A story when Allah willed me to tried to optimize my findings in the Points-Only program to be able to get 6 paid P1 issues in the bounty program.

بسم الله الرحمن الرحيم

Mirroring from: http://www.firstsight.me/2020/11/optimizing-hunting-results-in-vdp-for-use-in-bug-bounty-programs---from-sensitive-information-disclosure-to-accessing-hidden-apis-which-can-be-used-to-retrieve-customer-data/

As usual, I will try to release this write-up with two different approaches, which are:

Please kindly note: this write-up will probably be quite a long write-up. Because…

A story about how I Finally could use an AD account that unenrolled to MFA, by using an EWS Misconfiguration to Access Email Inbox and (Having the Ability) to Dump the Global Address List.

بسم الله الرحمن الرحيم

Mirroring from: http://www.firstsight.me/2020/06/from-recon-to-bypassing-mfa-implementation-in-owa-by-using-ews-misconfiguration/

Note: I want to thank (again) Th3g3nt3lman for his talks about Github Recon and Sensitive Data Exposure. I use it as a way to find the AD credentials.

And also thanks to Beau Bullock from Black Hills Infosec for the research they have published on Bypassing Two-Factor Authentication on OWA and Office365 Portals (by using the EWS Misconfiguration). I use it as a way to access this protected account and to increase its impact.

As usual, I will try to release this article with two different approaches, which are:

A story about how I got several simple bugs (1 P2, 1 P3, and 2 P4s) on a target (that just allow Specific Country Code to Register) by using Premium Phone Number.

بسم الله الرحمن الرحيم

Mirroring from: http://www.firstsight.me/2020/06/from-399-to-1650-usd-part-i-simple-vertical-privilege-escalation-by-changing-http-response/

As usual, I will try to release this article with two different approaches, which are:

Please kindly enjoy the story.


Here are the simple 7 points…

How I Finally could Got into an Internal Network (and could accessing all of their internal assets) by Using Various Vulnerabilities.

بسم الله الرحمن الرحيم

Mirroring from: http://www.firstsight.me/2020/02/from-recon-to-optimizing-rce-results-simple-story-with-one-of-the-biggest-ict-company-in-the-world/Here is a little story about how I finally could got into an internal network (and could accessing all of their internal assets) at one of the biggest ICT company in the world by using various vulnerabilities (from sensitive data exposure, miss-configuration, until outdated version of application that vulnerable to unauthenticated RCE).Note: The program owner has given me a permission to release this article.PDF Version: Download here.

So, as my other write-ups, this simple article will has 2 different approaches, which are:

CVE-2019–18653 & CVE-2019–18654: The story when Reflected XSS was triggered from the SSID Name (It also affected AVG AntiVirus because basically the product codes were mostly “merged”).

بسم الله الرحمن الرحيم

So, this article will be explained in two ways, which are the one that tells how I got it and the one that tries to explain the basic and reference.Readers could also read the TL;DR section directly.


1.1. Create an SSID Name with a simple XSS Payload (with maximum = 32 characters). We can use BruteLogic and s0md3v short XSS payload (thanks man!).

1.2. Connect your Windows OS (with Avast AntiVirus installed and active) to the SSID and wait for the Avast Network Notification Feature to trigger the XSS payload.

Triggering the XSS via SSID Name

1.3. Report it to Avast…

The story of when you download a file that looks “legitimate”, but changes when you run the file.

بسم الله الرحمن الرحيم

Update I (Jan 21st, 2020): Opera has replied the email and acknowledged the reported issue. On that occasion, Opera also apologized for the delay in their response.

Response from Opera

Update II (Feb 27th, 2020): Opera notifies if Opera Mini 47 has been released and is being rolled out to 50%. They also offer a good HoF (I haven’t provided the information needed).

So, let say you download the .png file. But when you try to open it, the file will be executed as a malicious .apk file. 

بسم الله الرحمن الرحيم

(This is a 2017 article that has been released at my personal blog).


We can’t deny if one of the biggest dream for everyone that has so many contents at their site is to be indexed at top search engine in the world. In reality, we should realize that even the search engine could help us to “promote” our contents to public, the search engine itself could “betrayed” the site owner to leakage the information if those site owners doesn’t setup the blocking rules properly.

This kind of mindset was coming out with a good fact…

بسم الله الرحمن الرحيم

- Part I from (hopefully) IV Parts -

Update I: Added a “Reference” Section.

Update II: “We” at this series of article will refer to Faisal Yudo Hernawan, Tomi, and Me.

Update III: The way to exploiting the “upload.php” function has been released at Tomi’s write-up. It could be bypass with the .phtml extension.

Update IV: The reason why we choose those target (the one that has a stored-XSS issue), has been released at this write-up (from simple bypass of registration activation that lead to many bug).


1.1. Few Words about this Write-Up

As an information…

بسم الله الرحمن الرحيم

Laporan merupakan suatu hal yang terbilang penting ketika seorang penguji hendak menyampaikan suatu kerentanan baik ketika berpartisipasi di dalam suatu program bug hunting maupun di tingkat pekerjaan yang lebih formal seperti Penetration Test dan semacamnya.

Informasi mengenai fungsi dari suatu fitur berikut dengan letak permasalahan (kerentanan) dari fitur dimaksud, merupakan suatu hal dasar yang perlu disajikan oleh para penguji dengan harapan dapat menyampaikan informasi yang optimal di dalam memahami dampak serta rekomendasi perbaikan yang ada.

Namun demikian, sayangnya tidak sedikit para penguji yang cukup kesulitan dalam merangkai suatu laporan sehingga berujung pada beberapa situasi kurang baik…

بسم الله الرحمن الرحيم

Please kindly visit this simple paper directly to looking this release (for a simple look — November, 2017 Article):

[English Version] PayPal — Turning Self-XSS into non-Self Stored-XSS via Authorization Issue

For completing the explanation, we upload the video at Youtube for both of scenario:


As a part for delivering the technical support to all of PayPal’s merchant, PayPal providing the portal (located at: https://www.paypal-techsupport.com) for their merchant to communicate each other with PayPal…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store