Categories
Bug Hunting

Stored XSS Leads to Plaintext Password Disclosure

1. Upload HTML file using image upload feature.
2. Send user link to uploaded file.
3. User opens link and their AUTHH cookie is decoded, revealing their password.

Categories
Bug Hunting

Android App Hacking: Hardcoded Credentials

1. Unpack APK.
2. Recognize that it is a PhoneGap app.
3. View JavaScript source code to find hardcoded test credentials.
4. Login.