Author: lcolombo
-
One-Click Account Takeover: From XSS to Session Token Exfiltration
On a recent pentest I was able to chain an Open Redirect and an XSS to exfiltrate session tokens, only requiring a user to click on a link. Open Redirect on redirectUrl While browsing the site, I noticed that the application used a redirectUrl parameter to redirect the user to different functionalities. The parameter was present in…
-
Week in Review – #24
To revive the blog I will begin a Week in Review series, where I write some notes about my previous week doing bug bounty work, with some ideas, notes and reflections on the process and what I’ve done. I used to do bug bounty occasionally, with very good results, so now I decided to focus a lot…