-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.xml
23 lines (18 loc) · 1.12 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Atul</title>
<link>https://marcelo321.github.io/</link>
<description>zonduu</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Sat, 08 Feb 2020 23:04:58 +0545</lastBuildDate>
<atom:link href="https://marcelo321.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Idor in session Cookie leading to Mass Accoutn Takeover</title>
<pubDate>Sat, 08 Feb 2020 23:04:58 +0545</pubDate>
Baby paws:
I looked for what are the functionalites available in the WEB app just to see what are the possible attack vectors. I analyzed the WAF and found what triggers it and what are blocked characters I found a upload field that explicitly uses these three formats: PNG, XML, and EPS. ie The upload field for the avatar. That allowed me to check for imagetragick, ghost script and some fuckery over file uploads!</description>
</item>
</channel>
</rss>