Olivia
Online
𝐞𝐧𝐞𝐬
@EnesSaltk7
a.k.a phlmox | I’m something of a hacker myself
Joined June 2020
202 Following
580 Followers
284 Posts
@JoshDavisWrites thanks, i am glad you like it
en buyuk cok buyuk ctf geliyor!!!!!
@muzakirbloch1 just for the poc, found it myself manually
Insecure Message Listener -> DOM XSS -> Authorized access to API routes via CORS
An attacker can extract users' critical information and modify it.
An attacker can also make withdrawal requests on behalf of users.
Their response? #bugbounty
+++
They continued to claim that this is neither critical nor even a real vulnerability, but merely social engineering.
So I am disclosing it with their permission.
The vulnerability is still there, but according to them, it does not pose any real problem at all.
"Based on our data, the team has not considered this vulnerability critical."
You might ask why. I asked the same thing.
Their reply was:
"The vulnerability in question is a form of phishing."
Bug bounty sırasında bulduğum ve Cloudflare WAF'ı bypassladığım RXSS yazısı.
https://t.co/SClKeoelKK
Here is my writeup of Intigriti's December XSS challenge. It consisted of 6 smaller challenges combining into a big 1-click exploit.
One of the most fun ones I've ever played. Loved the unique format by @RenwaX23!
https://t.co/mNYyMzdq0G
third party account linking - account takeover
TL;DR: The developers didn't use OAuth's state parameter or implement their own CSRF protection, which led to my OAuth account being linked to theirs.
https://t.co/5iQLR3hMbr
If you find an HTML injection but can't escalate it to XSS due to blacklisted elements, try DOM Clobbering. https://t.co/LC31YhPVRj
@rizasabuncu bakınız ben de şirket kimliği de var
Authentication Bypass https://t.co/EPtlPN7xUw
#bugbounty
Account takeover via insecure postMessage:
https://t.co/V7NnstSC96
nothing fancy, just wanted to write something
#bugbounty
@sametsahinnet Great extension, I appreciate your work. However, it couldn't find the 'API_KEY' variable on the web page due to the carriage return characters in your watchlist.txt. It works fine when you remove them.
@buckberi 1500 ile başladık 30 ile kapatıyoruz :) ya da kapatmıyoruz 3 euro da olabilir her an
This might be the most stupid bug ever: a 6-character long email verification code was leaked in response as an encrypted SHA1
@bugoverfl0w Thanks, you can check the README to see the changes
Modified my JSLinkfinderv2 Burp suite extension which is clone of the original InitRoot's BurpJSLinkFinder and now it's available for community edition.
https://t.co/C4WujDmxt2
@Hacker0x01 @jobertabma @martenmickos As I know each year #hackforgood destination changes, first it was for COVID-19 then for supporting Ukraine.
As you know one of biggest earthquakes recently happened in Türkiye, per this tweet more than 17K lost their lives.
Most Popular Users
Elon Musk 
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.2M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
87M followers
Taylor Swift
@taylorswift13
80.8M followers
Lady Gaga
@ladygaga
72.3M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
68.8M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.4M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.1M followers