Posts

[Leak] Can I take the user information, please?!!

Hi again, it's me :P. I found a cool bug on a private program that I want to share with you. As every time I start testing a target, I opened Burp Suite and began visiting every link and sending requests to the website to collect endpoints and paths. When I tried to add a user to my account, I typed "test" in the name field and noticed that the page sends an automatic request to an endpoint to check whether this username is available or not. The endpoint has the form https://target.com/api/user/endpoint_name?q= : the username you type in the input field is added to the q parameter and the page sends a POST request to that endpoint. The problem is that the response gives back a lot of information about that username: email, phone number, UUID, the company's information, and a lot more, almost all of the account information except the password. It was cool for me, but not that cool, because I need the username to get this information. I co...

[Part 1] What is XSS and Example of Filters & Bypasses

Hi again XD, and another topic: in this one we will talk about Cross-Site Scripting (XSS). What is XSS? It is a type of injection bug that lets an attacker inject client-side scripts into a web page. There are three common types of XSS. Reflected XSS: the malicious string originates from the victim's request. Stored XSS: the malicious string originates from the website's database. DOM-based XSS: the vulnerability is in the client-side code rather than the server-side code. How to exploit XSS? Let's start with basic XSS and then go over some XSS filters and bypasses. If we have a link like http://example.com/path/urname.php?name=flex, the response on the web page will be "Welcome flex". If we try to inject a JS script into the name parameter, like <script>alert('XSS')</script>, the website will take it and print it on the web pa...
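The reflected flow described above, as an added Python illustration (not code from the original post): the page's URL pattern and payload are reused, the vulnerable render echoes the name parameter verbatim, and the fixed render HTML-escapes it for an element-content context. The reflection check is the quick test a tester runs before moving on to filter bypasses.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed inputs following the page's example URL and payload.
PAYLOAD = "<script>alert('XSS')</script>"
BENIGN = "http://example.com/path/urname.php?name=flex"
MALICIOUS = "http://example.com/path/urname.php?name=%3Cscript%3Ealert('XSS')%3C/script%3E"


def name_from_url(url: str) -> str:
    """Extract the ?name= query parameter the way the server would (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Reflects the parameter verbatim into HTML: this is the reflected-XSS sink."""
    return f"<h1>Welcome {name}</h1>"


def render_fixed(name: str) -> str:
    """Same page, but the untrusted value is escaped for an HTML element-content context.
    quote=True also escapes ' and ", which matters if the value ever lands in an attribute."""
    return f"<h1>Welcome {html.escape(name, quote=True)}</h1>"


def reflects_unescaped(response_html: str, payload: str) -> bool:
    """Crude reflection check: does the payload appear byte-for-byte in the response?
    A hit here means the basic payload fires; a miss means a filter or encoder is in the way."""
    return payload in response_html


if __name__ == "__main__":
    name = name_from_url(MALICIOUS)
    print("vulnerable:", reflects_unescaped(render_vulnerable(name), PAYLOAD))
    print("fixed     :", reflects_unescaped(render_fixed(name), PAYLOAD))
```

The escaped output renders the literal text `<script>alert('XSS')</script>` to the user instead of executing it; output encoding must match the context (element body, attribute, URL, JavaScript string), and `html.escape` only covers the first two.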

[Bypass] Cool Open redirect Bypasses

Hey guys, it's me again XD. I will talk about some open redirect protection bypasses; I hope they help you. Let's start. If your target has an endpoint like /path/redirect.php?url=http://target.com/, this endpoint can be used to redirect the user to another path after login, signup or anything else, and some websites restrict it to paths only, so that the user is never redirected to an external domain. If I enter http://google.com in the url parameter, what happens? You will get an error page if there is a protection, or you will be redirected to Google, and that is a basic open redirect. Now, what if there is a protection and I got the error page? We start trying to bypass this protection. You can use //google.com/ : this bypass works when the function only checks for http/https, because you add two forward slashes before the domain name and the browser still treats it as an absolute URL. Another bypass is http://google.com%23.target.com/, where %23 is the URL encoding of #; the website will see tha...

[Duplicated] Self-XSS & CSRF attack lead to Stored XSS

Hi guys, it's me, Flex. In this post I will share a new vulnerability on a private program; let's call it `example.com`. The vulnerability was a Self-XSS combined with a CSRF attack, which leads to Stored XSS. The story of the discovery: the target is a shop website. When I tested the function to add a product, I started adding my lovely XSS payload <svg/onload=alert(0)> everywhere, and in one of the fields it worked and gave me a pop-up, because the input was invalid for that field and the website told me that the value was wrong, so it is a Self-XSS. I tried to find Clickjacking to make it exploitable, but there was no way with Clickjacking. After some minutes I tried to find a CSRF attack, so I opened Burp and caught the change request, and I noticed that there was no CSRF token or any CSRF protection, so I tried to exploit these two bugs together to get the Stored XSS. The body of the edited request was like this: {"basePage":{"draftIds":["victim_id"],"...

Stored XSS on Edmodo main domain

Hey guys, today I would like to show you how I found a Stored XSS on the Edmodo main domain. When testing the website I created two accounts; on signup I added the XSS payload in the name. I opened the victim account in Firefox and the attacker account in Google Chrome, opened the victim's profile and sent a request to connect, like adding a friend. Now, when the victim opens my profile to accept the request, the XSS payload that was in the name is executed. The PoC video. I hope this topic helped you; thank you for reading.

[SubFl0w] New Tool

Hi guys. What does the tool do? We wrote a new tool: you give it a list of subdomains, the tool checks every entry in the list, and if it notices that a subdomain may be vulnerable to subdomain takeover it tells you about it. Requirements: Python 2.7 / 3.7, the requests lib [pip install requests], the colorama lib [pip install colorama]. Download: you can download it from here: Tool
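The kind of check a takeover scanner performs, as an added Python illustration that is not SubFl0w's own code: each subdomain is classified from its CNAME target and the HTTP response it serves. The service fingerprints are illustrative assumptions, and the input is constructed with pre-resolved CNAMEs and response bodies so the example runs offline (a real scanner would resolve and fetch these live).

```python
from typing import NamedTuple, Optional


class Observation(NamedTuple):
    subdomain: str
    cname: Optional[str]   # CNAME target, or None if the name has no CNAME
    status: Optional[int]  # HTTP status, or None if the host could not be reached
    body: str              # response body (empty when unreachable)


# (CNAME suffix, body fingerprint) pairs for third-party services whose unclaimed
# resources return a distinctive "not found" page. Assumed values for illustration;
# a real scanner maintains a curated, regularly updated list.
FINGERPRINTS = [
    ("github.io", "There isn't a GitHub Pages site here"),
    ("herokuapp.com", "No such app"),
    ("s3.amazonaws.com", "NoSuchBucket"),
]


def classify(obs: Observation) -> str:
    """Return 'takeover-candidate', 'dangling-cname' or 'ok' for one subdomain.

    takeover-candidate: CNAME points at a known service AND the body carries that
                        service's unclaimed-resource fingerprint.
    dangling-cname:     CNAME points somewhere that no longer answers at all;
                        worth a manual look, but not provably claimable.
    """
    if obs.cname is None:
        return "ok"  # nothing delegated to a third party, nothing to claim
    if obs.status is None:
        return "dangling-cname"
    for suffix, marker in FINGERPRINTS:
        if obs.cname.endswith(suffix) and marker in obs.body:
            return "takeover-candidate"
    return "ok"


def scan(observations):
    """Classify every observation; returns {subdomain: verdict}."""
    return {o.subdomain: classify(o) for o in observations}


# Constructed sample input standing in for live DNS and HTTP results.
SAMPLE = [
    Observation("docs.example.com", "acme.github.io", 404,
                "<h1>There isn't a GitHub Pages site here.</h1>"),
    Observation("app.example.com", "acme-prod.herokuapp.com", 404, "No such app"),
    Observation("www.example.com", None, 200, "<html>home</html>"),
    Observation("old.example.com", "retired-bucket.s3.amazonaws.com", 404,
                "<Code>NoSuchBucket</Code>"),
    Observation("legacy.example.com", "gone.example-cdn.net", None, ""),
    Observation("blog.example.com", "acme.github.io", 200, "<html>our blog</html>"),
]


if __name__ == "__main__":
    for sub, verdict in scan(SAMPLE).items():
        print(f"{sub:22} {verdict}")
```

Matching on both the CNAME suffix and the body fingerprint keeps false positives down: a 404 alone proves nothing, and a known-service CNAME that still serves content (blog.example.com above) is healthy.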

Write-Up || Quals: Saudi and Oman CTF 2019 Web Challenges

Welcome guys. I will solve the web challenges from the Quals of Saudi and Oman CTF 2019. I solve them in the video, but I will talk about the challenges first. The first challenge is Maria; it is a hard one worth 200 points. This challenge is a SQL injection challenge: the first thing you should find is the field you will inject your payload into. If we try to delete the cookie, we will see the SQL query that adds your IP to the database, so we will inject through the IP to get the information from the DB. We need Maria's IP address, so we will dump it, and we will see that in the video. After that, when we add the IP, we should add the cookies, and we will use the cookies from the Set-Cookie header in the response. The second challenge is Back to basics; it is an easy one worth 50 points. If we try to open the challenge link we are redirected to Google, so we should open it another way. I used Burp to catch the request but I didn't find anything interes...