Posts

Awww!!! It's *Public* Service Commission.....

In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission. The issues here are an OTP bypass to achieve IDOR. For those who don't know what IDOR is, quoting from OWASP: "Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly".

The site URL is `https://mailer.psc.kerala.gov.in/KPSCAptitudeTest/home`, which is a temporary site they've opened for the Aptitude Exam for engineering students.









How the site works

Students can register for the aptitude exam by providing the following details: College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name and photographs of themselves, their signature and their ID card.
Question: This is for engineering students. What am I doing there?




We're everywhere. In this case,…

Send request to Martians. Earthlings are already your friends.

Hello everyone,

I'm back with another write-up. This time it's a Google bug. YouTube is Google's video sharing site and a great place to explore. As a bug hunter, you can spend hours or days or even weeks in YouTube without hesitation. I always used YouTube to play some music when I worked as a developer last year.

When I started bug hunting, I tried YouTube multiple times and couldn't find any. Then I started hunting on other Google services.

After hunting for more than 2 hours, I found a bug on one of Google's acquisitions. According to Google, a video PoC is required only if it is contributing something that the text can't. But I'm a great fan of videos and my first bug to Google (duplicate) contained a 15min video 😎.

I recorded a video of that bug I found and visited YouTube to upload it. When I clicked the upload button, I noticed something strange beside it, something new. It looked like a message button.




But then, the upload page has loaded suddenly and the butt…

Setting up your environment for Hacking - Part 1 : Tools

Hello everyone,

In previous posts, I gave you an introduction to XSS, one of the vulnerabilities. In case you missed it, you can read it here:

Introduction to XSS

Hands on | Google XSS Game




The above 2 posts had good reach and I got lots of mails and Facebook messages asking "Can you teach me hacking?".

Most of the people are noobs and they don't know how to hack or what hacking is. So, in this and the next few posts, I am going to tell you about setting up your environment for hacking (or) to learn hacking.

In this post, I am talking about the common tools used for hacking. Don't worry. They're open source and you can get them for free.

1. Firefox

Firefox is a web browser you must have to perform testing against websites and web applications. Firefox is not as interesting as Chrome but it does have lots of add-ons which help us to test against a target. I'll talk about them later.

Visit Firefox Official Page  |  Download Firefox Web Installer





2. Python

Python is a programm…

How to earn some internet points on Stack Overflow

Stack Overflow, the largest Q&A site for professionals, was founded by Jeff and Joel in 2008 and became an encyclopedia for everyone who works in or is interested in Information Technology. It became an essential part of every programmer's life. Unlike other sites, Stack Overflow focuses only on technology. Any question that is not related to technology will be closed as off topic there. Also, questions asking to recommend some software or hardware are unacceptable to the community.

To get high reputation on Stack Overflow, you have to consider a lot of things.

1. Choose your Tag(s)

Each Stack Overflow question is tagged with a programming language, tools, etc. So you can watch the tags of your interest to see new questions immediately when they are posted.




Choose wisely because if you answer wrongly, you may lose reputation because of down votes.

There are certain tags that have high traffic. If you choose such a tag, your earnings will be high.

2. Be a FGIW

Try to be the first answer. Being the first one to…

Hands On training | Google XSS Game

Hello everyone,

In a previous post, I talked about XSS aka Cross Site Scripting. Hope you all got a basic knowledge now. In this post, I am giving you more information on XSS with hands-on training on the Google XSS Game. You can find a video on how to solve this at the bottom of the page.

First, Google XSS Game is a training platform provided by Google to practice XSS. It consists of 6 levels and in each level, you have to execute a JavaScript alert in order to advance to the next level. In each level, you'll be provided with different problems and you have to execute the alert using different techniques in each level. This will help you to understand various methods that can be used to execute XSS in a web page.

There are hundreds of such websites available which allow you to practice various types of vulnerabilities.





So let's get started.

Navigate to https://xss-game.appspot.com. This is where the Google XSS Game is available.

You'll see a page like this




Click the but…