While I was testing one of our clients web-application, I found an Open Redirect vulnerability in a parameter named “return”
https://app.reacted.com/login?return=https://google.com ,, very simple…

Wrote it down and continued testing and while I was testing the reset password functionality I came across the following request responsible to reset user password

POST /ForgotPassword HTTP/1.1

Host: app.reacted.com

— {some headers}

Cookie: cookies,,,

DNT: 1

Connection: close

{“email”:”my-email@gmail.com”,”returnUrl”:”/reset/password/:userId/:code”}

The JSON key “returnUrl” looks really interesting,,,

Yes the first thing came to my mind is to try
”returnUrl”:”https://my-website.com/reset/password/:userId/:code”
So That when user clicks the reset password link he should be redirected to “my-website.com” …


While I was testing one of our clients web-application, there was a function called “Add Account” which allows user to connect two accounts, so that he can access both of them without needing to logout out the first account and sign in again.
Both accounts will have access to each other and from any account of them user can control the other and also user can connect any number of accounts together.

This action caught my attention, so I decided to try to understand how this feature works and find a way in which it can be abused.
I opened my…


Introduction

At first there no thing especial about this article, it only illustrates steps to takeover subdomains pointing to strikingly and not registered on it or expired as I see that no one has written about this before.

Strikingly is one of the best website builders for one page websites with a lot of good features. If you’re not familiar with one page websites, they are long websites where clicking the navigation scrolls you up and down the page.

Signs to look for

While scanning Subdomains for a website, I have seen -for the first time- a subdomain with the a CNAME DNS record pointing…

Sherif Afifi

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store