YoKo Kho

Category: Web Apps

Collection of the bug that specifically found at web application

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

In the name of Allah, the Most Gracious, the Most Merciful. – Part I from (hopefully) IV Parts – Update I: Added a “Reference” Section. Update...

September 14, 2019

Bug Report / Web Apps / Write-Up

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] IDOR...

April 17, 2018

Bug Report / Web Apps / Write-Up

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] Ribose — IDOR...

April 16, 2018

Bug Report / Web Apps / Write-Up

Bypassing the Current Password Protection at PayPal Tech-Support

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release (December, 2017 Article):[English Version]...

December 26, 2017

Bug Report / Web Apps / Write-Up

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal – Information...

December 26, 2017

Bug Report / Web Apps / Write-Up

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal — Turning Self-XSS into...

November 12, 2017

Bug Report / Web Apps / Write-Up

FortiNet – Unrestricted Deletion to All Other Sub Account via IDOR at Support Portal

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] FortiNet...

May 3, 2017

Bug Report / Web Apps / Write-Up

Tokopedia – Converting Content Injection to Reflected Cross Site Scripting via Base64 Encoding

In the name of Allah, the Most Gracious, the Most Merciful. I. ABSTRACT Provision of information for activating a new-registered account is one of the features...

August 26, 2016

Category: Web Apps

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

Bypassing the Current Password Protection at PayPal Tech-Support

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

FortiNet – Unrestricted Deletion to All Other Sub Account via IDOR at Support Portal

Tokopedia – Converting Content Injection to Reflected Cross Site Scripting via Base64 Encoding

Search

Recent Posts

Categories

Latest Tweets

Category: Web Apps

Search

Recent Posts

Categories

Latest Tweets

Tags