Archives
All the articles I've archived.
-
Supply Chain & AI Rules File Backdoor: Typosquat → Poisoned Skill → Runtime Backdoor
A two-flag chain that walks an attacker from a developer's stray dev-comment, through a typosquatted npm package, into an AI rules file dropped on disk, ending with a runtime backdoor the AI agent silently injected into the application's admin API.
-
Cross-Site Request Forgery on the Admin Order Update Endpoint
The admin order update endpoint authenticates via cookie and validates nothing else, allowing any same-session page to flip an order's status on the admin's behalf.
-
Insecure Randomness: recovering a gift card code from its timestamp
OopsSec Store derives gift card codes from a linear congruential generator seeded with the card's creation timestamp. The timestamp is exposed to the buyer with millisecond precision, which is all you need to reproduce the code and redeem the card from a different account.
-
Path Traversal: Escaping the Documents Directory via the Files API
Exploiting an unsanitized file path parameter in OopsSec Store's documents API to read files outside the intended directory and retrieve a flag.
-
Reading Secrets From the Browser: The NEXT_PUBLIC_ Trap in Next.js
Exploiting a misused NEXT_PUBLIC_ environment variable in OopsSec Store to recover a payment secret embedded in the client JavaScript bundle.
-
Leaking Secrets Through Error Messages: Exploiting a Verbose API Debug Response
A data export endpoint dumps system diagnostics when it hits an invalid field. Feed it garbage, read the debug output, grab the flag.
-
Race Condition: abusing a single-use coupon with concurrent requests
OopsSec Store validates a coupon and increments its counter in two separate database calls. Send enough concurrent requests and several slip through the check before any of them completes the increment.
-
Middleware Authorization Bypass: Skipping Next.js Auth with a Single Header (CVE-2025-29927)
Exploiting CVE-2025-29927 to bypass Next.js middleware-based authentication using the x-middleware-subrequest internal header, accessing a protected internal status page without credentials.
-
Malicious MCP Server: Poisoning an AI Agent Through Tool Responses
We host a malicious MCP server whose tool responses trick OSSBot into calling a restricted internal tool and leaking the flag.
-
Padding oracle attack: forging encrypted share tokens
A padding oracle in OopsSec Store's share feature leaks whether decryption produced valid PKCS#7 padding. That's enough to forge a token for an internal report and grab the flag.
-
Profile Takeover: Chaining Self-XSS with CSRF
A Self-XSS in the profile bio editor is harmless on its own. Chain it with a missing CSRF token on the update endpoint and you get cross-user profile takeover.
-
Open Redirect: Accessing Internal Pages via Login Redirect
Exploit an unvalidated redirect parameter on OopsSec Store's login page to reach a restricted internal OAuth callback endpoint.
-
Session Fixation: Hijacking an Admin Account Through Support Access
Exploiting a mass assignment flaw in a support access token endpoint to generate a session for the admin account and access the admin dashboard.
-
Insecure Password Reset: Predictable Token Forgery
Exploit a predictable password reset token generation mechanism to take over any user account.
-
XML External Entity Injection: Exploiting a Legacy Supplier Import Endpoint
Exploiting an insecure XML parser in the supplier order import feature to read arbitrary server-side files and retrieve a flag.
-
Plaintext Password Exposure: Exploiting Server Logs via a Hidden SIEM Interface
Exploiting a forgotten debug statement that logs plaintext passwords and a hidden SIEM dashboard with hardcoded credentials to retrieve a flag.
-
Exploiting a Product Search SQL Injection
How to exploit a vulnerability in a tiny search box to quietly expose an entire database.
-
Second-Order SQL Injection: When Trusted Data Turns Hostile
How a crafted display name stored through a product review becomes a SQL injection payload when an admin filters reviews on the moderation panel.
-
Malicious File Upload: Stored XSS via SVG
Upload a malicious SVG to the admin product image field and get stored XSS that fires for every visitor.
-
Brute Force Attack: Exploiting a Login Endpoint With No Rate Limiting
Brute forcing a user password through an unprotected login endpoint using rockyou.txt.
-
Broken Object Level Authorization: Accessing Private Wishlists
A BOLA vulnerability in OopsSec Store's wishlist API lets any logged-in user read anyone else's private wishlist, including an admin one that contains the flag.
-
Prompt Injection: Extracting Secrets from the AI Assistant
A walkthrough of prompt injection attacks against OopsSec Store's AI assistant, bypassing its input filters to extract a flag from the system prompt.
-
SQL Injection via X-Forwarded-For Header: Exploiting IP Tracking
The app tracks visitor IPs via the X-Forwarded-For header and drops the raw value into a SQL query. Here's how to exploit it.
-
Stored XSS in Product Reviews
Exploiting stored cross-site scripting in OopsSec Store's product review functionality to execute JavaScript in every visitor's browser.
-
JWT Weak Secret: Cracking the Key to Forge Admin Access in OopsSec Store
Exploiting a JWT implementation that uses a weak signing secret to crack the key, forge admin credentials, and access restricted endpoints.
-
Chaining SQL Injection and Weak MD5 Hashing to Compromise the Admin Account
Exploiting a database leak combined with weak MD5 password hashing to gain admin access.
-
Insecure Direct Object Reference: Unauthorized Order Access
How changing one number in the URL lets you read anyone's order on OopsSec Store.
-
Server-Side Request Forgery: Accessing Internal Pages via Support Form
Exploiting a server-side request forgery vulnerability in OopsSec Store's support form to access restricted internal pages.
-
Client-Side Price Manipulation
Exploiting a server-side validation failure in OopsSec Store's checkout process to purchase products at arbitrary prices.
-
Mass Assignment: Admin Privilege Escalation via Signup
Exploiting a mass assignment vulnerability in OopsSec Store's signup endpoint to create an account with administrator privileges.
-
React2Shell: Exploiting CVE-2025-55182 in React Server Components
A technical analysis of CVE-2025-55182, demonstrating how React Server Components deserialization leads to remote code execution.
-
SQL Injection: From Dropdown to Database Dump
How a simple order status filter can be exploited to extract every user's credentials from the database.
-
Adding new posts in AstroPaper theme
Sat Naing Updated:Some rules & recommendations for creating or adding new posts using AstroPaperr theme.