Blog
Coveo Access Token Leak in JavaScript File Leading to API Token Creation
We were doing recon on a Bugcrowd public program and attempting to find information disclosure in JavaScript files. We grepped all subdomains using different tools, also brute-forcing subdomains, and then passed the results...
Exploiting Exposed Zendesk API Token for Full Support Desk Access
Investigating GitHub leaks, we were hunting on a private program on HackerOne. During our search, we discovered that the program was using Zendesk as its support desk service. While reviewing their company GitHub repository, we found a .zat file that exposed a Zendesk...
Account Takeover: Exploiting Insecure Password Reset Logic
We were hunting one of the private programs on HackerOne. The scope of this program was limited to a single domain, which was hosting an internal admin panel on a staging environment for testing purposes. We randomly tested various functionalities and focused on the...