The first ten minutes on a new JavaScript bundle
Opening a stranger's bundled JavaScript for the first time. What I grep for, in what order and why. A practical follow-up to why you should not skip JS files at all.
Read more →
Tag
web security
6 posts tagged with web security.
All15bug bounty12web security6recon4CVE4pentesting4mindset3WordPress2cybersecurity2career2SQLi2red team1SSRF1malware1RCE1
Stop skipping JavaScript files
Running automated scans while ignoring JavaScript files means missing the real gold. Here's how reading JS files led to full admin access on a HackerOne target.
Read more →
Two lines of defense that opened the door to SQL injection
Both lines were written for security. One added protection, the other removed it. How $wpdb->prepare() and stripslashes() combined into a critical SQL injection.
Read more →
DNS rebinding: turning blocked SSRF into internal access
How a well-timed DNS change can bypass SSRF filters and turn a blocked vulnerability into full internal network access.
Read more →
The uppercase letter that bypassed authorization
Sometimes a single case change in a URL path is enough to bypass 401/403 errors. Here's why this edge case works and when to test for it.
Read more →
The single quote that leaked database credentials
One character in a URL parameter exposed full database credentials and turned into a $2,000 double critical finding. Here's what happened.
Read more →