Posts

Showing posts from March, 2022

OPEN REDIRECT ON FIREBASE DYNAMIC LINK AFFECTING OVER 100 COMPANIES

  Hello guys, I was looking at some JavaScript files of a website with a bug bounty program; we'll call it redacted.com. I grepped for http and https protocols. One of the https links resembled https://redacted.page.link/?link=https://redacted.com. I immediately knew it was a Firebase Dynamic Link and got curious about the second redacted.com URL. After replacing the second URL with google.com I got redirected to Google. Win! Open redirect confirmed. Dynamic Links are deep links that allow you to send an application user or potential users to any part of the application. You can read about Firebase Dynamic Links here: https://firebase.google.com/docs/dynamic-links I reported to the company and was paid in under 3 hours. After that I remembered I had encountered some companies using Firebase during my normal pentests and bug hunting, so I decided to check their sites/apps. I decided to fuzz all H1 programs for the misconfiguration. I fired up Burp Intruder and replaced the first ur...
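The bug above comes down to one question: does the redirector accept any value in its `link` parameter, or only destinations on the app's own domains? The following is an added example (not code from the post) that classifies dynamic links found in client-side code and builds the same probe URL the post describes. The domains redacted.page.link and redacted.com are the post's; the allowlist, the probe target and the sample URLs are constructed.

```python
"""Check the `link` parameter of a Firebase Dynamic Link against a host allowlist.

Added example, not code from the original post. The dynamic-link domain
redacted.page.link and the app domain redacted.com are taken from the post;
the allowlist, the probe target and the sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hosts the app legitimately deep-links into. Assumed for this example; in a
# real deployment this corresponds to the allowlisted URL patterns configured
# for the dynamic-link domain.
ALLOWED_LINK_HOSTS = {"redacted.com", "www.redacted.com"}


def extract_link_target(dynamic_link: str) -> Optional[str]:
    """Return the value of the `link` query parameter, or None if absent."""
    values = parse_qs(urlsplit(dynamic_link).query).get("link")
    return values[0] if values else None


def is_allowed_target(target: str) -> bool:
    """Exact-host allowlist check that resists the common bypasses."""
    parts = urlsplit(target)
    # Require an absolute https URL with a host. This rejects scheme-relative
    # "//evil.com", "javascript:" and relative targets outright.
    if parts.scheme != "https" or not parts.hostname:
        return False
    # urlsplit lower-cases the hostname and strips userinfo and port, so
    # "https://redacted.com@evil.com" yields hostname "evil.com", and a
    # suffix or substring trick ("redacted.com.evil.com") cannot pass an
    # exact-membership test.
    return parts.hostname in ALLOWED_LINK_HOSTS


def classify(dynamic_link: str) -> str:
    """Label a dynamic link found while grepping client-side code."""
    target = extract_link_target(dynamic_link)
    if target is None:
        return "no-link-param"
    return "allowed" if is_allowed_target(target) else "open-redirect"


def build_probe(dynamic_link: str, probe_target: str = "https://google.com") -> str:
    """Swap the `link` parameter for an attacker-chosen URL, as the post does by
    hand. With a correct allowlist, following the result must not land on the
    probe target."""
    parts = urlsplit(dynamic_link)
    params = parse_qs(parts.query, keep_blank_values=True)
    params["link"] = [probe_target]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


if __name__ == "__main__":
    for url in (
        "https://redacted.page.link/?link=https://redacted.com",
        "https://redacted.page.link/?link=https://google.com",
        "https://redacted.page.link/?link=https://redacted.com.evil.com",
        "https://redacted.page.link/?link=https://redacted.com@evil.com",
    ):
        print(classify(url), url)
    print(build_probe("https://redacted.page.link/?link=https://redacted.com"))
```

The check is exact host membership rather than a prefix or substring match, because the bypasses that usually survive a "starts with our domain" test (`redacted.com.evil.com`, `redacted.com@evil.com`, `//evil.com`) all parse to a different host or no host at all. Firebase has since announced the deprecation of Dynamic Links, but the same check applies to any redirector that takes its destination from a URL parameter.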

De-anonymization of a VPN provider users

 Hello guys, I decided to take a look at my VPN provider to assess its security posture. First I decided to check the network traffic going into the VPN. I started by proxying the application with Wireshark. I saw the program was downloading an update via HTTP. This means the application was vulnerable to MITM, leading to an evilgrade attack where an attacker could replace the program with a malicious update/code, leading to code execution. The updates are not digitally signed! After that I knew I could get some impactful bugs, maybe a remote or local vulnerability. Local credentials disclosure: I found the program was disclosing login details in memory. This is the same vulnerability that affected PuTTY in CVE-2011-4607 and other programs such as TeamViewer (https://www.exploit-db.com/exploits/40342) and MySQL (https://www.exploit-db.com/exploits/40337). The program logged login details such as username, password and tokens, also the IP address connected to, the original IP address and timestamps in the m...

IDOR on Ios Application

  A friend asked me to do a pentest for their company, a Kenyan fintech company. For obvious reasons I cannot name the company. Everything was to be audited (sites, Android and iOS apps). After looking at the websites I couldn't find anything interesting except for enabled xmlrpc, broken link hijacking and some unrestricted directories. I even tried scanning the site with wpscan. WordPress sucks! As a newbie iOS pentester I decided to challenge myself to find at least one bug in their app. After downloading the app from the App Store I proxied the iPhone to Burp Suite. As static analysis of an iOS app is tiresome and not as straightforward as Android (just unpacking the APK file, which is basically a zip file), I opted for dynamic analysis. The procedure for setting up a proxy on iOS is the same as on Android: just set the IP address and port, then install the Burp certificate. Fortunately, no SSL pinning :) I started by signing up on the app. I received the confirmation email and my 4 nu...

Not A Guide to hacking betting sites

  DISCLAIMER!!! This is for educational purposes only and not a guide to hacking betting sites. In this writeup I will try to describe some bugs I have found on betting sites during my almost three-year bug bounty journey. I have reported more than 100 vulnerabilities on betting websites and Android applications, but I will only talk about some bugs. Sorry, I don't have screenshots to demonstrate the vulnerabilities, so I will just list some bugs and their impacts. I will not name the companies for obvious reasons. The writeup lists some vulnerabilities bug hunters can look for while hunting on betting platforms, so grab some coffee and popcorn and enjoy! Some are interesting, like changing odds, withdrawing twice or withdrawing more money than your balance :) IDOR: I found most of the IDORs on betting sites in profile ID parameters. Some occurred in bet history, where I could change the user bet ID and get any user's betting history on the site. SQLi: Most of them were blind s...

A bug chain to steal funds from users wallet

   Hello guys, while looking at a web pentest project I saw a simple reset password flow. The user receives a reset password code via phone number. It's a four-digit PIN and no rate limit was implemented. You can just guess what's going to happen. So a user could just ask for a reset code, input the new password and code on the reset password page, and if the code is correct the password is changed. I sent the request to Burp Intruder with my new password and brute-forced the codes. With 4-digit PINs we have 10,000 possible combinations. After a few minutes I saw a longer response and a 200 OK status. Clicking on the response I was greeted with a "password changed successfully" message. Hurrah!!! Account takeover is fine, but what about stealing funds from some wallets? I checked the withdraw feature and started playing with the request. The request was in JSON format, so I remembered albinowax's tweet on JSON interoperability vulnerabilities by Bishop Fox Labs. You can re...
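The first half of that chain is arithmetic: a 4-digit code with unlimited attempts falls to at most 10,000 requests. The following is an added example (not code from the post or the audited application) that runs the same enumeration against two verifiers: one that behaves like the flow in the post, and one with the controls that would have stopped Intruder. The code length comes from the post; the phone number, the attempt limit, the code lifetime and both verifier classes are constructed.

```python
"""Brute-forcing a 4-digit password-reset code against the unlimited verifier
described in the post, and against a verifier with attempt limits.

Added example, not code from the post or the audited application. The code
length (4 digits, 10,000 combinations) comes from the post; the phone number,
the attempt limit, the code lifetime and both verifier classes are constructed.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


class UnlimitedResetVerifier:
    """The flow from the post: the code can be guessed any number of times."""

    def __init__(self, rng: Callable[[int], int] = secrets.randbelow) -> None:
        self.rng = rng                    # injectable only so the demo is deterministic
        self.codes: Dict[str, str] = {}

    def request_code(self, phone: str) -> None:
        self.codes[phone] = f"{self.rng(10_000):04d}"

    def reset_password(self, phone: str, code: str, new_password: str) -> bool:
        return self.codes.get(phone) == code


class LimitedResetVerifier:
    """Hardened: a handful of attempts per issued code, a short lifetime,
    single use, and a constant-time comparison. Both limits are assumed
    policy values, not something the post specifies."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, rng: Callable[[int], int] = secrets.randbelow,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rng = rng
        self.clock = clock
        self.state: Dict[str, dict] = {}

    def request_code(self, phone: str) -> None:
        # Re-requesting rotates the code, so a locked-out attacker cannot
        # ask again and continue the enumeration where they left off.
        self.state[phone] = {
            "code": f"{self.rng(10_000):04d}",
            "expires": self.clock() + self.TTL_SECONDS,
            "attempts": 0,
        }

    def reset_password(self, phone: str, code: str, new_password: str) -> bool:
        entry = self.state.get(phone)
        if entry is None or self.clock() > entry["expires"]:
            return False
        if entry["attempts"] >= self.MAX_ATTEMPTS:
            return False                  # locked until a fresh code is requested
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            return False
        del self.state[phone]             # single use: the code is burned
        return True


def brute_force(verifier, phone: str, new_password: str = "attacker-chosen") -> Optional[int]:
    """Try every 4-digit code in order, as Burp Intruder would; return the
    number of requests it took, or None if the code space was exhausted."""
    for n in range(10_000):
        if verifier.reset_password(phone, f"{n:04d}", new_password):
            return n + 1
    return None


if __name__ == "__main__":
    phone = "+254700000000"               # constructed
    weak = UnlimitedResetVerifier()
    weak.request_code(phone)
    print("unlimited verifier: password reset after", brute_force(weak, phone), "requests")
    strong = LimitedResetVerifier()
    strong.request_code(phone)
    print("limited verifier: brute force result", brute_force(strong, phone))
```

Against `LimitedResetVerifier` the attacker gets five guesses per issued code (a 0.05% success chance) and requesting a new code resets the target, so the 10,000-request run in the post cannot complete. The attempt counter is incremented before the comparison so that a failed check cannot be replayed for free, and the check is constant-time so response timing does not leak matching digits.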

IoT & Hardware hacking

   Hello guys, I am a newbie IoT and hardware hacker and I would like to share some resources and findings as I learnt router exploitation and other hardware hacking. My journey: I wanted some challenge, something new for research. I thought for some time, then I decided to start doing IoT hacking. I have some IoT and embedded devices in my house such as smart TVs and a router, so I started looking at smart TV exploitation. There are a few writeups or videos out there. After watching the videos I noted key points such as the attack surface on the TVs and some key points while hacking smart TVs. After some weeks I found some vulnerabilities that I will talk about in another writeup. After a few months I decided to look at router exploitation. I had read of high payouts by ZDI at Pwn2Own competitions for router exploits, so I searched for their writeups. I found advisories on vulnerabilities affecting different routers but no clear step-by-step guide to hack...

Checking M-Pesa users' balance

  Hello guys, this bug affected an API on a third-party merchant integrating with M-Pesa, so it was not in scope of Safaricom's bug bounty program on HackerOne. The bug was reported and fixed. I will use redacted.com to refer to the affected site. Sorry, I won't provide screenshots. It is a popular e-commerce site in Kenya. I was able to use a logic bug (an error message) to learn anyone's M-Pesa balance. The downside of using this method was the victim getting an M-Pesa STK pop-up notification. The pro is that you don't need the victim to do anything (0-click); you just need to know the phone number! How? I clicked on items and added them to the shopping cart. Clicking the cart sends you to the payment page. Here they use a custom API (api.redacted.com): add your victim's M-Pesa number and continue to pay for the item. Here is where the vulnerability lies. If the victim's number has enough cash in M-Pesa, they receive an STK push notification to pay and on the site you receive a 200 error s...
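What makes this a balance leak rather than a one-bit "can or cannot pay" check is that the attacker controls the cart total: an API that answers differently depending on whether the number can cover the amount is a comparison oracle, and a binary search over amounts pins the balance down in a few dozen requests. The following is an added example (not code from the post or the merchant) that simulates that oracle, runs the search against it, and shows the response shape that closes the leak. The post only states that the API reacted differently when the victim had enough cash; the simulated API, the victim number, the balance and the search bound are constructed for illustration.

```python
"""How an "insufficient funds" response on a pay-by-phone-number checkout
becomes a balance oracle, and how few queries it takes to read a balance.

Added example, not code from the post or the merchant. The post only states
that the merchant API reacted differently depending on whether the victim's
number could cover the cart total; SimulatedMerchantApi, the victim number,
the balance and the search bound below are constructed to illustrate that.
"""
from typing import Callable, Dict, Tuple


class SimulatedMerchantApi:
    """Stand-in for the custom payment API (api.redacted.com in the post).
    It pushes an STK prompt to the phone only when the balance covers the
    amount, and otherwise answers with a distinguishable error."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self._balances = balances
        self.pushes_sent = 0   # every accepted query pops a prompt on the victim's phone

    def pay(self, phone: str, amount: int) -> Tuple[int, str]:
        balance = self._balances.get(phone)
        if balance is None:
            return 404, "unknown number"
        if balance >= amount:
            self.pushes_sent += 1
            return 200, "stk push sent"
        return 200, "insufficient funds"   # the leak: the caller learns balance < amount


class HardenedMerchantApi(SimulatedMerchantApi):
    """Same backend, but the web client learns nothing about the balance:
    the response is identical whether or not the push could be initiated,
    and the real outcome only arrives through the payment callback."""

    def pay(self, phone: str, amount: int) -> Tuple[int, str]:
        balance = self._balances.get(phone)
        if balance is not None and balance >= amount:
            self.pushes_sent += 1
        return 202, "payment request accepted"


def infer_balance(oracle: Callable[[int], bool], upper: int) -> int:
    """Binary search for the largest amount the oracle accepts in [0, upper]."""
    lo, hi = 0, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def probe_balance(api: SimulatedMerchantApi, phone: str, upper: int = 300_000) -> Tuple[int, int]:
    """Drive the oracle with chosen cart totals; return (inferred balance, queries made).
    `upper` is an assumed cap on the balance being searched for."""
    queries = 0

    def oracle(amount: int) -> bool:
        nonlocal queries
        queries += 1
        status, message = api.pay(phone, amount)
        return status == 200 and message == "stk push sent"

    return infer_balance(oracle, upper), queries


if __name__ == "__main__":
    victim = "+254700000001"                                    # constructed
    leaky = SimulatedMerchantApi({victim: 12_345})
    balance, queries = probe_balance(leaky, victim)
    print(f"leaky API: balance {balance} after {queries} queries, {leaky.pushes_sent} prompts on victim")
    hardened = HardenedMerchantApi({victim: 12_345})
    balance, queries = probe_balance(hardened, victim)
    print(f"hardened API: inferred {balance} (nothing learned) after {queries} queries")
```

With a search range of 0 to 300,000 the leaky API gives up the exact balance in at most 19 requests, and only the accepted ones trigger a prompt on the victim's phone, which is the downside the post mentions. The hardened variant returns the same status and message regardless of funds, so the search degenerates to a constant answer; the merchant should only learn and show the outcome once the customer has acted on the prompt, via the payment callback.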