surajdisoja.me
  • OAuth and PostMessage

    Chaining misconfigurations for your access token.

    Posted on February 21, 2022

    TL;DR: An OAuth misconfiguration was discovered in the redirect_uri parameter at the target’s OAuth IDP at https://app.target.com/oauth/authorize, which allowed attackers to control the path of the callback endpoint using the...
    Tags:
    • postmessage
    • OAuth
    • ATO
  • Watch your requests!

    Open redirection to account takeover

    Posted on October 5, 2020

    Recently, while testing a web application, I discovered multiple vulnerabilities that, when chained together, could have allowed anyone to take over the victim's account. The affected company name is interchanged...
    Tags:
    • ssrf
    • bugbounty
    • ato
    • graphql

© Suraj Disoja  •  2024