Microsoft outlook stored XSS write-up ($3000)

Staying home is really nightmare for me and I am so boring to learn new things. So, I decided to write a writeup about how I found stored XSS in Micorsoft outook and got some bounty $3000. I stopped hunting bugs since last 3 years ago after I got some bounty from Yahoo, Tumblr ..etc. … Continue reading Microsoft outlook stored XSS write-up ($3000)

PostMessage vuln, what is it?

Nowadays JavaScript becomes very popular and application can write with only JavaScript. I want to share about exploiting websocket vulnerability and how to find them that I learned last 4 years ago during preparing to pass eWPT. In order to understand about exploiting websocket vulnerability we need to know how browsers interact with pages and … Continue reading PostMessage vuln, what is it?

Lesser Known Web Attack(LKWA) Walk-through

0x0A - Introduction I created LKWA lab for security enthusiastic that can test varieties of lesser known web attack such as Cross-Site Script Inclusion(XSSI), PHP Object Injection(simple injection, via cookies, object reference), PHAR Deserialization, SSRF and variables variable. You can download it from here. This blog post is for only walk-through, if I have more … Continue reading Lesser Known Web Attack(LKWA) Walk-through