Recently when I was testing a web application, which is used for money transfer, wallet and banking, the scenario was that the multi factor authentication was compulsory, without enabling the user cannot use the application, I was able to login into someone’s account without MFA and with only username and password

The target was a food delivery application, there was a functionality of referral code to invite someone and get cashback for that in the wallet but the user only get the referral code after placing first order, i exploited application logic to get referral code without placing order

I was recently hunting on a target, which is a food ordering site and found a bug from which I can tamper price during food order

In this blog I will be describing the pre-requesty steps I followed for one of the android application penetration testing

As usual, I was looking for some responsible disclosure programs on google and came across a project, which was a dating application and has iOS and Android application in Scope

After my last blog Chaining Small Vulnerabilities to Account takeover, I got many messages asking, how I found the variable from javascript, so, in this blog I will demonstrate, how do I review the frontend source code, this does not include analysis from any tools

The application was an admin application which is used to manage users, user-roles, user-groups, and other user account options, I found several vulnerabilities in the applications which can be chained and lead to many account takeovers in the application, firstly I will list the vulnerabilities that I found and after that a demonstration, how I chained the vulnerabilities

Hello, this is part 2 of the short writeup series of VIIT CTF V2

Team - N00bs | Position - 2nd (Runner ups) | Team Members:

vj0shii - Vaibhav Joshi | p4nk4j - Pankaj Verma | H4$H - Anuja Khandelwal | loopspell - Ankit Kushwah

It was the same program as How I bypassed OTP mechanism used for updating Sensitive Information

There was a Address book section inside the application where the user can add a number of addresses for the product delivery

I found this vulnerability in a ecommerce site, the site has a responsible disclosure program

So the vulnerability was in profile

Hello, this is part 1 of the short writeup series of VIIT CTF V2

Team - N00bs | Position - 2nd (Runner ups) | Team Members:

vj0shii - Vaibhav Joshi | p4nk4j - Pankaj Verma | H4$H - Anuja Khandelwal | loopspell - Ankit Kushwah

This blog is about Autorize which is an Automated Authorization testing plugin for burp suite, the tool can be used to check if proper Access control is implemented on the server or not

I was looking for responsible disclosure programs and came across a program, let’s call it example.com

I started enumeration, the website is basically used to create applications which will be deployed as a subdomain on the website domain, like if I created an application test then URL to the application will be https://test.example.com