Logical Authentication Bypass Vulnerability

On the morning of 28th September 2015 I received an email from my colleague asking me to perform a penetration test on the Android application of a bank called "ABC" (for security reasons I am not disclosing the name of the application). The time limit was short, as I had to complete the test and the report in 2 days, so I looked for critical vulnerabilities. One day passed; I had checked for most injection and session management vulnerabilities, but there was no luck.
After giving some thought to the application I lost hope and started writing the report, when suddenly my eye caught a glimpse of the authentication request that was going to the server.
Now, to understand the request you have to understand the login functionality of the application. The developers of this app were trying to be smart: at the time of registration they asked for a password and a memorable keyword for accessing your account in the app, with a security policy like: 1. At least 8 characters password. 2. Password must contain One Upper Let…

Blind OOB XXE At UBER 26+ Domains Hacked.

XXE (XML External Entity) :
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
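The mechanics described above, as an added example that is not code from the original post or from the Uber application: a Python parser built on the standard library's pyexpat that resolves SYSTEM entities (and therefore leaks a local file into the parsed text), beside a hardened parser that refuses any DOCTYPE. The secret file, the payload and the names `vulnerable_parse`, `hardened_parse` and `demo` are constructed for the demonstration.

```python
"""Added example (not from the original post): an XML parser that resolves
external entities leaks a local file; a hardened parser refuses the document.
Standard library only; the secret file and payload are constructed here."""
import tempfile
import urllib.request
from pathlib import Path
from xml.parsers import expat


def make_xxe_payload(target_uri):
    """Classic in-band XXE: declare an external entity that points at a file
    and reference it inside an element the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE search [\n'
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        ']>\n'
        '<search><keyword>&xxe;</keyword></search>'
    ).encode()


def vulnerable_parse(xml_bytes):
    """A weakly configured parser: it honours SYSTEM entities by fetching
    whatever URI the document names and splicing the result into the text."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve_external_entity(context, base, system_id, public_id):
        # Fetching the attacker-controlled URI is the whole vulnerability:
        # file://, http:// (SSRF to internal hosts) and more are all accepted.
        with urllib.request.urlopen(system_id) as resp:
            body = resp.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(body, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = resolve_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def hardened_parse(xml_bytes):
    """Hardened parser: reject any DOCTYPE outright (no DTD means no entity
    declarations at all) and never resolve an external reference even if one
    somehow reached the handler."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: returning 0 makes expat abort on the reference
    # instead of silently fetching the resource.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Create a constructed secret file, feed the same payload to both parsers,
    and return (what the vulnerable one leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "passwd"
        # constructed stand-in for /etc/passwd, not the real file
        secret.write_text("root:x:0:0:root:/root:/bin/bash\n")
        payload = make_xxe_payload(secret.as_uri())
        leaked = vulnerable_parse(payload)
        try:
            hardened_parse(payload)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", leaked.strip())
    print("hardened parser refused the document:", refused)
```

The blind, out-of-band variant in the post title differs only in how the result leaves the server: when the application does not echo the element back, the attacker points the entity at an external DTD that wraps the file contents into a second request to a host they control, so the data shows up in their logs instead of in the HTTP response. The fix is the same in both cases: disable DTD processing for untrusted input.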

This is the story of how I was able to find XXE on one of Uber's websites that was in scope of the bug bounty program.

On the evening of July 26th 2016 I was working on the ubermovement web application domain.
As it was a small web app there were not many parameters to run injection tests on. I started the old school tests, and the first parameter I came across was the search box.

Now, I attached my Burp Suite, then gave a keyword to search and started monitoring the requests...

In the directory "search" I got two requests.
1.The Keyword …

That Moment When You Find Authentication Bypass Vulnerability In Bug Bounty Program ?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities with 2 to 3 logical bugs and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for subdomains of a website that was newly introduced to a bug bounty program. After fingerprinting all the domains I found a unique domain which was hosted on an IIS server and running ASP.NET technology at the back end. An Nmap scan gave me the version of the server and technology. The web application was running on Windows Server 2003, Microsoft IIS 6.0 with Microsoft SQL Server 2005. That was too old for 2015 technologies, so I went old school on one of the parameters of a page to search for SQL injection.

I injected a quote and in a few seconds I received a SQL error. Now I was sure the SQL injection vulnerability was present in this sub-domain. As it was a sub-domain the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the we…

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found out that they had added some more functions to the web app. I started exploring the new features of the app; everything looked fine as they were all static HTML pages, then suddenly I came across a file "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite, and the full link was "\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply ran the link "" in my browser and received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered it might be an old school GHDB-type file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclu…
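The check a download script like the one above needs, as an added example that is not the client's forcedownload.php nor any code from the original post: a handler that mirrors the `?file=filepath` pattern and reads whatever it is given, beside a hardened handler that only serves regular files of an allowed type that really live under the document root. The vhost layout, file contents and the names `vulnerable_download`, `safe_download` and `demo` are constructed for the illustration.

```python
"""Added example (not the client's script): a file-download handler with and
without path containment. The directory layout is constructed in a temp dir."""
import os
import tempfile
from pathlib import Path

# Assumed policy for the illustration: only these document types are served.
ALLOWED_SUFFIXES = {".pdf", ".txt"}


class DownloadRefused(Exception):
    """Raised when the requested path fails the containment or type checks."""


def vulnerable_download(docroot, requested):
    """Mirrors the 'forcedownload.php?file=filepath' pattern: the parameter is
    joined to the document root and read as-is. os.path.join discards docroot
    entirely when 'requested' is absolute, and '..' segments walk out of it,
    so any file the web server can read can be fetched."""
    return Path(os.path.join(docroot, requested)).read_bytes()


def safe_download(docroot, requested):
    """Hardened version: the request may only name a regular file that lives
    under docroot after symlink and '..' resolution, with an allowed suffix."""
    if "\x00" in requested:
        raise DownloadRefused("NUL byte in path")
    root = Path(docroot).resolve()
    candidate = Path(requested)
    if candidate.is_absolute() or candidate.anchor:
        raise DownloadRefused("absolute paths are not accepted")
    target = (root / candidate).resolve()
    if root not in target.parents:
        raise DownloadRefused("path escapes the document root")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise DownloadRefused("file type not served")
    if not target.is_file():
        raise DownloadRefused("not a regular file")
    return target.read_bytes()


def demo():
    """Build a constructed vhost layout, then try a legitimate download and
    two escape attempts against both handlers. Returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        vhost = Path(tmp) / "vhosts" / "www"
        docroot = vhost / "httpdocs"
        (docroot / "journal").mkdir(parents=True)
        (docroot / "journal" / "welcome.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        # constructed secret that sits outside the document root
        (vhost / "config.txt").write_text("db_password=hunter2\n")

        results = {
            "legit_vulnerable": vulnerable_download(docroot, "journal/welcome.pdf"),
            "legit_safe": safe_download(docroot, "journal/welcome.pdf"),
            "traversal_vulnerable": vulnerable_download(docroot, "../config.txt"),
        }
        try:
            safe_download(docroot, "../config.txt")
            results["traversal_safe_refused"] = False
        except DownloadRefused:
            results["traversal_safe_refused"] = True
        try:
            safe_download(docroot, str(vhost / "config.txt"))
            results["absolute_safe_refused"] = False
        except DownloadRefused:
            results["absolute_safe_refused"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The containment test is done on the resolved path, not on the string, so encoded or doubled-up `..` sequences and symlinks inside the document root cannot bypass it; the suffix allow-list additionally stops the script from handing out its own PHP source even for files that are inside the root.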

Easiest Authentication Bypass Ever !!!

September 4th 2015,

I was given a re-evaluation pen-test for a bank's Android/iOS application.
It took me hardly an hour to replicate the tests for the previous vulnerabilities. When I was done with my work I still had time before sending my report to the client, so I started looking through my Burp Suite history and suddenly I noticed an HTTP response which was carrying a verification code parameter...

I was shocked, as the code was the same as the OTP that I had requested earlier that hour for logging in to my account. A million questions came to my mind, such as how?, why?, etc. One thing was clear: the application's OTP authentication was being done on the client side.

I had a thought: if the OTP and verification codes are present in the HTTP response, I can easily bypass the authentication, plus I can change the password for any account I like; all I need is the victim's user name, email or mobile number.

So, here goes the POC for how a client-side OTP check is dangerous for users:

1. I started login with vict…
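The design the post argues for, as an added example that is not code from the original post or from the bank's application: an OTP flow where the code is generated, stored (as a digest) and checked entirely on the server, the HTTP response carries only an opaque challenge id, and the check is single-use, time-limited and capped in attempts. The class name `OtpService`, the policy constants and the stand-in out-of-band delivery list are assumptions for the illustration.

```python
"""Added example (not from the original post): server-side OTP verification
that never places the code or a 'verification code' in an HTTP response."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy values for the illustration
MAX_ATTEMPTS = 3

# Stand-in for the SMS/email gateway: in production the OTP goes *only* here.
# Kept as a list so the demo and tests can read back what was "sent".
OUT_OF_BAND_DELIVERIES = []


def deliver_out_of_band(username, otp):
    OUT_OF_BAND_DELIVERIES.append((username, otp))


class OtpService:
    """Server-side OTP state. The client receives an opaque challenge id and
    must present the code it got out of band; nothing in the response lets a
    client (or an attacker replaying the victim's username) derive the code."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._challenges = {}

    def start_login(self, username):
        otp = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "user": username,
            # store only a digest so a database or log leak does not hand out live codes
            "digest": hashlib.sha256(otp.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        deliver_out_of_band(username, otp)
        # This dict is the whole HTTP response body: no OTP, no verification code.
        return {"challenge_id": challenge_id}

    def verify(self, challenge_id, submitted_code):
        """Return the username on success, None otherwise. The challenge is
        consumed on success, on expiry and when the attempt budget runs out,
        so the code can neither be replayed nor brute-forced."""
        record = self._challenges.get(challenge_id)
        if record is None:
            return None
        if self._clock() > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]
            return None
        record["attempts"] += 1
        presented = hashlib.sha256(str(submitted_code).encode()).digest()
        if not hmac.compare_digest(record["digest"], presented):   # constant-time
            return None
        del self._challenges[challenge_id]   # single use
        return record["user"]


if __name__ == "__main__":
    svc = OtpService()
    response = svc.start_login("alice")
    print("response sent to the client:", response)
    _, code = OUT_OF_BAND_DELIVERIES[-1]
    print("verify with the delivered code:", svc.verify(response["challenge_id"], code))
    print("replaying the same code:", svc.verify(response["challenge_id"], code))
```

Contrast this with the flaw in the post: if `start_login` returned the code (or anything derived from it) in its response, knowing a victim's username would be enough to complete their login or password reset, and none of the server-side checks would matter.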

CTRL+C, +V (Copy Paste) Best Idea To Build Capstone Projects

Hii again...
Hope you liked my previous post "Post XSS At :".

Finally it's the 8th semester; the 4 years of fun were going to end in the next 5 months, and the gang decided to attend the first day's class on time as a ritual. Professors were well aware that there would be full strength on the first day, the last day and the day before exams, so they were ready with their A-bomb for students.
This time the A-bomb was the "Capstone Project": the 10-credit, game-changing 5-month task that either puts your grades inside a tombstone or raises them above the stars. So we heard about the task, and within a week we had to form a group of 4-5 people and choose a project and mentors.

The group was made in less than a minute, but choosing a project was a tough call, so we decided to come up with as many ideas as possible in the next 3 days. On the third day the team members gathered in class and contributed our ideas, e.g. shopping website, social networking website, Skype-like software, Google Drive-like …