How I Got $250 For My Second Bug on HackerOne
AI Under Siege: Discovering and Exploiting Vulnerabilities
Stealing First Party Access Token of Facebook Users: Meta Bug Bounty
Over 1 Million websites are at risk of sensitive information leakage - XSS is dead. Long live XSS
Self XSS + Login CSRF + OAuth = Account Takeover
Mobile OAuth Attacks - iOS URL Scheme Hijacking Revamped
POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows
How we escalated a DOM XSS to a sophisticated 1-click Account Takeover for $8000 - Part 1
Oauth Misconfiguration Leads to 0-Click ATO
Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data
Google OAuth is broken (sort of)
How OAuth Implicit Flow Led To Hundreds Of User Accounts Being Accessed?
Securing our home labs: Frigate code review
One Scheme to Rule Them All: OAuth Account Takeover
Hijacking OAuth Code via Reverse Proxy for Account Takeover
XSS on the Oauth callback URL with CSP bypass leading to zero-click account takeover
Oh-Auth - Abusing OAuth to take over millions of accounts
OAuth 2.0 Redirect URI Validation Falls Short, Literally
CVE-2022-4908: SOP bypass in Chrome using Navigation API
nOAuth: Account Takeover via Microsoft Oauth
Account hijack for anyone using Google sign-in with , due to response-type switch + leaking href to XSS on login.redacted.com
Playing Dominos with Moodle's Security (2/2)
SAMLjacking a poisoned tenant
Customer account takeover in Shopify stores
Cross-Tenant Information Disclosure: Unraveling Microsoft Connections, Custom Connectors, and OAuth 2.0 in Power Automate