XSS by Javascript Overriding

This post describes an interesting XSS that I recently encountered. I'll describe my thought process during the exploitation of this vulnerability as well. Shortly after taking part in H1-702 (Hackerone's latest Live Hacking Event at time of writing), I was sitting in my room in the Luxor Hotel in Las…

A Case Study of API Vulnerabilities - Part 2, and Empty Heads

IntroThis blog post is a more general one than my usual posts. I'll try and cover two things; an SSRF bug in an API, and a cool productivity system I use. SSRF with Secondary Context Path TraversalThis writeup presents another thing to test for when you have a full-or-partial-read SSRF.…

A Case Study of API Vulnerabilities

OverviewThis writeup details a series of vulnerabilities I encountered a few months ago on a single private program. The company did specify that they would like to read the writeup before publication to approve it first. Unfortunately, the private program has since been shut down, and the email account that…

Reflections on ECSC 2021

Note: I updated my Ghost instance but forgot to back up images, so all of the images that were on this blog are now gone forever. cries but anyway The Story And Some NotesIn September, I was fortunate enough to be selected as a team member of Team Ireland. I…

H@cktivityCon 2021 CTF

I participated in the H@cktivityCon 2021 CTF alongside some talented hackers - we placed 57th out of over 2,000 participating teams. My contributions weren't that big - but I did learn a lot. Most of the challenges I solved were easy. Bad Words The general aim of Bad…