Anirudh Kaushal on LinkedIn: GitHub - anirudh3171/SSL-pinning-bypass: SSL Pinning bypass using frida… | 12 comments (2024)

Anirudh Kaushal

CTO @ Vendisys | Automation Expert | Cyber Security Researcher


I am frequently asked how one can bypass SSL Pinning during Android Penetration Testing. SSL Pinning is actually a technique used in applications to avoid man-in-the-middle attacks by validating the server certificates again, even after the SSL handshake. SSL Pinning in Android applications does not allow penetration testers to intercept the to-and-fro communication with the backend in the BurpSuite tool. There are quite a few techniques to bypass SSL Pinning, but one of the most widely used is Frida Server. Setting up the Frida Server is quite challenging and requires a lot of steps. I have created a Python script that automates the complete hefty process of installing and configuring Frida Server and the Android Emulator. Feel free to use the tool and share your insights. The GitHub repo with configuration steps can be found at https://lnkd.in/ejncbzs

If you want something to be added or have some other project-related problems, please raise an issue on GitHub or DM me on LinkedIn.

#AndroidPenetration #infosec #cybersecurity

anirudh3171/SSL-pinning-bypass github.com

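The post describes pinning as validating the server certificate again after the TLS handshake. As an added illustration (not code from the author's repository), this Python check computes the common "sha256/" SPKI pin and enforces a per-host pin set with a backup pin, so a chain issued by an interception proxy's CA is rejected for a pinned host; the SPKI byte strings are constructed stand-ins for real DER.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Set

def spki_pin(spki_der: bytes) -> str:
    """Pin = "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or "*.example.com" matching exactly one extra label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern

class PinningError(Exception):
    """A pinned host presented a chain containing none of its pinned keys."""

def check_pins(host: str, chain_spkis: List[bytes], pin_config: Dict[str, Set[str]]) -> Optional[str]:
    """Return the matching pin, None if the host is not pinned, or raise PinningError."""
    expected: Set[str] = set()
    for pattern, pins in pin_config.items():
        if host_matches(pattern, host):
            expected.update(pins)
    if not expected:
        return None              # unpinned host: ordinary CA validation applies
    observed = [spki_pin(spki) for spki in chain_spkis]
    for pin in observed:         # any certificate in the chain may carry the pinned key
        if pin in expected:
            return pin
    raise PinningError(f"{host}: no pinned key in chain {observed}")

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
SERVER_SPKI = b"constructed SPKI: server key v1"
BACKUP_SPKI = b"constructed SPKI: server key v2 (held offline for rotation)"
PUBLIC_CA_SPKI = b"constructed SPKI: public root CA"
PROXY_CA_SPKI = b"constructed SPKI: interception proxy CA"

PIN_CONFIG = {
    "api.example.com": {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)},  # leaf + backup pin
    "*.cdn.example.com": {spki_pin(PUBLIC_CA_SPKI)},                     # pin the issuing CA
}

def demo() -> Dict[str, Optional[str]]:
    results = {}
    results["genuine"] = check_pins("api.example.com", [SERVER_SPKI, PUBLIC_CA_SPKI], PIN_CONFIG)
    results["rotated"] = check_pins("api.example.com", [BACKUP_SPKI, PUBLIC_CA_SPKI], PIN_CONFIG)
    results["unpinned"] = check_pins("www.example.com", [PROXY_CA_SPKI], PIN_CONFIG)
    try:
        check_pins("api.example.com", [b"leaf issued by proxy", PROXY_CA_SPKI], PIN_CONFIG)
        results["intercepted"] = "accepted"
    except PinningError:
        results["intercepted"] = "rejected"
    return results
```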

Partho Kobiraj Mandal

Assistant manager at Cyber Defence KPMG India | OSCP | LCEH

3y


Nice one bud


balu k

Yes, I'm an Attacker

3y


So many apps have anti-tampering detection... it's impossible to SSL-unpin them with automation. Use a rooted device with Xposed for those apps. https://balook.github.io


Adarsh Shetty

Application Security Engineer @ Zynga

3y


Looks interesting. Will try this out and let you know!!


Amit prajapat

Lead security consultant-Mobile at Payatu

3y


Automated the manual process 🤟


Shyam Pareek

Solution Advisor at Deloitte USI

3y


I'm surely gonna try this one soon! Thanks for sharing :)


More Relevant Posts

  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    I’m happy to share that I’m starting a new position as Chief Technology Officer at Vendisys!


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    I’m happy to share that I’m starting a new position as Associate Solution Advisor at Deloitte India (Offices of the US)!


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Found a Sensitive Information Disclosure Vulnerability in a WordPress based Website. Upon Recon, I came across some endpoints that were disclosing information of registered users, internal user keys, API keys, OAuth Tokens etc. The endpoint being referred to here is:
    - https:// WP-website. com/wp-json/
    and some sub-directories like:
    - https:// WP-website. com/wp-json/wp/v2/
    - https:// WP-website. com/wp-json/wp/v2/users
    The /wp-json/ endpoint in a WordPress website allows us to access the REST API for the site. This is more of a misconfiguration on the organization's side, as they have not restricted access to certain endpoints. These endpoints can be found on almost all WordPress based Websites, and if not access-restricted properly, will disclose sensitive information. Upon researching more about the vulnerability, I was able to find several Google Dorks and a Disclosed Hackerone Report related to the same. Do have a look at them and feel free to ping me to discuss more about them.
    References:
    - To know more about the wp-json endpoint: https://lnkd.in/gkqD5Bi
    - Google Dork: https://lnkd.in/gyN8SFD
    - Google Dork: https://lnkd.in/gXZbfjF
    - Hackerone Report: https://lnkd.in/gya_4RA
    #cybersecurity #infosec #bugcrowd


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Found an Information Disclosure vulnerability in a REST API using CQL Injection. CQL stands for Confluence Query Language and is used for advanced search in Atlassian's Confluence REST API. During reconnaissance, I came across an endpoint that was returning an error, "No CQL Parameter Found". Out of curiosity, I added a GET parameter named CQL with a random value "c" and got the response, "No field exists with the name: 'c' Did you mean one of content, creator, created, container, contributor". This piqued my interest, as the API responsively returned the possible parameter values. Automating the process a bit, I was able to enumerate all the possible values, including Ancestor, ID, Labels, etc. On sending the value "ID", I got another error saying, "Expecting operator for field 'id', supported operators are: =, !=, IN, NOT IN". This implies that ID is actually a parameter and needs a value. The value of ID can be brute-forced, but it would not be very efficient. In programming languages, there is an operator "!=" (NOT EQUAL TO) that returns true if the operands don't have the same value. Using this to my advantage, I sent the value "-1" and voila, I had a huge amount of sensitive data to look through.
    Payload: http://test .com/path/?cql=id!=-1
    #infosec #vulnerability


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Found a Broken Authentication and Session Management vulnerability on a website. The website was using several third-party tools to track users, for customer support, and for other purposes. Some of the third-party tools had their cookies scoped to the parent domain. The main/parent website logs the user out after some time of inactivity. Somehow, the session in the third-party tools was not being ended after the main website logged the user out. Using the cookie from the third-party tools got me logged in to the main website, bypassing the authentication. I was only able to exploit it when the person had logged into that system before, and I made my vulnerability report showing the impact for a shared computer. Later, I was told that the internal team did find some parameters that would lead to a remote attack as well. Initially, I thought that this was probably due to improper implementation of the third-party software, but came to know that it was an issue of the third-party software itself.
    #Bugcrowd #InfoSec #CyberSecurity #Vulnerability


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Recently, one of the security vulnerabilities I reported to Google got accepted and was eligible for a reward under their VRP program, and also registered a spot in Google's Bughunter Hall of Fame, at https://lnkd.in/eDUTHZD. I was able to bypass an Authentication mechanism implemented in the Gmail Application. If exploited, it could have led to several critical attacks, even leading to Complete Account Takeovers. I really recommend that security researchers be a part of Google VRP and try to find security vulnerabilities in their massive scope of domains and acquisitions. I would also like to thank my mentors Mudit Budhiraja Sir, Vikash Chaudhary Sir and Partho Mandal Sir for their constant support and guidance.
    #Google #VRP #GoogleHoF #Infosec #BugBounty #CyberSecurity #HallOfFame #InformationSecurity #BugHunting


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Found a vulnerability that was causing an Application Level DoS Attack. My friend Harsh Aksh*t and I were testing a social media platform's Android application and were sharing the relevant findings in the chat section of the same application. For reference, Harsh shared a link with me explaining the working of a functionality. As soon as I clicked on the link, the app crashed. Even on restarting the app, as soon as I clicked on the Messages option, the app crashed again. I then had to delete the message from the web application. We were able to reproduce the vulnerability again and figured out that the link shortener had some issues while shortening special characters like ¿ (%bf), ½ (%bd), ï (%ef), and replaced them with a "very" long string of gibberish before shortening. For example:
    The Original URL: https:// example. com/¿
    Shortened URL: https://sh. ort/smthing
    Re-Lengthened URL: https:// example. com/G1bb3r1$gI66er!S#...<continues for over a thousand characters>
    So ultimately, when the receiving user tries to access the link, the web view of the application crashes, crashing the complete app. This vulnerability can also be referred to as "Improper implementation of WebView", but we actually figured that out after submitting the report.
    #Hackerone #Infosec


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    Found a vulnerability that allowed me to tamper with the error reports being generated by the website. All these generated reports were being logged at a subdomain of that organization. What caught my eye was that I was able to edit all the parameters of the report, to any length of string - no character limitations. Also, there was a No Rate Limiting vulnerability at the same endpoint. By chaining both vulnerabilities, I could have flooded their error-logging system with huge error reports.
    P.S. - I tried a lot to explain to them how it could be exploited and how much it might impact them; still, they weren't interested and closed the report as "Informative".
    #vulnerability #infosec #cybersecurity #hackerone


  • Anirudh Kaushal

    CTO @ Vendisys | Automation Expert | Cyber Security Researcher


    I am happy to tell you that my team "JIIT Noida_3rr0r_4o4_No7_f0uNd" is among the top 13 teams selected for the Grand Finale of Deloitte's Collegiate Cyber Threat Competition (CCTC), Technoutsav. It has been a great journey till now, with 3 rounds and over 19,000 participants. I would also like to thank my team members AMAN AHUJA and Sunny Dhama; without them I might not have reached this far. We look forward to performing to the best of our calibre in the upcoming round as well.
    #Deloitte #JIIT #Technoutsav #CCTC

