January 20, 2025

Purple Teaming: What Not to Do in OT & IoT Testing to Avoid Halting the Factory or Sinking the Oil Rig

Umair Ahmed, a Senior Security Engineer at HelloFresh, shares insights on pen-testing operational and IoT systems, emphasizing the importance of preparation, threat modeling, stakeholder alignment, and execution. He highlights the need for careful examination of systems to mitigate risks and ensure compliance while providing best practices for effective testing. Post-engagement, thorough reporting and follow-ups are essential for continuous improvement and vulnerability management.

October 22, 2024

From Staging to Full Admin Control In Prod: A Breakdown of Critical Authentication Flaws

In this blog, I explore a real-world case of an Admin Panel Takeover caused by broken authentication and insecure configurations. By exploiting a misconfigured JWT token from a staging environment, full administrative access was gained to a production system, exposing sensitive user data and critical application controls. This case study emphasizes the dangers of default credentials, unsecured staging environments, and improperly scoped tokens, providing key lessons in security hygiene and best practices to prevent such vulnerabilities.

October 14, 2024

AI Hijack: How I Took Control of an AI Assistant

Discover how a simple API key exposure led to the complete takeover of an AI assistant in production. This eye-opening security analysis reveals the critical vulnerabilities lurking in AI-powered applications and offers essential insights for developers and security professionals.

June 28, 2024

Finding Hidden Threats: How I Found Leaked AWS Credentials in an Android App API Using DAST

I found a critical vulnerability involving leaked AWS credentials within an Android App API during a bug bounty hunt by utilizing Dynamic Application Security Testing (DAST) and the Mobile Security Framework (MobSF) to uncover the vulnerability. This blog post provides a step-by-step guide for newcomers to set up their own testing environments and utilize MobSF.

August 18, 2023

Bug Bounty Blueprint: A Beginner’s Guide

This guide is a must-read for beginners to dive into Bug Bounty Hunting. It provides foundational skills, tips, tools, and resources for Bug Bounty Hunters. I’ve covered various aspects including vulnerabilities and learning resources. Are you ready to embark on your Bug Bounty adventure?