ScriptJacker Blogs

Vulnerabilities Die Here


Latest Blog Post

Stored XSS

Converting Self-XSS to Stored XSS leads to mass Account Takeover (ATO)

The attacker initially discovered a Self-XSS vulnerability, and misusing the application's features gave it critical impact. Although harmless in the browser, this input was later stored and rendered elsewhere without sanitization, escalating it to a Stored XSS. Since the payload executed in every user’s session, it could hijack authentication tokens or cookies.

Parth Narula

Difficulty: Low

Request Manipulation

The Art of Request Manipulation

Attackers intercepted and modified raw HTTP requests (especially POST parameters) using Burp Suite. When fields were tampered with, the server returned detailed SQL error messages and stack traces that weren’t visible through the browser. These internal error disclosures reveal database structure and back-end logic, risking information exposure and aiding further exploits. The root issue was over-detailed error handling and missing input validation.

Parth Narula

Difficulty: Low



Let's Talk

Do you want to learn more about how I can help your company with its pentesting needs? Let us have a conversation.