cat ~/footstep.ninja/blog.txt

where I share my findings and whatnot

  • Exploiting HTML Injection in Email

    Sequel to my last post, I’ll be discussing about HTML injection on the same target. HTMLi is a vulnerability that can be exploited in any application that renders HTML code; email happens to be one.

    Read more…
  • Story of an IDOR via HTTP

    Oh! Yea, HTTP is the most common channel you could find an Insecure Direct Object Reference (IDOR) Vulnerability (IMO). I should call this an IDOR series, hahah!

    Read more…
  • Exploiting a Self Stored XSS with an IDOR

    In this post, I’ll be talking about an interesting bug chain I discovered a few months ago; Stored XSS + IDOR (Cross Site Scripting and Insecure Direct Object Reference respectively).

    Read more…
  • IDOR via Websockets

    In my previous post, I shared my love for testing Insecure Direct Object Reference (IDOR) vulnerability. This time I’ll be sharing the situation where I found an IDOR in Websockets.

    Read more…
  • My Struggle with Websockets Testing

    Until a few months ago, I have only dealt with HTTP(S) endpoints. Then there was an application I was testing which I couldn’t figure out how it communicated to the server even though I am always logging every request with Burp Suite.

    Read more…
  • Story of an IDOR via Email

    A year ago, I discovered an Insecure Direct Object Reference (IDOR) vulnerability which allowed anyone to reply to messages on behalf of other users on a website.

    Read more…
  • How I built my blog from scratch with Hugo, Github, and Netlify

    Hello everyone! I’m going to document the steps involved in setting up this blog so anyone can also pick it up as a guide when they want to do the same.

    Read more…
  • Tale of a Misconfiguration in Password Reset

    This post is about a misconfiguration in password reset I found on a popular help desk software sometimes ago where they were leaking the reset token.

    Read more…
  • Hacken Cup 2018 CTF Walkthrough

    I’ve got this down since the CTF and saw a few writeups on the same. Then I thought why not share my approach too :D

    Read more…
  • Hello World

    Hello World! Yay! Finally, I made a blog. So, exactly a year ago today, I made a list of goals for this year, 2018.

    Read more…