A developer's notes in the world of security research and bug bounty, by pmnh
open-menucloseme
Home
About
githubtwitterrss

  • Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API

    calendarJun 29, 2023 · 16 min read · writeup xss graphql hackerone  ·
    Share on: twitterfacebooklinkedincopy

    Stored XSS to Account Takeover (ATO) via GraphQL API Late last year on HackerOne during an LHE (this is only important later due to an extreme time crunch), I found an extremely challenging vulnerability on a major brand's web site involving several layers of exploitation ultimately resulting in a stored XSS payload …


    Read More

Disclaimer

The opinions expressed on this site are my own personal opinions and do not represent my employer’s view in any way. All content on this site should be used for legal, research purposes only on assets you are permitted to test. The author expressly disclaims any and all liability from misuse of material on this site.

Featured Posts

  • Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API
  • Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass
  • Reflecting on 2 Years of Bug Bounty

Recent Posts

  • Bug Writeup: Stored XSS to Account Takeover (ATO) via GraphQL API
  • CTF Writeup: 2023 DeadSec CTF: Trailblazer
  • Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass
  • Reflecting on 2 Years of Bug Bounty
  • CTF Writeup: 2022 HTB Cyber Apolcalypse Web Challenge: Genesis Wallet
  • LuxCal 5.1.x and below Authentication Bypass: CVE-2021-45914, CVE-2021-45915
  • Advanced sqlmap Case Study

Tags

CTF 2 RCE 2 WRITEUP 2
All Tags
ADVANCED1 AUTHENTICATION1 BUGCROWD1 CSRF1 CTF2 CVE1 GRAPHQL1 HACKERONE1 INDEX1 LEARNING1 NODEJS1 PYTHON1 RCE2 SQLI1 SQLMAP1 VARNISH1 WAF1 WRITEUP2 XSS1
[A~Z][0~9]
A developer's notes in the world of security research and bug bounty, by pmnh

Copyright  A DEVELOPER'S NOTES IN THE WORLD OF SECURITY RESEARCH AND BUG BOUNTY, BY PMNH. All Rights Reserved

to-top