Authorization Bypass | writeups.xyz

Title	Vulnerabilities	Programs	Authors
Authorization bypass due to cache misconfiguration	Authorization Bypass Access Control Bypass GraphQL	Undisclosed	Rikesh Baniya (@Rikeshbaniya)
The Hunt for ALBeast: A Technical Walkthrough	AWS ALB Authentication Bypass Authorization Bypass	AWS	Liad Eliyahu (@Liadeliyahu)
Bypassing Account Suspension Using Anonymous Posting \| Facebook Bug Bounty	Authorization Bypass	Meta / Facebook	Ph.Hitachi
Hacking Millions of Modems (and Investigating Who Hacked My Modem)	Authorization Bypass Cryptographic Issues TR-069 Protocol	Cox	Sam Curry (@Samwcyo)
Disclose Instagram Personal Private Archived posts when switching to Professional account through creative hub	Privacy Issue Authorization Bypass	Meta / Facebook (Instagram)	Sarmad Hassan (@JubaBaghdad)
Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform	Path Traversal Authorization Bypass Hardcoded Credentials Weak Flask Session Secret Account Takeover	Points.com United Airlines Virgin	Ian Carroll (@Iangcarroll) Shubham Shah (@Infosec_au) Sam Curry (@Samwcyo)
Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3	RCE Authorization Bypass Security Code Review	Sitecore	Dylan Pindur
GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts	Cloud OAuth Authorization Bypass	Google (GCP)	Astrix Security (@AstrixSecurity)
Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server	RCE SSTI Authorization Bypass Groovy Scripting	Hitachi Vantara (Pentaho)	Harry Withington
Improper Privilege Management in Grails Spring Security Core <= 5.1.0 (CVE-2022-41923)	Privilege Escalation Authorization Bypass	Grails	Benjamin Sepe (@Butanal_C4H8O) Adrien Peter (@Taryax)
Clipchamp ( Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover	Authorization Bypass JWT Account Takeover	Microsoft (ClipChamp)	Vikas Anil Sharma (@Vikzsharma)
GitHub Security Lab audited DataHub: Here’s what they found	SSRF Insecure Deserialization Cypher Injection Authentication Bypass Authorization Bypass XSS Open Redirect JWT JSON Injection Cryptographic Issues Session Expiration Issue Security Code Review	DataHub	Alvaro Muñoz (@Pwntester) Michael Stepankin (@Artsploit) Peter Stöckli (@Ulldma) Kevin Stubbings Jorge Rosillo (@Jorge_ctf) Sylwia Budzynska
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More	Account Takeover SSO RCE Authorization Bypass SQL Injection Mass Assignment Information Disclosure	Kia Honda Infiniti Nissan Acura Mercedes-Benz Hyundai Genesis BMW Rolls Royce Ferrari Spireon Ford Reviver Porsche Toyota Jaguar Land Rover SiriusXM	Sam Curry (@Samwcyo) Neiko Rivera (@_Specters) Brett Buerhaus (@Bbuerhaus) Maik Robert (@XEHLE_) Ian Carroll (@Iangcarroll) Justin Rhinehart (@Sshell_) Shubham Shah (@Infosec_au)
From a 500 error to Django admin takeover	Authorization Bypass Account Takeover	Undisclosed	Shashank (@CyberboyIndia)
Exploiting Admin Panel Like a Boss	Authorization Bypass Weak Credentials	Undisclosed	Shivam Kamboj Dattana (@Sechunt3r)
We Hacked Apple for 3 Months: Here’s What We Found	RCE Authentication Bypass Authorization Bypass SSRF XXE Blind XSS IDOR OS Command Injection SQL Injection	Apple	Sam Curry (@Samwcyo)
Bypassing GitHub's OAuth flow	OAuth Authorization Bypass	GitHub	Teddy Katz (@Not_aardvark)

Page 1 of 1