Archives
All the articles I've archived.
-
Race Condition: abusing a single-use coupon with concurrent requests
OopsSec Store validates a coupon and increments its counter in two separate database calls. Send enough concurrent requests and several slip through the check before any of them completes the increment.
-
Middleware Authorization Bypass: Skipping Next.js Auth with a Single Header (CVE-2025-29927)
Exploiting CVE-2025-29927 to bypass Next.js middleware-based authentication using the x-middleware-subrequest internal header, accessing a protected internal status page without credentials.
-
Malicious MCP Server: Poisoning an AI Agent Through Tool Responses
We host a malicious MCP server whose tool responses trick OSSBot into calling a restricted internal tool and leaking the flag.
-
Padding oracle attack: forging encrypted share tokens
A padding oracle in OopsSec Store's share feature leaks whether decryption produced valid PKCS#7 padding. That's enough to forge a token for an internal report and grab the flag.
-
Profile Takeover: Chaining Self-XSS with CSRF
A Self-XSS in the profile bio editor is harmless on its own. Chain it with a missing CSRF token on the update endpoint and you get cross-user profile takeover.
-
Open Redirect: Accessing Internal Pages via Login Redirect
Exploit an unvalidated redirect parameter on OopsSec Store's login page to reach a restricted internal OAuth callback endpoint.
-
Session Fixation: Hijacking an Admin Account Through Support Access
Exploiting a mass assignment flaw in a support access token endpoint to generate a session for the admin account and access the admin dashboard.
-
Insecure Password Reset: Predictable Token Forgery
Exploit a predictable password reset token generation mechanism to take over any user account.
-
XML External Entity Injection: Exploiting a Legacy Supplier Import Endpoint
Exploiting an insecure XML parser in the supplier order import feature to read arbitrary server-side files and retrieve a flag.
-
Plaintext Password Exposure: Exploiting Server Logs via a Hidden SIEM Interface
Exploiting a forgotten debug statement that logs plaintext passwords and a hidden SIEM dashboard with hardcoded credentials to retrieve a flag.
-
Exploiting a Product Search SQL Injection
How to exploit a vulnerability in a tiny search box to quietly expose an entire database.
-
Second-Order SQL Injection: When Trusted Data Turns Hostile
How a crafted display name stored through a product review becomes a SQL injection payload when an admin filters reviews on the moderation panel.
-
Malicious File Upload: Stored XSS via SVG
Upload a malicious SVG to the admin product image field and get stored XSS that fires for every visitor.
-
Brute Force Attack: Exploiting a Login Endpoint With No Rate Limiting
Brute forcing a user password through an unprotected login endpoint using rockyou.txt.
-
Broken Object Level Authorization: Accessing Private Wishlists
A BOLA vulnerability in OopsSec Store's wishlist API lets any logged-in user read anyone else's private wishlist, including an admin one that contains the flag.
-
Prompt Injection: Extracting Secrets from the AI Assistant
A walkthrough of prompt injection attacks against OopsSec Store's AI assistant, bypassing its input filters to extract a flag from the system prompt.
-
SQL Injection via X-Forwarded-For Header: Exploiting IP Tracking
The app tracks visitor IPs via the X-Forwarded-For header and drops the raw value into a SQL query. Here's how to exploit it.
-
Stored XSS in Product Reviews
Exploiting stored cross-site scripting in OopsSec Store's product review functionality to execute JavaScript in every visitor's browser.
-
JWT Weak Secret: Cracking the Key to Forge Admin Access in OopsSec Store
Exploiting a JWT implementation that uses a weak signing secret to crack the key, forge admin credentials, and access restricted endpoints.
-
Chaining SQL Injection and Weak MD5 Hashing to Compromise the Admin Account
Exploiting a database leak combined with weak MD5 password hashing to gain admin access.
-
Insecure Direct Object Reference: Unauthorized Order Access
How changing one number in the URL lets you read anyone's order on OopsSec Store.
-
Server-Side Request Forgery: Accessing Internal Pages via Support Form
Exploiting a server-side request forgery vulnerability in OopsSec Store's support form to access restricted internal pages.
-
Client-Side Price Manipulation
Exploiting a server-side validation failure in OopsSec Store's checkout process to purchase products at arbitrary prices.
-
Mass Assignment: Admin Privilege Escalation via Signup
Exploiting a mass assignment vulnerability in OopsSec Store's signup endpoint to create an account with administrator privileges.
-
React2Shell: Exploiting CVE-2025-55182 in React Server Components
A technical analysis of CVE-2025-55182, demonstrating how React Server Components deserialization leads to remote code execution.
-
SQL Injection: From Dropdown to Database Dump
How a simple order status filter can be exploited to extract every user's credentials from the database.
-
Adding new posts in AstroPaper theme
Sat Naing
Some rules & recommendations for creating or adding new posts using the AstroPaper theme.