@AhmedMa07846126@babz200 The X-XSS-Protection is deprecated, so definitely don't skip. This has nothing to do with the reason XSS doesn't work. See https://t.co/s6gB8SsFeb.
Developers: "Yes, using SHA2 is very safe. Using that for the reset token makes it impossible to hack!"
Me: "Finds out they use SHA2 to hash the user's email as reset token, mass account takeover"
Devs: (0o0)
True story from one of my tests the other day. Lovin' it
@swajyadip @nav1n0x Correct me if im wrong, but afaik the choice of webserver has nothing to do with the backend database. You could have a fully flexing Nginx webserver and use PHP as backend language, and just select this header to be logged in the databsse (thus, creating a possibly dangerous sql
@bughuntar Might not want to share payloads that directly drop tables (although unlikely theyll call it users). People use this, without knowing what the payload actuqlly does. Believe me, you will not mqke friends if you drop tables on a production env.
Am I the only one that just does not accept program invites that are proxied through CF, Imperca or Akamai?
Don't get me wrong: Using it in normal situations is good. I'm just not planning on spending 5+ hours for a XSS bypass, because the company does not hand out Origin IPs.
@_ayoubfathi_ Personally, I get most excited if companies have a "all we got" or nearly that scope. I can live with lower payouts, as long as the company responds quickly and I dont have to wait a week before triage.
Update: Love this program already. Were honest and just rewarded a critical for this, even though i didnt have the "required" proof. Honest program members are the best 👌
So apparently this was no dupe, but the API key got revoked about 12 hours after reporting. Guess the fun part? I forgot to make screenshots. Lesson learned.