

Showing posts from March, 2021

Session leak & CORS misconfiguration lead to account takeover

Hello, everyone. This blog is about an account takeover via a session leak over a URL on a private program.

Reconnaissance & Enumeration:

After subdomain enumeration, I found a subdomain that has no pages. So, the right thing to do here is to enumerate the resources. I started using dirsearch & gobuster. Then, I found the following directory:

I found that this JSON contains an id and a value. I tried to refresh the page many times to see if the value would change, but the value doesn't change. So, I opened Burp Suite to see the request and, lol, the value is the cookie value:

But the website is using HTTPS. So I tried to see if there were any misconfigurations, and HTTP was enabled. Also, the cookies weren't regenerated. So, we can capture the request over HTTP.

Steps:
1- Victim opens the link
2- Attacker captures the request and server response in clear text
3- Attacker uses the cookies to log in to the victim's account

Note: since HTTP is enabled atta

How I was able to access ZTE EPMS (Engineering Project Management System)?

Hello, everyone. This blog is about how I was able to access ZTE EPMS (Engineering Project Management System).

Reconnaissance & Enumeration:

Let's start with the most important phases in any pentest operation. After I had finished the subdomain enumeration phase and spent a long time researching each subdomain, I found the following subdomain:

After trying to enumerate the directories, I found nothing. :( So, I clicked on the login button and was redirected to the following login page on a different subdomain.

Testing login functions:

There are two ways to log in: the first via username and password, and the second using a phone number. I started to search for any ZTE leaks I could use, and I also tried many authentication bypass techniques, but none of them worked.

At this time, the waybackurl tool was running in the background. I checked the URLs and, lol, I found a hidden signup page on the login domain.

Login to the Management System:

After signing