Flickr API Explorer – Force users to execute any API request.
Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.
admin.google.com Reflected Cross-Site Scripting (XSS)
After learning about Google's bug bounty program, I decided to look for vulnerabilities on their most sensitive services. Finding a vulnerability on admin.google.com was challenging; I managed to find a simple, but interesting form of Cross-Site Scripting.
Yahoo – Root Access SQL Injection – tw.yahoo.com
I'll keep this one simple and sweet because anyone reading this blog probably knows what SQL Injection is. I discovered a root access SQL injection on tw.yahoo.com.
Detecting Burp Suite – Part 2 of 3: Callback Exposure
This is part two of a three-part series on detecting traffic generated by the security tool Burp Suite. These methods are by no means exhaustive, but are simple tricks that can be used for detecting some of the malicious traffic on your web server.
Detecting Burp Suite – Part 1 of 3: Info Leak
I recently started to review the automated vulnerability scanner Burp Suite because of its widespread usage. The tool is used by many security bounty hunters, security professionals, and blackhat hackers for automated scanning and vulnerability detection. While I was using Burp, I was wondering to myself how easy it is for a server to detect that I am using this tool.