
A blind time-based SQL injection vulnerability was discovered in a file upload parameter: the application stored the uploaded filename directly in the database without sanitization or parameterization. The vulnerability was exploited by injecting SQL sleep calls into the PDF filename and confirmed through response-time analysis, after getting past a misconfigured Cloudflare WAF.

Synack HackerOne Cloudflare Burp Scanner reefbr marcioalm joaomatosf CVE-2019-2725
jspin.re · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A walkthrough of exploiting a boolean-based SQL injection vulnerability via the User-Agent HTTP header to enumerate database version, table names, and columns, culminating in credential extraction from a MariaDB 10.1.21 instance.

MariaDB MySQL Oracle MicrosoftSQL fr0stNuLL
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A bug bounty hunter demonstrates a union-based SQL injection attack against a private company's web application, using ORDER BY enumeration to establish that the injected query returns 11 columns, then extracting the database version, current user and OS details and dumping table schemas via information_schema queries, with encoding tricks to get past filters.

Nur A Alam Dipu
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A subdomain takeover vulnerability in flock.co: newdev.flock.co was CNAMEd to cname.readme.io but no readme.io project had claimed that custom domain. Because readme.io did not verify domain ownership, the attacker registered a readme.io project with that custom domain and took control of the subdomain via the dangling CNAME record.

flock.com flock.co newdev.flock.co readme.io cname.readme.io
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

SQL injection vulnerability discovered in a forgot-password function and exploited with time-based techniques. The author fingerprinted the backend (ASP.NET/MSSQL), triggered a query error with a single quote, injected a WAITFOR DELAY payload to confirm the injection, and used SQLMap to automate database extraction.

SQLMap Burp Suite ASP.NET MSSQL khaled gaber
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
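
The time-based confirmation used in both the PDF-filename write-up above and this forgot-password one, as an added example that is not code from either write-up. The upload handler is reconstructed from the description (filename spliced into an INSERT) next to its parameterized fix; SQLite has no SLEEP() or WAITFOR DELAY, so a Python sleep is registered as a stand-in SQL function, which is an assumption of this example. The detection helper shows the discipline the response-time analysis needs: a fresh baseline per trial and agreement across several trials before the finding counts.

```python
import sqlite3
import time

# Upload handlers reconstructed for illustration (not code from either write-up).
# Vulnerable: the filename is spliced into the INSERT as SQL text.
def store_upload_vulnerable(conn, filename):
    conn.execute("INSERT INTO uploads(name) VALUES ('" + filename + "')")

# Hardened: the filename is a bound parameter, so it can never become SQL.
def store_upload_safe(conn, filename):
    conn.execute("INSERT INTO uploads(name) VALUES (?)", (filename,))

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads(name TEXT)")
    # SQLite has no sleep primitive; register Python's sleep as a stand-in for
    # MySQL SLEEP(n) / PostgreSQL pg_sleep(n) / MSSQL WAITFOR DELAY '0:0:n'.
    conn.create_function("sleep", 1, time.sleep)
    return conn

def sleep_payload(delay):
    # Yields 'report.pdf'||sleep(0.2)||'' inside the statement: close the string,
    # run sleep inside a concatenation, reopen the string so the INSERT stays valid.
    return "report.pdf'||sleep(%s)||'" % delay

def timed(handler, conn, filename):
    start = time.perf_counter()
    handler(conn, filename)
    return time.perf_counter() - start

def confirm_time_based(handler, delay=0.2, trials=3):
    """Compare each payload request with a fresh benign baseline and report
    confirmed only if every trial shows the injected delay. One slow response
    is network jitter, not evidence."""
    conn = make_db()
    for _ in range(trials):
        baseline = timed(handler, conn, "report.pdf")
        injected = timed(handler, conn, sleep_payload(delay))
        if injected - baseline < delay * 0.9:  # tolerance for timer granularity
            return False
    return True

def stored_names(handler, filename):
    """What actually landed in the table for a given handler and filename."""
    conn = make_db()
    handler(conn, filename)
    return [row[0] for row in conn.execute("SELECT name FROM uploads")]

if __name__ == "__main__":
    print("vulnerable handler delays:", confirm_time_based(store_upload_vulnerable))
    print("safe handler delays:", confirm_time_based(store_upload_safe))
    print("safe handler stored:", stored_names(store_upload_safe, sleep_payload(0.2)))
```

The vulnerable handler sleeps and stores NULL (the concatenation with the function's NULL result swallows the name), the safe handler stores the payload verbatim and returns immediately. Against a live target, vary the delay (say 2 s, then 5 s) and check that the measured delta tracks it before reporting; a WAF in front of the application, as in the first write-up, can add its own latency that a single measurement will misread.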

Researcher demonstrates a subdomain takeover vulnerability on Starbucks by exploiting an unclaimed Azure Traffic Manager endpoint. The vulnerable subdomain had a CNAME pointing to a non-existent trafficmanager.net domain that could be registered without domain ownership verification, allowing complete control of the subdomain.

Starbucks Microsoft Azure Azure Traffic Manager wfmnarptpc.starbucks.com s00149tmppcrpt.trafficmanager.net Patrik Hudak
0xpatrik.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
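
A dangling-CNAME check covering both takeover patterns on this page, as an added example that is not code from either write-up: the Azure Traffic Manager case (the CNAME target no longer resolves at all) and the readme.io case (the target resolves to the provider's shared edge and only the page body shows the custom domain is unclaimed). The DNS records and HTTP bodies are constructed for the example under example.test names, and the readme.io fingerprint string is an assumption; real fingerprints change and should be taken from a maintained list.

```python
# Providers where a dangling CNAME can be claimed by a third party, and how an
# unclaimed target shows up. Fingerprint text below is an assumption for this example.
TAKEOVER_RULES = {
    "trafficmanager.net": ("nxdomain", None),  # profile name is free: target does not resolve
    "readme.io": ("fingerprint", "Project doesnt exist... yet!"),  # resolves; body says unclaimed
}

def resolve_chain(name, lookup, max_hops=8):
    """Follow CNAMEs using lookup(name) -> ("CNAME", target) | ("A", ip) | None.
    Returns (cname_targets, final_record); final_record None means NXDOMAIN."""
    targets = []
    for _ in range(max_hops):
        record = lookup(name)
        if record is None:
            return targets, None
        rtype, value = record
        if rtype != "CNAME":
            return targets, record
        targets.append(value)
        name = value
    raise ValueError("CNAME chain too long at %s" % name)

def provider_for(host):
    for suffix, rule in TAKEOVER_RULES.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, rule
    return None

def check_takeover(subdomain, lookup, fetch_body):
    """Return (provider, dangling_target) when the subdomain looks claimable, else None."""
    targets, final = resolve_chain(subdomain, lookup)
    for target in targets:
        found = provider_for(target)
        if found is None:
            continue
        provider, (kind, marker) = found
        if kind == "nxdomain" and final is None:
            return provider, target
        if kind == "fingerprint" and final is not None and marker in fetch_body(subdomain):
            return provider, target
    return None

# Constructed DNS and HTTP data standing in for a real resolver and HTTP client.
DNS = {
    "newdev.example.test": ("CNAME", "cname.readme.io"),
    "cname.readme.io": ("A", "198.51.100.10"),
    "wfm.example.test": ("CNAME", "old-profile.trafficmanager.net"),  # target absent: NXDOMAIN
    "www.example.test": ("CNAME", "live-profile.trafficmanager.net"),
    "live-profile.trafficmanager.net": ("A", "203.0.113.5"),
    "old.example.test": ("CNAME", "gone.example.org"),  # dangling, but no known provider
}
BODIES = {
    "newdev.example.test": "<h1>Project doesnt exist... yet!</h1>",
    "www.example.test": "<h1>Welcome</h1>",
}

def scan(names):
    return {n: check_takeover(n, DNS.get, lambda host: BODIES.get(host, "")) for n in names}

if __name__ == "__main__":
    for name, result in scan(DNS).items():
        print(name, "->", result or "no takeover indicator")
```

The unknown-provider case (old.example.test) is deliberately left unflagged: a dangling CNAME only becomes a takeover when the provider lets anyone register the target name without proving ownership of the domain pointing at it, which is exactly the property both write-ups exploited. On real targets, replace `DNS.get` with a resolver call and `fetch_body` with an HTTP client that sends the Host header of the subdomain being tested.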

An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the 'chartID' parameter in a GraphQL request, disclosing chart names and data that should only be visible to the dashboard owner.

Facebook Analytics Sarmad Hassan CVE not assigned
bugreader.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A security researcher bypassed 2FA/OTP on an Indian travel service provider by brute-forcing a 4-digit OTP without rate limiting, using Burp Suite's intruder to test all 10,000 possible combinations and obtain a valid login token.

Akash Agrawal Burp Suite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
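
The OTP sweep described above and the controls that stop it, as an added example that is not code from the write-up or the provider it concerns. The vulnerable verifier is the one the report implies (no attempt limit, no expiry, no single use); the hardened one bounds guesses per issued code, expires it, consumes it on success and compares in constant time. Attempt limit and lifetime values are assumptions chosen for the example.

```python
import hmac
import secrets
import time

def generate_code(digits=4):
    """Uniformly random, zero-padded numeric code."""
    return "%0*d" % (digits, secrets.randbelow(10 ** digits))

class OtpVerifierVulnerable:
    """No attempt limit, no expiry, no single use: 10,000 guesses always win."""
    def __init__(self, code):
        self.code = code

    def verify(self, guess):
        return guess == self.code

class OtpVerifierHardened:
    """Bounded attempts per issued code, short lifetime, single use, constant-time compare."""
    def __init__(self, code, max_attempts=5, ttl_seconds=300, clock=time.time):
        self.code = code
        self.max_attempts = max_attempts
        self.clock = clock
        self.expires_at = clock() + ttl_seconds
        self.attempts = 0
        self.consumed = False

    def verify(self, guess):
        if self.consumed or self.clock() > self.expires_at:
            return False
        if self.attempts >= self.max_attempts:
            return False  # locked: even the right code is refused from here on
        self.attempts += 1
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.consumed = True
            return True
        return False

def brute_force(verifier, digits=4):
    """Intruder-style sweep over the whole code space.
    Returns (code_found_or_None, requests_sent)."""
    for n in range(10 ** digits):
        guess = "%0*d" % (digits, n)
        if verifier.verify(guess):
            return guess, n + 1
    return None, 10 ** digits

def expected_requests(digits=4):
    """Average requests to hit a uniformly random code with an unlimited sweep."""
    return (10 ** digits + 1) / 2

if __name__ == "__main__":
    code = generate_code()
    print("vulnerable:", brute_force(OtpVerifierVulnerable(code)))
    print("hardened:", brute_force(OtpVerifierHardened(code)))
```

The attempt counter must live with the issued code (or the account or phone number), not with the client, so that re-requesting a code or rotating IP addresses does not reset it; a rate limit applied only per source address is the gap Burp Intruder walks through. With the counter in place, a 4-digit code survives because an attacker gets 5 of 10,000 guesses per issuance, and the remaining risk is the resend endpoint, which needs its own limit.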

A security researcher demonstrates how chaining a self-XSS vulnerability with clickjacking (UI redressing) can lead to session hijacking by exploiting missing X-Frame-Options headers to trick users into dropping malicious JavaScript that exfiltrates their cookies.

Armaan Pathan InfoSec Write-ups HackerOne Bugcrowd Rahul Maini
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A reflected XSS vulnerability was discovered in a private program where URL parameters prefixed with 'utm_' were reflected without encoding in a JavaScript context. The breakthrough came from fuzzing parameter names themselves rather than values—specifically injecting JavaScript payload directly into the parameter name (e.g., 'utm_foobarbaz\')<>') which bypassed encoding applied to parameter values.

Rahul Maini
noob.ninja · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A writeup demonstrating exploitation of a JSON CSRF vulnerability by bypassing anti-CSRF token validation with a method-override technique: the state-changing PUT request, which was token-checked, was replaced by a cross-origin POST carrying a method-override header, which the server honoured without applying the same token validation.

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

Researcher discovered a reflected XSS vulnerability on Yahoo Finance mobile version by bypassing a filter that converted payloads to uppercase, using HTML character encoding (&#97;&#108;&#101;&#114;&#116;) to obfuscate the alert function and execute JavaScript.

yahoo.com finance.yahoo.com Samuel @saamux
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
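
Two encoding failures from the XSS entries above, as an added example that is not code from either write-up or its target: the Yahoo Finance filter that only uppercases (defeated by decimal character references, which contain no letters and are decoded by the HTML parser after the filter has run) and the utm_ reflection that encoded parameter values but not parameter names. Each vulnerable renderer is reconstructed from the description and sits beside a context-correct encoder; the templates, the toy attribute parser and the `tracker.set` script shape are assumptions for the example.

```python
import html
import json
import re

# --- Attribute context: an uppercasing "filter" versus real output encoding ---
def uppercase_filter(value):
    """The filter described in the write-up: it only uppercases the input."""
    return value.upper()

def render_attr_vulnerable(value):
    return '<input value="%s">' % uppercase_filter(value)

def render_attr_safe(value):
    # Encode for the attribute context: & " ' < > become entities, so nothing can close the quote.
    return '<input value="%s">' % html.escape(value, quote=True)

def attributes_as_parsed(markup):
    """Toy model of the HTML parser: attribute names are case-insensitive and
    character references in attribute values are decoded before any script sees them."""
    return {m.group(1).lower(): html.unescape(m.group(2))
            for m in re.finditer(r'(\w+)="([^"]*)"', markup)}

# --- Script context: parameter names and values both need JS string encoding ---
def render_tracking_vulnerable(params):
    """Inline script recording utm_* parameters; values are encoded, names are not."""
    calls = ["tracker.set('%s', %s);" % (name, json.dumps(value))
             for name, value in params.items() if name.startswith("utm_")]
    return "\n".join(calls)

def render_tracking_safe(params):
    """json.dumps both sides; '<' becomes \\u003c so no value can end the <script> block early."""
    calls = ["tracker.set(%s, %s);" % (json.dumps(name), json.dumps(value))
             for name, value in params.items() if name.startswith("utm_")]
    return "\n".join(calls).replace("<", "\\u003c")

if __name__ == "__main__":
    payload = '" onmouseover="&#97;&#108;&#101;&#114;&#116;(1)'
    print(attributes_as_parsed(render_attr_vulnerable(payload)))
    print(attributes_as_parsed(render_attr_safe(payload)))
    print(render_tracking_vulnerable({"utm_x');alert(1);//": "1"}))
    print(render_tracking_safe({"utm_x');alert(1);//": "1"}))
```

Uppercasing turns a plain `alert(1)` into `ALERT(1)`, which is not a function, but `&#97;&#108;&#101;&#114;&#116;` is all digits and survives unchanged; the browser decodes it to `alert` when it builds the event handler. The fix is not a better blocklist but encoding for the exact context the data lands in, applied to every reflected piece, names included.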

Security researcher discovered an authentication bypass on springboard.google.com that escalated to local file inclusion (LFI) on Google production servers, allowing reading of /proc files with admin privileges. The vulnerability was found through directory enumeration and subsequently patched; the researcher received a $13,337 bounty.

Google VRP springboard.google.com cloudsearch.google.com Omar Espino wfuzz domained masscan SecLists ESCAL8
omespino.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A writeup demonstrating how combining Self-XSS with CSRF vulnerability can be chained together to achieve Stored XSS. The attacker used CSRF to force a victim to change their profile name to malicious JavaScript payload, which executes when the victim or other users view the profile, bypassing the Self-XSS limitation through CSRF form submission.

Renwa Burpsuite XSSHunter xshunter.com
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

Google Docs lacks X-Frame-Options headers, allowing attackers to embed the voice typing feature in iframes on arbitrary sites and trick users into granting microphone access to record private conversations. The vulnerability was awarded a $2,337 bounty by Google.

Google Docs Raushan Raj Google VRP
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A researcher discovered a CSRF vulnerability in an e-commerce website where the form_key token lacked server-side validation, allowing attackers to add arbitrary addresses to victim accounts by removing the token from a PoC payload. The finding earned a $500 bounty.

Rajesh Ranjan Bugcrowd form_key
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A researcher discovered a stored XSS vulnerability on a payment processing form by bypassing input filters that blocked angle brackets and parentheses. The payload used HTML event attributes (OnMouseOver) with backtick-based function calls to execute JavaScript when a user interacts with the input field.

Prial Islam Khan
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A researcher discovered a CSRF protection bypass on IBM's account management endpoint by defeating its Referer header validation. The endpoint changed the user's email address via a GET request and checked only that the Referer contained the IBM URL, so placing the IBM URL in the path of a page on an attacker's domain satisfied the substring check.

IBM Mohamed Sayed
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
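
One request guard that closes the three CSRF gaps described above (the method-override bypass, the form_key that was never validated server-side, and the substring Referer check), as an added example that is not code from any of the write-ups or their targets. The substring check is reconstructed from the IBM description; the trusted host list, header names and request shape are assumptions for the example.

```python
import hmac
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.example.test", "account.example.test"}  # assumed application hosts
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def referer_check_vulnerable(referer):
    """Substring check as in the IBM write-up: the trusted URL placed in an
    attacker page's path passes it."""
    return "www.example.test" in (referer or "")

def referer_check_strict(origin, referer):
    """Prefer Origin, fall back to Referer, and compare the parsed hostname exactly."""
    source = origin if origin and origin != "null" else referer
    if not source:
        return False  # fail closed: no source header, no state change
    try:
        host = urlsplit(source).hostname
    except ValueError:
        return False
    return host in TRUSTED_HOSTS

def effective_method(request):
    """The method the framework will dispatch once an override header is honoured."""
    method = request["method"].upper()
    override = request["headers"].get("X-HTTP-Method-Override")
    if method == "POST" and override:
        method = override.upper()
    return method

def csrf_guard(request, session_token):
    """True if the request may proceed. Token and source checks apply to the
    effective method, so POST + X-HTTP-Method-Override: PUT is guarded like a PUT."""
    method = effective_method(request)
    if method not in STATE_CHANGING:
        return True  # GET and HEAD must never change state (the CVE-2017-5244 lesson)
    headers = request["headers"]
    token = headers.get("X-CSRF-Token") or request.get("form", {}).get("csrf_token")
    if not token or not hmac.compare_digest(token, session_token):
        return False  # a missing token is a failure, never a skipped check
    return referer_check_strict(headers.get("Origin"), headers.get("Referer"))

if __name__ == "__main__":
    forged = {"method": "POST", "form": {},
              "headers": {"X-HTTP-Method-Override": "PUT", "Origin": "https://attacker.test",
                          "Content-Type": "text/plain"}}
    print(effective_method(forged), csrf_guard(forged, "s3ss10n"))
```

A cross-origin HTML form can send a POST with a text/plain body that is valid JSON, so checking Content-Type alone does not stop JSON CSRF; the token is what stops it, and the token check must run for every method that mutates state, whichever header the method arrived in. Comparing the parsed host rather than searching for a substring also defeats `www.example.test.attacker.test`, the other classic way past a loose Referer check.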

A security researcher exploited missing X-FRAME-OPTIONS headers on API endpoints that exposed sensitive user data (credit card, email, address) by creating a clickjacking attack that tricked users into copying and pasting API responses via an invisible iframe, earning $1800 in bug bounty rewards.

Osama Avvan Bugcrowd
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A stored XSS vulnerability in a HackerOne program where a refclickid URL parameter is unsanitized and stored in Set-Cookie headers, then later reflected in JSON responses within script tags, allowing attackers to inject arbitrary JavaScript that executes on victim browsers.

Arbaz Hussain HackerOne
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

Researcher discovered a clickjacking vulnerability on Binary.com's ticktrade subdomain, which lacked X-Frame-Options protection, then bypassed the initial JavaScript frame-busting patch with an HTML5 sandboxed iframe: the sandbox attribute granted allow-scripts, allow-forms and allow-same-origin but not allow-top-navigation, so the frame-busting script still ran but could not redirect the top-level window.

Binary.com Binary Ltd ticktrade.binary.com Ameer Assadi
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A researcher discovered a chain vulnerability in a third-party OneDrive integration by exploiting loose redirect_uri path validation in OAuth flow combined with a CSRF-enabling testCallback API endpoint, allowing theft of authorization codes and access tokens without user consent.

OneDrive Microsoft Live Login HackerOne
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
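
The redirect_uri half of the OneDrive chain above, as an added example that is not code from the write-up or the integration it concerns. The loose prefix match is reconstructed from the description of "loose redirect_uri path validation"; the registered URI and the traversal payload are assumptions for the example. The third function resolves dot-segments the way a browser does, to show which endpoint on the trusted host would actually receive the authorization code.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed client registration for this example.
REGISTERED_REDIRECT_URIS = {"https://app.example.test/oauth/callback"}

def redirect_uri_ok_loose(uri):
    """Prefix match: the loose path validation the write-up describes (reconstructed)."""
    return any(uri.startswith(registered) for registered in REGISTERED_REDIRECT_URIS)

def redirect_uri_ok_strict(uri):
    """Exact string comparison against the registered set, as RFC 6749 section 3.1.2.3 requires."""
    return uri in REGISTERED_REDIRECT_URIS

def where_browser_lands(uri):
    """Resolve dot-segments the way a browser or a normalising front end would."""
    parts = urlsplit(uri)
    path = posixpath.normpath(parts.path) if parts.path else "/"
    return "%s://%s%s" % (parts.scheme, parts.netloc, path)

def classify(uri):
    return {"loose": redirect_uri_ok_loose(uri),
            "strict": redirect_uri_ok_strict(uri),
            "lands_on": where_browser_lands(uri)}

if __name__ == "__main__":
    for uri in ["https://app.example.test/oauth/callback",
                "https://app.example.test/oauth/callback/../../redirect?next=https://attacker.test",
                "https://app.example.test/oauth/callback.attacker"]:
        print(uri, classify(uri))
```

Any page under the trusted host that the prefix check lets through becomes the landing point for the code; if that page is an open redirect or leaks its URL through a Referer header, the code reaches the attacker, which is the step the write-up then combines with the CSRF-able callback endpoint. Exact matching of the full registered URI leaves no such surface.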

Reflected XSS vulnerability in Microsoft SharePoint's Follow feature (CVE-2017-8514) where the SiteName GET parameter is unsanitized and reflected into a JavaScript function call context, allowing attackers to break out of single quotes and inject arbitrary code via payloads like '-confirm("Xss")-'.

CVE-2017-8514 Microsoft SharePoint Adesh Kolte Microsoft
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A CSRF vulnerability in Microsoft's Service Trust Portal allowed unauthorized addition of user roles due to missing CSRF token validation on the AddUserRole endpoint. The researcher successfully exploited this to add users with arbitrary roles and received a $500 bounty.

Microsoft Service Trust Portal Adesh Kolte SecureLayer7 Microsoft Security Response Center
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A CSRF bypass technique that chains cross-frame scripting with CSRF by exploiting a server behavior where removing the CSRF token from a request causes the server to echo back form values with a new valid token, which can then be submitted via clickjacking to execute unauthorized actions.

HackerOne Burp Suite
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A bug bounty researcher discovered LDAP injection vulnerability in a registration form while attempting blind XSS exploitation. The server was passing unsanitized user input directly to LDAP directory operations, revealed through error messages about invalid directory pathnames.

XSS Hunter The WebApplication Hacker's Handbook Davide Tampellini
nc-lp.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
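
What the LDAP injection above looks like at the filter level, as an added example that is not code from the write-up or its target. The filter template, the directory entries and the toy filter evaluator are constructed for the example so the effect is visible without a server; the escaping function implements RFC 4515 section 3, which is the fix. The evaluator's habit of ignoring text after the first complete filter is an assumption about lenient servers, and it is precisely what the classic `*)(...` injection relies on.

```python
import re

_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")

def escape_ldap_filter(value):
    """RFC 4515 section 3: backslash, *, (, ) and NUL in an assertion value become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_filter_vulnerable(username):
    return "(&(objectClass=person)(uid=%s))" % username

def build_filter_safe(username):
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter(username)

# --- A toy directory so the effect is visible without a server ---------------
ENTRIES = [
    {"uid": "alice", "objectClass": "person"},
    {"uid": "bob", "objectClass": "person"},
    {"uid": "backup", "objectClass": "service"},
]

def _parse(s, i):
    """Recursive-descent parser for the (&...)(|...)(attr=value) subset of RFC 4515."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1

def _unescape(s):
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def _match(node, entry):
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    _, attr, pattern = node
    value = entry.get(attr)
    if value is None:
        return False
    pieces = [_unescape(p) for p in pattern.split("*")]  # an unescaped * is the only wildcard
    if len(pieces) == 1:
        return value == pieces[0]
    if not (value.startswith(pieces[0]) and value.endswith(pieces[-1])):
        return False
    pos = len(pieces[0])
    for piece in pieces[1:-1]:
        pos = value.find(piece, pos)
        if pos < 0:
            return False
        pos += len(piece)
    return True

def search(ldap_filter, entries=ENTRIES):
    """Evaluate the first complete filter; trailing text is ignored (assumed server leniency)."""
    node, _ = _parse(ldap_filter, 0)
    return [e["uid"] for e in entries if _match(node, e)]

if __name__ == "__main__":
    for user in ["alice", "*", "*)(uid=*))(|(uid=*"]:
        print(repr(user), search(build_filter_vulnerable(user)), search(build_filter_safe(user)))
```

The write-up found the bug through error messages about invalid directory names, which is the blind-XSS probe tripping the filter parser; the same probe against the escaped filter produces a search for a user literally named after the payload and no error, which is why a silent fix is worth confirming with the `*` wildcard rather than with parentheses alone.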

CVE-2017-5244 is a CSRF vulnerability in Metasploit Express, Community, and Pro editions (versions < 4.14.0) that allows attackers to stop all running tasks by tricking authenticated users into loading a malicious page, due to improper validation of anti-CSRF tokens and the use of GET requests for state-changing operations. The vulnerability was patched by enforcing POST-only requests with CSRF token validation.

CVE-2017-5244 Metasploit Rapid7 Mohamed A. Baset Seekurity Samuel Huckins
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A stored iframe injection vulnerability in a discussion forum was chained with a CSRF vulnerability in the email change feature to achieve account takeover of admin users. By injecting an iframe pointing to an attacker's server hosting a CSRF payload, viewing the forum automatically triggers the email change request from the victim's browser.

Rounak Dhadiwal Burp Collaborator PortSwigger AWS
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A clickjacking vulnerability in Telegram's web client allowed attackers to bypass frame-busting protections using sandboxed iframes and block CSS stylesheets via MITM attacks, enabling account compromise and unauthorized message sending. The vulnerability was fixed by Telegram implementing proper X-Frame-Options headers.

Telegram Mohamed A. Baset Seekurity Pavel Durov
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago

A clickjacking vulnerability in Facebook's AJAX endpoint (/ajax/home/generic.php) allowed attackers to iframe a resource lacking X-Frame-Options headers and submit forms to trick victims into adding the attacker to secret groups or performing other unwanted actions on Facebook resources.

Facebook Mohamed A. Baset Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 9 hours ago
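
The framing check that the clickjacking entries on this page (Google Docs voice typing, the API endpoints exposing card data, Binary.com, Telegram and the Facebook AJAX endpoint) all come down to, as an added example that is not code from any of the write-ups or their targets. It classifies a response from its headers alone, gives CSP frame-ancestors precedence over X-Frame-Options as browsers do, and treats the obsolete ALLOW-FROM value and malformed values as no protection; the header values in the usage below are constructed for the example.

```python
def framing_policy(headers):
    """Classify a response's framing protection from its headers alone.
    CSP frame-ancestors wins over X-Frame-Options when both are present."""
    h = {name.lower(): value for name, value in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "allowlist"  # only the listed origins may frame it
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        return "xfo-ignored"  # obsolete value; current browsers ignore it entirely
    if xfo:
        return "invalid"  # unknown or multiple values: browser-dependent, treat as unprotected
    return "none"

def framable_by_attacker(headers):
    """True when an unrelated origin can put this response in an iframe.
    JavaScript frame busting is not a header, so a page relying on it alone
    classifies as 'none' here: an attacker's sandbox="allow-scripts allow-forms"
    (no allow-top-navigation) lets that script run but not redirect the top window."""
    return framing_policy(headers) in ("none", "xfo-ignored", "invalid")

if __name__ == "__main__":
    samples = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.test"},
        "csp overrides xfo": {"X-Frame-Options": "SAMEORIGIN",
                               "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    for label, hdrs in samples.items():
        print(label, framing_policy(hdrs), framable_by_attacker(hdrs))
```

Apply this to every response that renders something a user can click, drag or copy, not just HTML pages: the card-data write-up above framed API endpoints, and the Facebook one framed an AJAX resource. For a page that must be embeddable by partners, `frame-ancestors` with the explicit partner origins is the only header that expresses that; ALLOW-FROM never did it portably.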