Showing posts from April, 2016

Cross Site Scripting and URL redirection ...

Hi Guys,

Almost 2 years back I found a cross site scripting and a Dom based Open Url redirection bugs on a certain web site. Since the issues are still not patched, even after 2 years, I have decided to write a blog on them.

Cross Site Scripting: As per owasp, "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."
While testing, I ended up working on the support page pointing to . After playing around the site, I found that it is vulnerable to the reflected cross site scripting on the following url.…

How I could Delete Instagram Captions and Comments that are not mine,.....

Its been a while since i published my last post. So, here i come with a write up for chaining of multiple issues in Facebook Acquisition - Instagram, that could allowed me to delete entire comments/captions from the Instagram DB.

For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, i was about the close my Mac and then, saw a request without signature.

Bingo..something to play around. so i started working on the request, trying to find most common bugs, like sqli,xss, csrf etc.. Then to cross verify a csrf issue, I used my browser. But to my surprise, in later requests in browser app, there is no signature at all, but of-course csrf issue is properly protected.
So while testing with both the App and Browser together, I realised that there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) n…