ESEA Server-Side Request Forgery and Querying AWS Meta Data

esea

For anyone familiar with the Counter-Strike competitive scene, you know about ESEA. They just recently launched a bounty program that puts their website, game client, and game servers in scope for security research.

I spent a night taking a look over the website and found a few vulnerabilities. The most interesting discovery was a Server-Side Request Forgery vulnerability. Using a cool trick that Ben Sadeghipour (@NahamSec) showed me, I was able to pull private information from ESEA’s AWS metadata.

Continue reading

Yahoo Login Protection Seal – Stored CSS Injection

In 2014 I discovered a vulnerability on Yahoo’s Login Protection seal that allowed for CSS injection. This information was saved to the browser and IP, persisting across login sessions on that computer. The protection seal feature has since been removed from the login page, but the feature still exists in your account preferences.

Continue reading