A bug bounty writeup demonstrating unrestricted file upload leading to RCE by bypassing extension filters through MIME type manipulation in GET parameters, chaining with PUT requests, and exploiting alternative PHP extensions (phps, php3, php5) that bypass .php filtering to execute arbitrary code.
A researcher bypassed file upload restrictions by manipulating MIME type parameters in GET/PUT requests, ultimately achieving RCE through uploading a PHP backdoor with an alternative extension (php5/php7) after initial PNG/JPG restrictions were enforced.
A researcher demonstrates escalating a subdomain takeover on impact.postmates.com (a GitHub Pages vulnerability) into session cookie theft by leveraging document.domain relaxation in the parent domain postmates.com, enabling account takeover despite the subdomain being out of scope. The technique exploits the fact that if the main domain explicitly sets document.domain, a compromised subdomain can set it to match and access sensitive cookies via JavaScript.
A researcher discovered a CSRF vulnerability in a user deletion module lacking CSRF tokens, combined with numeric user ID brute-forcing to delete all application users. The attack bypassed X-Frame-Options and origin validation by using iframe-targeted requests.