POCs For Various Exploits and Vulnerabilities

This document provides proofs of concept (POCs) for various exploits and vulnerabilities, including cross-site scripting (XSS), remote code execution (RCE), insecure direct object references (IDOR), unrestricted file upload (UFU), local file inclusion (LFI), deserialization, race conditions, brute force attacks, SQL injection, and privilege escalation. It lists specific bug bounty reports and vulnerabilities that demonstrate each type of exploit.

Uploaded by

Akhilesh Gokhale
Copyright: © All Rights Reserved

POCs for various exploits and vulnerabilities
POC for XSS:
Cross-site scripting (XSS) is an injection vulnerability in which attacker-controlled input
(a query parameter, a stored profile field, a cookie) is written into a page without being
encoded for its HTML context, so the victim's browser renders it as script running in the
application's origin.
● AirBnb Bug Bounty: Turning Self-XSS into Good
● Google XSS Turkey
● How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)
● Uber XSS via Cookie
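
The following is an added example, not code from the page or from any of the reports above. It shows the defect behind a reflected XSS (user input concatenated into HTML) next to the fix (context-specific output encoding), and why encoding alone is not enough in an href attribute. The payload string and function names are constructed for the demo.

```python
import html

# Constructed attacker input for the demo (not taken from the page): a
# reflected-XSS probe that reads document.cookie if it is rendered as markup.
PAYLOAD = '<script>alert(document.cookie)</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: the value of ?name= is concatenated straight into HTML."""
    return "<h1>Hello, " + name + "!</h1>"


def render_greeting_safe(name: str) -> str:
    """Hardened: entity-encode for the HTML body context before output."""
    return "<h1>Hello, " + html.escape(name, quote=True) + "!</h1>"


def render_link_safe(profile_url: str) -> str:
    """Attribute context: encoding stops the value breaking out of the quotes,
    but a javascript: URL is still a valid href, so the scheme must also be
    allow-listed (here: http and https only, everything else becomes '#')."""
    if not profile_url.lower().startswith(("http://", "https://")):
        profile_url = "#"
    return '<a href="' + html.escape(profile_url, quote=True) + '">profile</a>'
```

The self-XSS case in the Airbnb report differs only in who the payload is shown to; the output-encoding fix is the same.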

POC for RCE:
Remote Code Execution (RCE), sometimes called remote code evaluation, is a vulnerability in
which user input reaches a file or string that the language runtime then executes
(evaluates), letting an attacker run code of their choosing on the server.
● PayPal Inc Bug Bounty #114 - JDWP RCE Vulnerability
● How I Hacked Facebook, and Found Someone's Backdoor Script
● JetBrains IDE Remote Code Execution and Local File Disclosure

POC for IDOR:
Insecure direct object references (IDOR) are an access control vulnerability that arises
when an application uses user-supplied input (an id in a URL or request body) to look up
an object directly, without checking that the requesting user is authorized for that object.
● Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
● DOB disclosed using "Facebook Graph API Reverse Engineering"
● Change the description of a video without publish_actions permission
● View liked tweets of private account via publish.twitter.com
● Facebook Vulnerability - Delete Any Video on Facebook
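
An added example, not code from the page or from the reports listed above: the lookup that makes an IDOR (the id from the request is the only input) beside a lookup scoped to the authenticated user, applied to a write operation too, since several of the reports above are write-side cases (deleting another user's video, resetting another user's password). The indirect-reference map at the end is the alternative of never exposing database ids at all. The data and names are constructed.

```python
import secrets

# Constructed sample data (not from the page): two users who each own one invoice.
INVOICES = {
    1001: {"owner": "alice", "amount": 42.00, "status": "open"},
    1002: {"owner": "bob",   "amount": 99.50, "status": "open"},
}


class Forbidden(Exception):
    pass


def get_invoice_unsafe(session_user: str, invoice_id: int) -> dict:
    """Vulnerable: the id from the URL is the only input to the lookup, so
    bob can read alice's invoice just by requesting /invoices/1001."""
    return INVOICES[invoice_id]


def _owned(session_user: str, invoice_id: int) -> dict:
    """Resolve an id only if it belongs to the caller. 'Missing' and 'not
    yours' share one error so the response does not confirm the id exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        raise Forbidden("invoice not found")
    return inv


def get_invoice_safe(session_user: str, invoice_id: int) -> dict:
    return dict(_owned(session_user, invoice_id))


def cancel_invoice_safe(session_user: str, invoice_id: int) -> None:
    """State-changing routes need exactly the same check as reads."""
    _owned(session_user, invoice_id)["status"] = "cancelled"


class IndirectRefs:
    """Alternative design: each session receives random tokens that map back
    to ids only for that session, so there is no sequential id to tamper with."""

    def __init__(self) -> None:
        self._map = {}   # (session_user, token) -> invoice_id

    def token_for(self, session_user: str, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._map[(session_user, token)] = invoice_id
        return token

    def resolve(self, session_user: str, token: str) -> int:
        try:
            return self._map[(session_user, token)]
        except KeyError:
            raise Forbidden("unknown reference") from None
```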

POC for UFU:
Unrestricted File Upload (UFU) is a vulnerability that arises when a server-side web
application accepts uploaded files without adequate checks on their name, type and
content, so an attacker can store a file of their choosing (typically a web shell) where
the server will later execute or serve it.
● Unrestricted File Upload to RCE | Bug Bounty POC
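
The checks that turn an unrestricted upload into a restricted one, as an added example that is not code from the page or from the report above. It rejects the usual bypasses (wrong extension, double extension, null byte, renamed script, path in the file name) and never lets a user-chosen name reach disk. The upload directory, sample files and function name are assumptions made for the demo.

```python
import os
import posixpath
import secrets

# Assumed storage location (not from the page): outside the web root, so a
# stored file is never resolved by the web server as a script.
UPLOAD_DIR = "/var/app/uploads"

# Allow-list of extensions with the magic bytes each one must start with.
MAGIC = {
    ".png":  b"\x89PNG\r\n\x1a\n",
    ".jpg":  b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed sample payloads (not from the page).
PHP_SHELL = b"<?php system($_GET['c']); ?>"
PNG_BYTES = MAGIC[".png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 16


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason_or_storage_path).

    The client-supplied Content-Type is attacker-controlled; it is reported
    back in the rejection message but never used to make the decision."""
    # Strip any directory part so ../ or absolute paths cannot steer storage.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "bad file name"
    # Only the final extension counts, compared case-insensitively:
    # 'shell.php.jpg' is '.jpg', 'shell.PHP' is '.php'.
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed (declared {content_type})"
    # The bytes must be what the extension claims; a PHP file renamed to
    # .jpg fails here.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Store under a server-generated name so nothing the user chose reaches disk.
    stored = secrets.token_hex(16) + ext
    return True, posixpath.join(UPLOAD_DIR, stored)
```

A polyglot (a valid JPEG header with PHP appended) still passes the magic check. That is why the random name, storage outside the web root, serving with `X-Content-Type-Options: nosniff`, and re-encoding images before use are part of the same fix, not optional extras.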

POC for LFI:
Local File Inclusion (LFI) occurs when an application builds the path of a file it reads or
includes from user-supplied input without validating it, so an attacker can use "../"
sequences or absolute paths to make the server read files outside the intended directory.
● Reading local files from Facebook's server (fixed)
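
An added example, not code from the page or from the report above, of the path-traversal defect behind most LFI bugs and the canonical-path check that fixes it. The directory layout is constructed in a temporary directory so the demo runs offline; the file names and function names are assumptions.

```python
import os
import tempfile


def read_template_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable: the user-supplied name is joined onto the template
    directory. '../' walks out of it, and an absolute name discards base_dir
    entirely because os.path.join restarts at an absolute component."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def read_template_safe(base_dir: str, name: str) -> str:
    """Hardened: resolve symlinks and '..' first, then require the result to
    still lie inside base_dir. The check runs on the canonical path, so a
    name that only looks harmless (symlink, mixed separators) is caught."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{name!r} resolves outside the template directory")
    with open(target) as fh:
        return fh.read()


def demo() -> dict:
    """Build a throw-away tree (constructed for this example) with a
    'templates' directory and a secret next to it, then try both readers."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates")
        os.mkdir(tpl)
        with open(os.path.join(tpl, "hello.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("db_password=hunter2")

        out = {"legit": read_template_safe(tpl, "hello.txt")}
        # The vulnerable reader happily returns the file outside the directory.
        out["unsafe_leaks"] = read_template_unsafe(tpl, "../secret.txt") == "db_password=hunter2"
        for label, name in (("safe_blocks_relative", "../secret.txt"),
                            ("safe_blocks_absolute", os.path.join(root, "secret.txt"))):
            try:
                read_template_safe(tpl, name)
                out[label] = False
            except PermissionError:
                out[label] = True
        return out
```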
POC for Deserialization:
Insecure deserialization is a vulnerability that occurs when untrusted data is deserialized
without validation: the attacker controls the object graph being reconstructed and can use
it to abuse application logic, inflict a denial of service (DoS), or, through gadget chains
in the classes available to the deserializer, execute arbitrary code.
● Remote Code Execution Vulnerability
● Instagram's Million Dollar Bug
● EXPLOITING JAVA DESERIALIZATION VIA JBOSS

POC for Race Condition:
A race condition occurs when the outcome of an operation depends on the timing of concurrent
requests, typically a check followed by an action with no lock spanning the two. By sending
several requests at once an attacker can make the check pass for all of them and, for
example, redeem a one-time coupon or invite several times.
● Race conditions on Facebook, DigitalOcean and others (fixed)
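
An added example, not code from the page or from the report above: a one-time coupon redeemed by a burst of simultaneous requests. The racy version checks, then acts, with nothing holding the two together; a barrier forces every request through the check before any of them acts, which is what an attacker achieves with timed parallel requests. The locked version makes check-and-act one step. Service, coupon code and function names are constructed.

```python
import threading


class CouponService:
    """Constructed one-time-coupon service (not from the page)."""

    def __init__(self) -> None:
        self.used = set()
        self.ledger = []             # one entry per credit granted
        self._lock = threading.Lock()

    def redeem_racy(self, code: str, gate: threading.Barrier) -> bool:
        if code in self.used:        # check ...
            return False
        gate.wait()                  # every request has now passed the check
        self.used.add(code)          # ... then act: the TOCTOU window
        self.ledger.append(10)
        return True

    def redeem_safe(self, code: str, gate: threading.Barrier) -> bool:
        gate.wait()                  # same burst of simultaneous requests
        with self._lock:             # check and act are one atomic step
            if code in self.used:
                return False
            self.used.add(code)
            self.ledger.append(10)
            return True


def burst(method_name: str, code: str = "WELCOME10", n: int = 8):
    """Fire n concurrent redemptions; return (credits granted, successes)."""
    svc = CouponService()
    gate = threading.Barrier(n, timeout=5)
    results = []
    method = getattr(svc, method_name)
    threads = [threading.Thread(target=lambda: results.append(method(code, gate)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(svc.ledger), sum(results)
```

In a web application the lock cannot be an in-process mutex, because requests land on different processes and hosts; the equivalent is a database construct such as `UPDATE coupons SET used = 1 WHERE code = ? AND used = 0` with a check that exactly one row changed, a unique constraint on (user, code), or `SELECT ... FOR UPDATE` inside one transaction.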

POC for brute force:
A brute force attack (also known as brute force cracking) is the cyberattack equivalent of
trying every key on your key ring until one fits: the attacker submits many candidate
passwords, codes or tokens against an endpoint that does not rate-limit or lock out
failed attempts.
● InstaBrute: Two Ways To Brute-Force Instagram Account Credentials
● How I Could Compromise 4% (Locked) Instagram Accounts
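
The control whose absence the Instagram reports above describe, as an added example that is not code from the page: failed-login counting with a sliding window and lockout, keyed on both the target account and the source address, with constant-time password comparison so that unknown usernames are not distinguishable by timing. The user store, thresholds and clock are constructed for the demo; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import time
from collections import deque

# Constructed user store (not from the page). A fixed salt keeps the demo
# short; real systems use a random per-user salt.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse battery staple")}
_DUMMY = _hash("unused")   # compared against for unknown users: equal timing


class ManualClock:
    """Test clock: call it to read the time, set .now to move it."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    """Counts failures per key within a sliding window; reaching max_failures
    locks the key for `lockout` seconds."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self._fails = {}     # key -> deque of failure timestamps
        self._locked = {}    # key -> unlock time

    def is_locked(self, key) -> bool:
        return self.clock() < self._locked.get(key, float("-inf"))

    def record_failure(self, key) -> None:
        now = self.clock()
        q = self._fails.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked[key] = now + self.lockout
            q.clear()

    def record_success(self, key) -> None:
        self._fails.pop(key, None)


def login(guard: LoginGuard, username: str, source_ip: str, password: str) -> str:
    """Throttle on the account and on the source: per-IP alone is defeated by
    rotating proxies, per-account alone by spraying one password across
    many accounts."""
    keys = (("acct", username), ("ip", source_ip))
    if any(guard.is_locked(k) for k in keys):
        return "locked"
    ok = hmac.compare_digest(USERS.get(username, _DUMMY), _hash(password)) and username in USERS
    for k in keys:
        (guard.record_success if ok else guard.record_failure)(k)
    return "ok" if ok else "denied"
```

A hard lockout lets an attacker deny service to a victim by failing on purpose; many services therefore prefer progressive delays or a CAPTCHA after a few failures and rely on MFA, while keeping per-source limits strict.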

POC for SQL injection:
SQL injection is a code injection technique against data-driven applications in which
attacker-supplied input is concatenated into a SQL statement, so that it changes the
structure of the query instead of being treated as data.
● GitHub Enterprise SQL Injection
● Yahoo – Root Access SQL Injection
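
An added example, not code from the page or from the reports above, using an in-memory SQLite database so it runs offline: a login query built by string formatting, the authentication bypass and UNION-based extraction it allows, and the parameterized query that removes the problem. The schema, rows and attacker strings are constructed; passwords are stored in clear only to keep the extraction demo short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users(username, password, role) VALUES (?, ?, ?)",
                     [("admin", "s3cret!", "admin"), ("alice", "hunter2", "user")])
    return conn


def login_unsafe(conn, username: str, password: str):
    """Vulnerable: input is pasted into the statement text. A quote in the
    username closes the string and '--' comments out the password check."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Hardened: the statement text is fixed; values travel as bound
    parameters and cannot change its structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def find_users_unsafe(conn, name_filter: str):
    """A second vulnerable sink: UNION pulls the password column through a
    query that was only meant to list names and roles."""
    sql = f"SELECT username, role FROM users WHERE username LIKE '{name_filter}%'"
    return conn.execute(sql).fetchall()


# Constructed attacker inputs.
BYPASS = "admin' --"
EXFIL = "' UNION SELECT username, password FROM users --"
```

The Yahoo report's "root access" outcome is the MySQL continuation of the same bug (stacked queries, FILE privilege); the parameterized form closes all of it because no input can ever become SQL syntax.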

POC for Privilege Escalation:
Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration
error in an application or operating system to gain elevated access to resources that should
normally be unavailable to that user.
● Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC
