In this article, I detail the discovery of a critical web cache poisoning vulnerability in websites hosted on HubSpot CMS, which had the potential for widespread watering hole attacks. By exploiting how media files were cached and served, I demonstrated how attackers could replace legitimate content with malicious files, affecting over 100,000 websites. The vulnerability was responsibly disclosed to HubSpot and subsequently patched. This research highlights the importance of understanding web cache behavior and exploiting secondary contexts in web applications.
In this write-up, I share how I was able to chain a Blind XSS on the admin side with a CSRF vulnerability to achieve code injection, allowing for full control over a website's content. By exploiting a suggest edits feature on a documentation platform, I bypassed filters, triggered XSS, and escalated the attack to gain administrative privileges, leading to potential site defacement and more. After responsibly reporting the issue, the vulnerability was patched, and a bounty was awarded.
In this write-up, I describe how I discovered and exploited a flaw in the OAuth implementation of a company's staging and production environments. By manipulating the 'referer' parameter in OAuth requests, I successfully logged into a victim’s account using an attacker session. This exploit was made possible due to the reuse of JWT secrets across environments and the lack of email confirmation requirements. The vulnerability highlights the risks of staging environments and the importance of proper authentication and session management.
In this report, I detail a critical CSRF vulnerability in HackerOne’s Tray.io integration, which enables organizations to connect their bug bounty programs with third-party apps like GitHub and Jira. By exploiting a lack of CSRF protection, I demonstrated how an attacker could trick users into linking their third-party apps to the attacker’s HackerOne account. Additionally, the integration’s GraphQL API could be leveraged post-exploitation to perform unauthorized actions, such as accessing private GitHub repositories. Despite the severity, the bounty was reduced to 20% because of an unheard-of policy about third-party-related vulnerabilities.
In this article, I reveal a misrouting vulnerability that I uncovered while diving into Google Cloud Load Balancers connected to storage buckets—something that exposed thousands of websites to potential attacks. By crafting unconventional HTTP requests, I stumbled upon a flaw that reveals sensitive bucket names and opens the door for attackers to exploit load balancers in unexpected ways. Ever wonder how much damage can be done through a misconfigured cloud setup? Think data leakage, resource exhaustion, and sneaky redirections. Curious about how I pulled it off and the risks you might be overlooking? Read on to find out.