Category: #BugBounty

Authentication Bypass Through PHP Type Juggling

PHP supports two common ways of comparing variables. One way is through loose comparison (== or !=) and the other is through strict comparison (=== or !==). Loose comparison checks whether both variables have “the same value” while strict comparison confirms if both variables have “the same type and value”. PHP type juggling vulnerabilities arise when loose comparison is employed instead of strict comparison in an area where the attacker can control one of the variables being compared. Illustration When…


Exploiting Time-Based Blind SQL Injection With SQLMap

In this post, I will share details about a time-based blind SQL injection vulnerability I found on a private bug bounty program through HackerOne. This was also my first bug bounty on the platform. According to this post by Acunetix, SQL injection vulnerabilities can be classified into three major categories: in-band SQL injection, inferential SQL injection and out-of-band SQL injection. Types of SQL injections: in-band SQL injections allow the attacker to use the same communication channel to both launch the attack…


Account Takeover Through Host Header Injection

In this post, I will explain what host header injection attacks are and how I found one in a private bug bounty program that led to full user account takeover. The anatomy of an HTTP request: before we define what a host header injection attack is, we need to first delve into the anatomy of an HTTP request. An HTTP request is generally divided into three parts: a request line, a set of header fields and a…
