Software Engineering @ McMaster · Bug Bounty Hunter since 2021 · Web & Mobile Security Researcher
Writeups on XSS, IDOR, auth bypasses, privilege escalation, and more.
Software Engineering @ McMaster · Bug Bounty Hunter since 2021 · Web & Mobile Security Researcher
Writeups on XSS, IDOR, auth bypasses, privilege escalation, and more.
A post title got reflected into a script tag, which gave me stored XSS. From there I pulled the victim’s session token from an API endpoint and reset their password without the old one. One click, full account takeover.
A hostname referenced inside a production JavaScript bundle pointed at a staging environment where every /api/admin/* route was reachable without authentication, including one that returned a password reset link for any user ID.
How I discovered that a staging environment shared its invite ID namespace with production, allowing an attacker to generate invite codes on staging and use them to forcefully join random private servers on production — including invite-only ones.
Introducing my security research blog — what to expect and why I’m writing.