www.1337.or.id
Search: csrf
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
Airlangga
10 February 2023
17.535 Views
The PHP Raw Widget dynamic.ooo widget php raw of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. Proof of Concept POST wp admin admin ajax.php HTTP 1.1 Host exam...
Reflected XSS on Xiaomi with KNOXSS
Ganesha
28 November 2022
22.615 Views
Xiaomi Bug Bounty Programs When we look at Xiaomi Bug Bounty Program, they accept every subdomains from mi.com and xiaomi.com .. images post d6b1f2098768 xiaomi 20writeup1.jpg And I start looking for a subdomain of mi.com with sublist3r .. images...
Reflected XSS on sgsg.samsung.com
Ganesha
27 November 2022
23.915 Views
Like I did before, I use Google Dorks, to find some interesting URLs. Google Dork site sgsg.samsung.com I found a very interesting URL, The HTTP response shows every value from the campu...
1337.or.id Vulnerability Disclosure Program
Ganesha
30 November 2022
23.161 Views
No technology is perfect, and 1337.or.id believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you...
How to Make a Good Bug Bounty Report
Ganesha
30 November 2022
22.316 Views
Report Title Include the type of vulnerability XSS, CSRF, XXE, SQLi, SSRF, etc . Include sub domain and or with directory path example.com Example of a good title Stored XSS at example.com Via Parameter Name Example of a bad title Stored XSS example.com Report fo...
Elementor < 3.4.8 - DOM Cross-Site-Scripting
Ganesha
21 November 2022
25.210 Views
The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross Site Scripting issue. The issue was initially fixed in 3.1.4, however re introduced in 3.2.0. action lightbox settings eyJ0eXBlIjoibnV...
Reflected XSS on UC Browser Website
Ganesha
05 December 2022
30.814 Views
When I m looking at Alibaba Bug Bounty Programs on HackerOne I am interest in the ucweb.com domain and starting recon. .. images post fb2400f5bb55 alibaba 20domain 20scope.jpg Until I found this URL structure ...
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
Ganesha
21 November 2022
32.770 Views
Security Team ChaMd5 disclose a Local File Inclusion vulnerability in phpMyAdmin latest version 4.8.1. And the exploiting of this vulnerability may lead to Remote Code Execution. usr bin env python import re, requests, sys check python major version if sys.version info.major 3...
Ganesha
27 November 2022
20.281 Views
httpstatus.io is an HTTP Status Code, Header Redirect Checker. For example, if we submit a URL Domain, httpstatus.io will check the HTTP Status Code, where the domain will be redirected if the HTTP Status Code is 301 302 etc. I try with ...
Microsoft says hackers attacking energy grids using decades-old software
Ganesha
25 November 2022
26.416 Views
Microsoft said this week that technology discontinued in 2005 is still being used widely and poses threats and vulnerabilities to power grids and the petroleum industry. Malicious hackers, according to the tech giant, are gaining access into secure networks and devices through common Internet of ...