Stealing SSO Login Tokens
An attacker can steal SSO login tokens for snappublisher.snapchat.com by chaining different flaws in SSO and Snapchat's Snappublisher tool. Detailed attack flow is as follows.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/265943 | Authentication Bypass | $7500 |
Escalate Self-XSS to account takeover
Self-XSS that I escalated to an account takeover using site features in a public program.
| Url | Type | Bounty |
|---|---|---|
| https://script.hashnode.dev/self-xss-to-ato-via-site-features | Account Takeover | - |
Reflected XSS with WAF bypass
There is a reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ through the `utm_source` parameter. By using URL encoding I was able to bypass the WAF.
| Url | Type | Bounty |
|---|---|---|
| https://hackerone.com/reports/846338 | WAF Bypass | - |
XSS by uploading a file with JavaScript in its name
It's possible to get XSS using the file name `cv.pdf<img src=nothing onerror=alert("mczen")>`.
| Url | Type | Bounty |
|---|---|---|
| https://x.com/chux13786509 | File upload XSS | - |
Self-XSS to ATO via Site Features
Escalating Self-XSS to account takeover by creating a custom API.
| Url | Type | Bounty |
|---|---|---|
| https://script.hashnode.dev/self-xss-to-ato-via-site-features | Account Takeover | - |
Bypassing CSP via URL Parser Confusions
Bypassing the CSP `Content-Security-Policy: script-src 'none'`, a policy that should mean no script execution at all.
| Url | Type | Bounty |
|---|---|---|
| https://infosecwriteups.com/bypassing-csp-via-url-parser-confusions-xss-on-netlifys-image-cdn-755a27065fd9 | CSP Bypass | - |