Web Apps Archive

Race Condition that could Result in RCE – (A story about an App that temporarily stored an uploaded file for 2 seconds before moving it to Amazon S3)

Author: | Categories: Bug Report, Web Apps, Write-Up No comments
In the name of Allah, the Most Gracious, the Most Merciful. – Part I of (hopefully) IV Parts – Update I: Added a “Reference” Section. Update II: “We” in this series of articles will refer to Faisal Yudo Hernawan, Tomi, and me. Update III: The way to exploit the “upload.php” function has been released at

IDOR (at Private Bug Bounty Program) that could Lead to Personal Data Leaks

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to see this release in brief: [English Version] IDOR (at Private Bug Bounty Program) that could Lead to Personal Data Leaks I. PRE-INTRODUCTION A few months ago, I got an invitation

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion of Other Users’ Profile Photos

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to see this release in brief: [English Version] Ribose – IDOR with Simple CSRF Bypass – Unrestricted Deletion of Other Users’ Profile Photos I. ABSTRACT Introducing ourselves in the use of social

Bypassing the Current Password Protection at PayPal Tech-Support

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to see this release: [English Version] PayPal – Bypassing the Current Password Protection at PayPal Tech-Support To complete the explanation, we uploaded an unlisted video to YouTube: https://youtu.be/QGBpjDDs9pY

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Search Engine

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to see this release: [English Version] PayPal – Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Search Engine To complete the explanation, we uploaded an unlisted video to YouTube for

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

Please kindly visit this simple paper directly to see this release (for a simple look): [English Version] PayPal – Turning Self-XSS into non-Self Stored-XSS via Authorization Issue To complete the explanation, we uploaded unlisted videos to YouTube for both scenarios: Stored XSS (via Malicious SVG File) at

FortiNet – Unrestricted Deletion of All Other Sub-Accounts via IDOR at Support Portal

I. ABSTRACT As part of providing complete support to all of its customers, FortiNet provides a support portal (located at: https://support.fortinet.com/Home.aspx) for its customers to communicate with each other. One of the interesting features available at the Support Portal is “manage user”, which could be used to connect with

BigTree CMS – Multiple Security Issue of CSRF at Few Parameters (CVE-2017-6914 … 6918)

I. ABSTRACT As quoted from the official site of BigTree CMS, BigTree CMS is an open source content management system built on PHP and MySQL. It was created by – and for – user experience and content strategy experts. BigTree’s user system is designed for a single webmaster or

Tokopedia – Unrestricted Deletion of All People’s Bank Accounts

I. ABSTRACT The simplicity of receiving payment from online sales is certainly a dream for every seller. To realize this simplicity, Tokopedia has launched a feature, “Tambah Rekening Bank” (Add Bank Account), that could be used to receive the sales payment after every transaction processes to

Tokopedia – Content Injection that could Result in Reflected Cross Site Scripting

I. ABSTRACT Provision of information for activating a newly registered account is one of the features that could be seen by the user (in the context of buying) after finishing a short sign-up process. However, the problem occurs when the page that provides the information doesn’t do any filtering on the