Posts
All the articles posted by the community.
-
Second-Order SQL Injection: When Trusted Data Turns Hostile
How a crafted display name, stored harmlessly through a product review, later becomes a SQL injection payload when an administrator filters reviews on the moderation panel.
-
Malicious File Upload: Stored XSS via SVG
Exploiting insufficient file upload validation to achieve stored cross-site scripting through malicious SVG files whose embedded JavaScript runs in every visitor's browser.
-
Brute Force Attack: Exploiting a Login Endpoint With No Rate Limiting
Exploiting the absence of rate limiting on a login endpoint to brute-force a user's password with a common wordlist.
-
Broken Object Level Authorization: Accessing Private Wishlists
Exploiting a Broken Object Level Authorization vulnerability in OopsSec Store's wishlist feature to access other users' private wishlists and retrieve sensitive internal data.
-
Prompt Injection: Extracting Secrets from the AI Assistant
Exploiting prompt injection vulnerabilities in OopsSec Store's AI customer support assistant to bypass safety filters and extract confidential information embedded in the system prompt.
-
SQL Injection via X-Forwarded-For Header: Exploiting IP Tracking
Exploiting a SQL injection vulnerability in OopsSec Store's visitor tracking by injecting malicious payloads through the X-Forwarded-For HTTP header.
-
Stored XSS in Product Reviews
Exploiting stored cross-site scripting in OopsSec Store's product review functionality to execute JavaScript in every visitor's browser.
-
JWT Weak Secret: Cracking the Key to Forge Admin Access in OopsSec Store
Exploiting a JWT implementation that signs tokens with a weak secret: recovering the key by cracking it, forging a token with admin claims, and using it to reach restricted endpoints.
-
Chaining SQL Injection and Weak MD5 Hashing to Compromise the Admin Account
Chaining a SQL injection that leaks the database with weak MD5 password hashing to crack the admin password and gain administrative access.
-
Insecure Direct Object Reference: Unauthorized Order Access
Exploiting an insecure direct object reference (IDOR) vulnerability in OopsSec Store to access other customers' order details.