Olivia
Online
newfolder
@newfolderj
Muslim Security Student
Random Guy who Breaches Networks like a 9mm bullet
Islamabad Pakistan
Joined October 2017
225 Following
1.2K Followers
150 Posts
ย Pinned Tweet
None => Critical (10/10)
Second Order Account Takeover :
(attacker's VERIFIED email attached to attacker's UNVERIFIED email merged can takeover vicitm's VERIFIED account)
H1 : Closing as Self Account Takeover (none).
Me : Should I Takeover your Account?
H1 : Sure!
Me : BOOOM
@abdilahrf @iustinBB What if the server sends cache:MISS everytime, on existent and non existent path ?
Any way to bypass it ?
@HusseiN98D Hussein, it took me few days to find out in burp previous saved files but I am unable to send you DM as its blocked and require subscription.
Who to follow
Zhenwarx
@zhenwarx
Security Researcher | Bug Bounty Hunter | Traveler
moSec
@moe1n1
security researcher/
bug bounty hunter๐ค๐ฐ
Hacker in โค๏ธ,
'Noob, still learning'.
`I don't mind how high the mountain`
root@AkashHamal0x01:~/ # ๐ต๐ญ
@AkashHamal0x01
Solo | https://t.co/I6KH8WN8nm | Community Helper ๐ค| WebApp Security ๐ | Avid Learner ๐ | Male | Father of Two | Married ๐. 60+ CVEs
@khalidmeister1 @HusseiN98D @samwcyo So whats the point of traversing here or its not vulnerable or should I try something else or maybe you would mind mentioning what you found via the above method as everytime I belive there is nothing when I perform ../ at api endpoints
@khalidmeister1 @HusseiN98D @samwcyo Irfan I have watched the video several times and read different articles but cant exploit or unable to understand the scenario bcz I get /user/victim = 403 with every traverse e.g /user/me/../victim or /user/me/../../user/victim
@m4ll0k Paramminer have this functionality, you would need to Tick it when send request to paramminer
Just submitted my first Smart Contract Bug to the DeFi Protocol, big thanks to Owen, @pashov & @gogotheauditor for their public audits.
@h4x0r_dz I would suggest to go for web3 ctfs such as etheranut etc
@AkashHamal0x01 Put and Delete should be same report because of same path.
POST should be in different report.
I would suggest to submit put first , if the program is considering medium then add the delete one to bump the severity .
@3ncryptSaan @Hacker0x01 Hi ranjan, hackerone told me that we have stopped h1 clear and not accepting any applications. Would you mind telling me when you applied for it and how long did it take ?
@osamaavvan Onsite
@brutexploiter I hope people would get it as it took me and the triager 3 days arguing that what is this and at the end I took his account so marked as critical
None => Critical (10/10)
Second Order Account Takeover :
(attacker's VERIFIED email attached to attacker's UNVERIFIED email merged can takeover vicitm's VERIFIED account)
H1 : Closing as Self Account Takeover (none).
Me : Should I Takeover your Account?
H1 : Sure!
Me : BOOOM
@brutexploiter so the victim and the unverified email both got the forget token , attacker change pass and got the victim's account and at the same time his email also get verified and accounts also got merged so at the end victim's account is destroyed and there are now two account of attacker
Last Seen Users on Sotwe
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.5M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.4M followers
Taylor Swift
@taylorswift13
81.2M followers
Lady Gaga
@ladygaga
72.7M followers
Kim Kardashian
@kimkardashian
69.6M followers
Virat Kohli
@imvkohli
69.4M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.7M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.1M followers
CNN
@cnn
61.9M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.4M followers