Posts

Stealing $10,000 Yahoo Cookies!

Hi, this is my second blog post. I recently started scripting in Python, so I decided to write a recon script to filter out, from tens of thousands of Yahoo subdomains, the domains that promise some content and are worth attacking first, since visiting each one of them doesn't seem feasible. It output https://premium.advertising.yahoo.com. Upon visiting it and taking a look at the intercepted requests, I saw that the page was interacting with API endpoints at https://api.advertising.yahoo.com using XmlHttpRequests and Cross-Origin Resource Sharing (CORS). If you don't know much about CORS, I would recommend visiting the Burp Blog. In a request to https://api.advertising.yahoo.com/services/network/whoami, I saw in the response a lot of headers I see all day while looking into Yahoo, which kind of freaked me out. It was reflecting all my request headers, such as `user agent`, `Accept`, and `Cookie`, as in the following screenshot. Also, any parameters in GET requests were also gett

XSS on Bugcrowd and So Many Other Websites' Main Domains

Hi all, this is my first blog post. I recently found a Reflected Cross-Site Scripting (XSS) vulnerability on the Bugcrowd main domain which had huge impact. Secret parameter: I was able to identify one secret parameter which was being used by the server to respond differently, and it gave up an error page showing `unable to find page 404 in locale <my input>`. This was pretty much at least XSS, and yes! Here is the POC video: This didn't only work on the 404 page but also on the homepage, for example `https://bugcrowd.com?locale=xss`. However, this parameter didn't seem to do anything else, so I immediately reported it to Bugcrowd. When I woke up in the morning, I came to know that this bug was actually in Locomotive CMS; Bugcrowd worked around it by handling that page at the router level to mitigate the impact. Knowing this, I immediately checked out Locomotive CMS, and their website was vulnerable too. So I went dorking for other websites using Locomotive CMS, and I have so ma