A researcher discovered a critical vulnerability chain in a multi-tenant business data management app: predictable, non-expiring invitation tokens with no signature protection allowed brute-forcing access to organizations, and, combined with a secondary issue that exposed pending admin invitations, this enabled full organizational takeover with minimal detection risk.
Uber's SSO system was vulnerable to authentication bypass through a combination of subdomain takeover (dangling CloudFront CNAME on saostatic.uber.com) and session cookie theft via shared cookies across *.uber.com subdomains. An attacker could relay CSRF tokens and steal the _csid session cookie from authenticated users, then impersonate them across all Uber subdomains by injecting the stolen cookie into their own login flow.
A critical CSRF bypass vulnerability in Facebook's ads management interface where the fb_dtsg token validation could be circumvented by manipulating the show_dialog_uri parameter and using double-encoding (%253F) to bypass the initial fix, allowing arbitrary account modifications like email changes and security setting alterations without proper CSRF protection.
A CSRF protection bypass technique achieved by converting a POST request with a valid _csrf token to a GET request and removing the token parameter, exploiting improper server-side validation that only checks tokens on POST requests. The attacker uses JavaScript to automatically redirect victims without user interaction.
A CSRF protection bypass achieved by chaining cross-frame scripting (XFS) with CSRF exploitation, where an attacker removes the CSRF token from a PoC, triggers a server response that includes a valid token, then embeds this within a clickjacking attack to auto-submit forms with attacker-controlled values.
A writeup demonstrating how to escalate a self-stored XSS vulnerability in an account profile field to steal credentials from other users by injecting a phishing form via iframe and exfiltrating login data to an attacker-controlled server.