2023
31 Oct | Business Logic | Writeup | Severity: high
Hotel Booking Hack: Free Diamond Subscriptions & 12% Discounts
Reverse engineered the chained AES encryption, then swapped the payment_method parameter to obtain a diamond membership and a 12% discount without payment.
13 Jul | Mass Assignment | Writeup | Severity: critical
Database Dump via Mass Assignment Vulnerability
Bypassed the email-update restriction by passing email as an array, then triggered SQLi through the same vector to dump the entire MySQL database.
30 May | SQLi | Writeup | Severity: high
WAF Bypass → SQL Injection Database Dump
Spoofed the X-Forwarded-For header against an internal endpoint to bypass the WAF rules, then automated boolean-based SQLi with sqlmap.
12 Apr | Business Logic | Writeup | Severity: medium
Business Logic Error: Price Manipulation via Negative Quantity
Bypassed the salted-hash price validation by submitting a negative quantity, which made the backend calculate a reduced payment amount.
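Added example (Python), not code from the writeup or its target: a checkout that signs each line's price with a salted hash but trusts the client's quantity, beside a hardened version that re-derives prices from the server catalogue and accepts only positive integer quantities. The salt, catalogue, field names and prices are assumptions constructed for the demo.

```python
"""Price manipulation via negative quantity: vulnerable vs hardened checkout.

Illustration only; the salt, catalogue and request fields are constructed
for this example and are not taken from the writeup.
"""
import hashlib
import hmac
from typing import List

SERVER_SALT = b"constructed-demo-salt"  # assumed server-side secret (constructed)

# Assumed server-side catalogue; prices in cents (constructed sample data).
CATALOGUE = {
    "premium_plan": 4999,
    "gift_card_10": 1000,
}


def sign_price(item_id: str, price_cents: int) -> str:
    """Salted hash the client echoes back with each cart line. In the
    vulnerable handler this is the only integrity check, and it covers the
    price but not the quantity."""
    msg = f"{item_id}:{price_cents}".encode()
    return hmac.new(SERVER_SALT, msg, hashlib.sha256).hexdigest()


def _price_ok(line: dict) -> bool:
    expected = sign_price(line["item_id"], int(line["price_cents"]))
    return hmac.compare_digest(expected, str(line["price_sig"]))


def total_vulnerable(cart: List[dict]) -> int:
    """Verifies the signed price, then multiplies by whatever quantity the
    client sent. A negative quantity on one line subtracts from the total."""
    total = 0
    for line in cart:
        if not _price_ok(line):
            raise ValueError("price tampered")
        total += int(line["price_cents"]) * int(line["quantity"])
    return total


def total_hardened(cart: List[dict]) -> int:
    """Re-derives every price from the server catalogue, accepts only
    positive integer quantities, and refuses a non-positive total."""
    total = 0
    for line in cart:
        item = line["item_id"]
        if item not in CATALOGUE:
            raise ValueError(f"unknown item {item!r}")
        qty = line["quantity"]
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r}")
        total += CATALOGUE[item] * qty
    if total <= 0:
        raise ValueError("non-positive total")
    return total


def build_cart(plan_qty: int, gift_card_qty: int) -> List[dict]:
    """Builds the cart an attacker submits: every price signature is valid,
    only the quantities are chosen by the client."""
    cart = []
    for item_id, qty in (("premium_plan", plan_qty), ("gift_card_10", gift_card_qty)):
        price = CATALOGUE[item_id]
        cart.append({
            "item_id": item_id,
            "price_cents": price,
            "quantity": qty,
            "price_sig": sign_price(item_id, price),
        })
    return cart


if __name__ == "__main__":
    cart = build_cart(1, -4)  # one 49.99 plan, "minus four" 10.00 gift cards
    print("vulnerable total (cents):", total_vulnerable(cart))  # 999
    try:
        total_hardened(cart)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The signature proves the price was not edited; it says nothing about the arithmetic the price feeds into. Any value the client can choose (quantity, currency, coupon count) needs its own range check, and the total itself needs a sanity check before the payment provider sees it.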
30 Mar | ATO | Writeup | Severity: critical
Account Takeover via Session Storage Manipulation
Hijacked financial application accounts by injecting target user details into session storage, bypassing cookie-based auth entirely.
25 Mar | Misconfiguration | Writeup | Severity: high
MNC CMS: Authorization Bypass via Local Storage Role Manipulation
Discovered hidden signup endpoint, obtained JWT, then escalated from viewer to publisher by setting local storage role variables.
15 Feb | Writeup
Reversing Client-Side AES Encryption to Exploit APIs
Extracted hardcoded AES-CBC keys and IVs from CDN JS, decrypted API traffic, and chained with CAPTCHA bypass for mass account creation.
2021
01 Jul | API | Writeup | Severity: critical
API Misconfiguration → Mass PII Data Leakage
Combined response manipulation for admin privilege escalation with API key reuse to enumerate thousands of passenger PII records from a transport app.
19 May | SQLi | Writeup | Severity: high
Time-Based SQL Injection → Full Database Dump (Android App)
Bypassed SSL pinning on an asset tracking app, found time-based blind SQLi in a JSON parameter, and automated full PostgreSQL database dump with sqlmap.
08 May | Subdomain | Writeup | Severity: high
Massive Subdomain Takeover via Heroku — 20+ Subdomains
Used dnsx + subzy to enumerate 2000+ subdomains, identified 20+ unclaimed Heroku CNAME records, and confirmed takeover via curl response analysis.
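Added example (Python), not the author's tooling: the triage step that follows the dnsx and curl passes, classifying each probed host from its CNAME target and HTTP body. The Heroku zones and the "No such app" error-page text are real fingerprints; the hostnames, CNAMEs and bodies in the sample are constructed.

```python
"""Heroku dangling-CNAME triage over resolver + HTTP results.

Illustration only; the sample records are constructed and the hosts are
not real. Only the Heroku zone suffixes and the "No such app" page text
are real fingerprints.
"""
import re
from typing import List, Optional

# Zones Heroku hands out as CNAME targets (herokuapp.com for app hostnames,
# herokudns.com for custom-domain DNS targets).
HEROKU_ZONES = (".herokuapp.com", ".herokudns.com")

# Text of the error page Heroku serves when the target belongs to no app.
HEROKU_NO_APP = re.compile(r"no such app", re.IGNORECASE)


def heroku_target(cname: Optional[str]) -> Optional[str]:
    """Normalises a CNAME (trailing dot, case) and returns it if it points
    into a Heroku zone, else None."""
    if not cname:
        return None
    target = cname.strip().rstrip(".").lower()
    return target if target.endswith(HEROKU_ZONES) else None


def classify(record: dict) -> str:
    """Classify one probed host.

    record: {"host", "cname", "status", "body"} as collected by a resolver
    pass (dnsx) and an HTTP fetch (curl) over the candidate subdomains.
    Returns one of: no-cname, not-heroku, takeover-candidate, claimed.
    """
    if not record.get("cname"):
        return "no-cname"
    if heroku_target(record["cname"]) is None:
        return "not-heroku"
    if HEROKU_NO_APP.search(record.get("body") or ""):
        return "takeover-candidate"
    return "claimed"


def takeover_candidates(records: List[dict]) -> List[str]:
    """Hosts whose CNAME points at Heroku and whose response says no app
    owns that name."""
    return sorted(r["host"] for r in records if classify(r) == "takeover-candidate")


# Constructed sample of what dnsx + a curl pass might yield (not real hosts).
SAMPLE_RECORDS = [
    {"host": "old-app.example.com", "cname": "old-app-prod.herokuapp.com.",
     "status": 404, "body": "<!DOCTYPE html><title>No such app</title><h1>No such app</h1>"},
    {"host": "shop.example.com", "cname": "shop-1234.herokudns.com",
     "status": 200, "body": "<html>Welcome to the shop</html>"},
    {"host": "blog.example.com", "cname": "example.github.io",
     "status": 404, "body": "There isn't a GitHub Pages site here."},
    {"host": "www.example.com", "cname": None, "status": 200, "body": "ok"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['host']:<22} {classify(rec)}")
    print("candidates:", takeover_candidates(SAMPLE_RECORDS))
```

A fingerprint match only nominates a host. The proof is the step the writeup describes: register the unclaimed app name in a test account, attach the domain, and fetch the host again to see your own content come back.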
07 Apr | RCE | Writeup | Severity: critical
File Upload → RCE via PHP Webshell (Career Page)
Discovered the uploads directory via dirsearch, bypassed the frontend file validation to upload a PHP webshell, and established a reverse shell via ngrok.
10 Mar | Tool / Lab
iOS Pentesting: Jailbreaking iPhone & Dynamic Analysis Lab Setup
Step-by-step guide: checkra1n/unc0ver jailbreak, Cydia, Frida, AppSync, Burp Suite certificate installation, and SSH via OpenSSH on iPhone 6.
05 Mar | RCE | Writeup | Severity: critical
RCE via File Upload: Content-Type Bypass with p0wny Shell
Bypassed the extension whitelist by changing Content-Type to image/gif, uploaded a PHP reverse shell, then pivoted to a p0wny shell when outbound TCP was blocked.
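Added example (Python), not code from any of the upload writeups on this page: an upload check that lets the client-supplied Content-Type decide, beside one that allowlists the extension, verifies the file's magic bytes against it, and stores under a server-generated name. The allowlist, magic table and sample payloads are constructed assumptions.

```python
"""File upload validation: trusting Content-Type vs checking the bytes.

Illustration only; the allowlist, magic-byte table and sample uploads are
constructed for this example and not taken from the writeups.
"""
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif", "application/pdf"}

# Leading bytes of the accepted formats (assumed sufficient for this demo).
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
)


def accept_vulnerable(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Mirrors the weak check: the client-supplied Content-Type decides and
    the client's filename is kept. 'shell.php' declared as image/gif passes
    and lands on disk with its .php extension."""
    if content_type not in ALLOWED_MIME:
        return None
    return filename


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _sniff(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def accept_hardened(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Extension must be allowlisted, the file's leading bytes must match
    that extension, and the stored name is server-generated. content_type
    is deliberately ignored: the client controls it, so it proves nothing."""
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return None
    ext = "jpg" if ext == "jpeg" else ext
    if _sniff(data) != ext:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
GIF_PHP_POLYGLOT = b"GIF89a" + PHP_SHELL          # valid GIF header, PHP body
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    print("vulnerable:", accept_vulnerable("shell.php", "image/gif", PHP_SHELL))
    print("hardened:  ", accept_hardened("shell.php", "image/gif", PHP_SHELL))
    print("polyglot as .php.gif ->", accept_hardened("shell.php.gif", "image/gif", GIF_PHP_POLYGLOT))
```

The rename is what defeats the polyglot and double-extension variants: a GIF89a-prefixed PHP body uploaded as shell.php.gif is accepted as an image, but it is written as <random>.gif, so nothing the attacker chose reaches the filename the web server interprets. Serve the directory without script execution and with X-Content-Type-Options: nosniff to close the remaining browser-side angle.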
17 Feb | ATO | Writeup | Severity: high
Account Takeover via Login Response Manipulation
Used Burp Suite's intercept to replace a 401 login response with a 200 signup response, logging in to any account without valid credentials.
14 Feb | RCE | Writeup | Severity: critical
RCE via Unrestricted File Upload (CV Upload — $500 Bounty)
Uploaded a PHP reverse shell as a CV file, with no content-type validation in place, triggered it by requesting the uploaded file's URL directly, and earned a $500 responsible disclosure reward.
08 Feb | ATO | Writeup | Severity: high
Account Takeover via OTP Brute Force (No Rate Limiting)
Brute-forced a 4-digit OTP with Burp Intruder at 100 threads (no rate limiting), then chained a profile update to permanently take over victim accounts.
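Added example (Python), not code from the writeup: an OTP service with the vulnerable verify path (every guess is checked, nothing is counted) beside a hardened path that spends a per-account attempt budget and invalidates the code when it runs out, plus the enumeration loop Intruder performs. The budget size, the fixed code and the user name are constructed assumptions.

```python
"""4-digit OTP verification: no rate limit vs a per-account attempt budget.

Illustration only; the attempt budget, the fixed code and the user name are
constructed for this example and not taken from the writeup.
"""
import hmac
from typing import Callable, Dict, Optional


class OtpService:
    """In-memory OTP store with two verify paths: the vulnerable one checks
    every guess, the hardened one spends a per-user attempt budget."""

    def __init__(self, max_attempts: int = 5) -> None:
        self._codes: Dict[str, str] = {}
        self._failures: Dict[str, int] = {}
        self.max_attempts = max_attempts

    def issue(self, user: str, code: str) -> None:
        # A real service generates a random, short-lived code; fixed here so
        # the demo is deterministic.
        self._codes[user] = code
        self._failures[user] = 0

    def attempts_used(self, user: str) -> int:
        return self._failures.get(user, 0)

    def verify_unlimited(self, user: str, code: str) -> bool:
        """Vulnerable: nothing is counted, so 10,000 guesses always win."""
        expected = self._codes.get(user)
        return expected is not None and hmac.compare_digest(expected, code)

    def verify_limited(self, user: str, code: str) -> bool:
        """Hardened: the budget is keyed on the target account, not on the
        client IP (which 100 threads behind a proxy pool can vary), and the
        code is invalidated once the budget is exhausted."""
        expected = self._codes.get(user)
        if expected is None:
            return False
        if self._failures.get(user, 0) >= self.max_attempts:
            self._codes.pop(user, None)   # force a re-issue; further guesses fail
            return False
        if hmac.compare_digest(expected, code):
            self._codes.pop(user, None)   # single use
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        return False


def brute_force(verify: Callable[[str, str], bool], user: str) -> Optional[str]:
    """Enumerates the 4-digit space the way Intruder would, returning the
    code that verified or None if none did."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if verify(user, guess):
            return guess
    return None


if __name__ == "__main__":
    weak = OtpService()
    weak.issue("victim", "4821")
    print("unlimited:", brute_force(weak.verify_unlimited, "victim"))   # 4821

    strong = OtpService()
    strong.issue("victim", "4821")
    print("limited:  ", brute_force(strong.verify_limited, "victim"))   # None
    print("attempts consumed:", strong.attempts_used("victim"))          # 5
```

With a 4-digit space and a 5-attempt budget the attacker's odds per issued code are 5 in 10,000, and the code is gone before the space is covered. Expiry and a cap on how often a new code can be requested close the remaining loop of re-issuing and retrying.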
08 Feb | XSS | Writeup | Severity: medium
Reflected XSS via OAuth Parameter Injection (lootdog.io — HoF)
Injected a script payload into a Set-Cookie parameter of the OAuth login flow on account.my.games, confirmed the reflection, and earned a Hall of Fame entry on HackerOne.