mastomi.id

Full Local File Read via Error Based XXE using XLIFF File

Some information in this post, such as the target URL, endpoint, and several others, was modified to protect the privacy of the program. I like finding bugs in apps that have a lot of features. T...

SSRF in PDF Renderer using SVG

Some information in this post, such as the target URL, endpoint, and several others, was modified to protect the privacy of the program. Some time ago, I had the opportunity to do bug hunting...

From Git Folder Disclosure to Remote Code Execution

A few moments ago I did bug hunting activities in one of the private programs on Bugcrowd. As usual, the hunting process began with recon and enumeration. The hunting process is carried out on thi...

From Unvalidated Redirect and Parameter Tampering to Account Takeover

In this simple write-up, I would like to tell how I found an Account Takeover vulnerability with a unique method. There's no special or unique bypass involved; I just tried to find another exploitation wa...

How I accidentally found Bug in Google Search Console

In this simple write-up, I would like to tell how I found an Access Control bug in the Google Search Console application, where I can get information related to the domain that I added to the appli...

XSS to Account Takeover - Bypassing CSRF Header Protection and HTTPOnly Cookie

When doing bug hunting and finding a Stored XSS bug, the thought of a big enough bounty will usually start spinning around in your head. But sometimes that imagination fades when we tr...

Exploiting Cookie Based XSS by Finding RCE

When doing penetration testing on this target, I collaborated with YoKo Kho to get the highest privileges. In this paper, you may find a little similarity with his trick. But in the real case, what we w...

AWS Metadata Disclosure via "Hardcoded Host" Download Function

Sometimes, when visiting a website, we find a link to download files from that site. The downloaded file can be a guide, tutorial, or another document. When hunting private programs on Bugcrowd,...