Hello everyone, first of all I want to thank you all for the 1K family, and I hope you are getting some knowledge from my blogs. I decided to write something interesting for 1K followers, and luckily I found this material for a blog on a vulnerability which I discovered in 2018.

Summary :

Remote code execution can be achieved in many different ways, and the easiest is when WebDAV is enabled and allows the PUT method.

What is WebDAV?

WebDAV stands for Web Distributed Authoring and Versioning, which is an extension of the Hypertext Transfer Protocol that allows clients to…


Summary :

PII stands for Personally Identifiable Information. It is data that can be used to identify a specific person, for instance your full name, social security number, taxpayer identification number, driver’s license number, PAN card number, mobile number, address, etc. Issues of this kind can breach the privacy of anyone on the internet.

Description :

I found this issue on one of the private programs on HackerOne, where it was leaking customer names and pending invoice amounts. …


Summary :

Server-Side Request Forgery (SSRF) attacks are used to target internal systems that sit behind firewalls and are not reachable from the external network. SSRF can be exploited to reach internally running services such as SSH, localhost-only services, FTP, Gopher, etc. In a typical SSRF attack, the attacker causes the server to make a connection to internal-only services within the organization’s infrastructure.

Description :

I found this server-side request forgery vulnerability on a private Bugcrowd program. The program had an option to upload documents, and there was no validation of the uploaded file type…


Summary :

Everyone knows what “Exif data” is. I found this Exif data vulnerability on my target website, where the server was not stripping the Exif data from uploaded images. Reporting an Exif data vulnerability is considered P4, and in some cases P3, as per Bugcrowd’s VRT. So I thought of raising the severity of the bug by converting it into a Cross-Site Scripting (XSS) attack. Using ExifTool I injected an XSS payload into an image, uploaded it to the website, and got XSS.

Now, in the normal case, Exif data has two categories, P3 and P4…


Summary :

XSPA is an abbreviation of Cross-Site Port Attack. In this attack, an application processes user-supplied URLs and does not verify or sanitize the back-end response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet-facing servers, intranet devices and the web server itself. The responses, in certain cases, can be studied to identify service availability (open ports, banner versions, etc.) and even to fetch data from remote services in unconventional ways.

It allows attackers…


Hello everyone, I would like to share one of my findings of a business logic error where I was able to abuse password functionality. I found this vulnerability on a private project I was working on.

Summary :

Business logic errors commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application’s functionality. However, many business logic errors exhibit patterns that are similar to well-understood implementation and design weaknesses.

Business logic vulnerabilities are ways of…


Hello everyone, I want to share one of my recent findings, for which I was paid $50 because it was the highest amount they were offering. I found an interesting account takeover using a JSON null value.

Summary :

A few days back I was hunting on a program where there was a normal signup option, but while logging into the application I had two different options:

  1. Login with Password
  2. Login with Token

So I chose “Login with Token” and, as normal behaviour, a token was sent to my email. At first I tried parameter pollution, but it…


I would like to share one of my unique findings about a bug called Duplicate Registration which led to Account Takeover. Using this bug it was possible to take over any account with the same username.

Summary :

Duplicate registration is when an application allows us to register or sign up with the same email address, username or phone number. It can have critical consequences depending on what kind of attack is performed.

I was looking for different bugs and just tried to register myself with the same email, but it didn’t work. So I tried to register myself with…


Summary :

I was invited to a private program on HackerOne, and there were so many domains in scope that I thought of testing some of them. On one of the domains I found this vulnerability, a Cross-Site Request Forgery which, when combined with an Insecure Direct Object Reference, made it possible to delete anyone’s account.

I was searching for different vulnerabilities on that domain and I saw that there are two different types of account you can register with:

  1. Open Source Account
  2. Trial Account

With a trial account you get a trial of 29 days, and you also have…


Hello everyone, I would like to share one of my recent findings on a Vulnerability Disclosure Program. It is about how I escalated a Local File Inclusion to Remote Code Execution using Log Poisoning.

What is RCE?

In basic words, Remote Code Execution is a vulnerability that allows attackers to access a system and read or delete its contents, make changes, etc.

What is LFI?

In basic words, Local File Inclusion is used by attackers to trick the web application into exposing or running files on the web server. It can lead to information disclosure, remote code…

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
