Published inInfoSec Write-upsRCE on a Laravel Private ProgramThe recent Laravel CVE enables remote attackers to exploit a RCE flaw in websites using Laravel. I’ve read the article about the…Feb 20, 20211Feb 20, 20211
Published inInfoSec Write-upsTaking down the SSO, Account Takeover in 3 websites of Kolesa due to Insecure JSONP CallHello, this post is about how I could take-over any account of Kolesa’s websites using Single Sign-On. There was an insecure JSONP call…Sep 28, 20201Sep 28, 20201
Published inInfoSec Write-upsStory of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear TextThis post is about how I and my friend got roughly 2500$ from Cafebazaar bug bounty program.Jul 2, 20202Jul 2, 20202
Published inInfoSec Write-upsBroken Authentication in Mobile ApplicationFew months ago I had a penetration test project of a mobile application. I found an interesting vulnerability which made me capable of…Apr 16, 2020Apr 16, 2020
Published inInfoSec Write-upsASIS CTF — ShareL WalkthroughHello, The reader of this walkthrough should know these topics:Nov 18, 20191Nov 18, 20191
Published inInfoSec Write-upsASIS CTF — Protected Area 1 & 2 WalkthroughHello, The reader of this walkthrough should know these topics:Nov 17, 2019Nov 17, 2019
Published inInfoSec Write-ups1-Click Account Takeover in Virgool.io — a Nice Case StudyHello, Virgool is a light, Iranian version of meduim.com, recently I found 1-click account takeover vulnerability in their product.Jun 27, 2019Jun 27, 2019
Published inInfoSec Write-upsDigging Android Applications — Part 1 — Drozer + BurpHello, in this post I’m going to solve the first section of Andrill:Jun 7, 20192Jun 7, 20192
Published inInfoSec Write-upsAndroid Hook — ASIS CTF Final 2018 — Gunshops Question WalkthroughThe participants were given an APK named GunShop.apk. Opening the APK in Android showed a login page. We went on analyzing the application.Nov 26, 2018Nov 26, 2018
Published inInfoSec Write-upsNodeJS SSRF by Design Flaw — ASIS Final 2018 — SSLVPN Challenge WalkthroughThe participants were given a URL, opening the URL led to a login page. The main idea of the challenge was exploiting an SSRF…Nov 26, 20182Nov 26, 20182
