A bug bounty hunter discovered a stored XSS vulnerability on m.uber.com that could be chained with an arbitrary cookie installation vulnerability on business.uber.com to steal oauth2 tokens and compromise any logged-in Uber user's account. The exploit involved injecting malicious cookies via unsanitized server responses and using the XSS payload to extract sensitive authentication cookies from victims.
A reflected XSS vulnerability in an OAuth2 redirect_uri parameter was escalated from simple alert injection to account takeover by extracting CSRF tokens from meta tags and automating admin user creation without authentication. The writeup demonstrates a practical methodology for showing XSS impact through functional exploitation rather than simple proof-of-concept.
Parevo Core is a modular Go library that consolidates authentication, multi-tenancy, and permission management (RBAC/ABAC) across common web frameworks and databases. It provides auth primitives (JWT, OAuth2, SAML, LDAP, WebAuthn), tenant isolation with SQL filters, and pluggable storage adapters for MySQL, Postgres, MongoDB, and Redis.