdomain of redacted.com, i.e. subdomain.redacted.com
I registered and made an account on it and was struggling to find something in this portal.
I got a feature for adding a phone number. I thought to add my phone number, so I provided mine and verified the OTP, but I intercepted the response and analysed it.
Try1: I edited my phone number to my other phone number and again it…
How a little enumeration helped me find a simple XSS in a search box.
Website name changed to redacted.com
I was trying to find something on the main website but was not able to get anything good.
Then I started extracting the subdomains, and the tool I used for listing subdomains is Sublist3r.
I found a subdomain blog.redacted.com and I saw a search box; I simply inserted <script>alert(1)</script> in the search box and the payload executed.