www.1337.or.id

XSS on httpstatus.io

Ganesha   27 November 2022   21.814 Views
httpstatus.io is an HTTP Status Code, Header Redirect Checker. For example, if we submit a URL Domain, httpstatus.io will check the HTTP Status Code, where the domain will be redirected if the HTTP Status Code is 301 302 etc. I try with ...

$1.000 IDOR

Airlangga   12 December 2022   30.385 Views
Insecure direct object references IDOR are a type of access control vulnerability that arises when an application uses user supplied input to access objects directly. The term IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of many access control i...

Elementor < 3.4.8 - DOM Cross-Site-Scripting

Ganesha   21 November 2022   26.777 Views
The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross Site Scripting issue. The issue was initially fixed in 3.1.4, however re introduced in 3.2.0. action lightbox settings eyJ0eXBlIjoibnV...

Reflected XSS on UC Browser Website

Ganesha   05 December 2022   32.821 Views
When I m looking at Alibaba Bug Bounty Programs on HackerOne I am interest in the ucweb.com domain and starting recon. .. images post fb2400f5bb55 alibaba 20domain 20scope.jpg Until I found this URL structure ...

Reflected XSS on Xiaomi with KNOXSS

Ganesha   28 November 2022   24.222 Views
Xiaomi Bug Bounty Programs When we look at Xiaomi Bug Bounty Program, they accept every subdomains from mi.com and xiaomi.com .. images post d6b1f2098768 xiaomi 20writeup1.jpg And I start looking for a subdomain of mi.com with sublist3r .. images...

Reflected XSS on DomaiNesia

Ganesha   27 November 2022   24.354 Views
DomaiNesia is a company that serves domain name registration, Web Hosting, VPS, and others. I just found Reflected XSS Vulnerability at DomaiNesia s subdomain We required to upload an official document if buy a special domain, like ac. or. sch. etc. On the...

Stored DOM-based XSS on VPSServer.com

Airlangga   10 December 2022   32.090 Views
VPSServer.com is a company that sells Virtual Private Servers VPS . A virtual private server VPS is a virtual machine sold as a service by an Internet hosting service. The virtual dedicated server VDS also has a similar meaning. Now let me share how I found a Stored DOM based XSS Vulnerab...

Microsoft says hackers attacking energy grids using decades-old software

Ganesha   25 November 2022   27.898 Views
Microsoft said this week that technology discontinued in 2005 is still being used widely and poses threats and vulnerabilities to power grids and the petroleum industry. Malicious hackers, according to the tech giant, are gaining access into secure networks and devices through common Internet of ...

Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware

Ganesha   24 November 2022   21.810 Views
Security researchers have warned of a password theft epidemic after revealing that Russian groups are using off the shelf info stealing malware to devastating effect. Group IB said its analysis revealed 34 Telegram groups used by threat actors to organize their efforts, and that they d infected o...

Dynamic Content for Elementor < 1.9.6 - Authenticated RCE

Airlangga   10 February 2023   19.488 Views
The PHP Raw Widget dynamic.ooo widget php raw of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. Proof of Concept POST wp admin admin ajax.php HTTP 1.1 Host exam...

Paraminer: Finds hidden parameters.

Ganesha   29 November 2022   30.526 Views
Paraminer is a tool used to search for hidden parameters in a website Main Features GET Request POST Request Usage php paraminer.php u URL w WORDLIST .. images post 6941dbb5d020 64484851 74288d80 d242 11e9 89e5 cf937dd61541.png Link ...