limited freemarker ssti to arbitrary liql query and manage lithium cms

we faced (w/ @celalerdik) an interesting ssti vulnerability on a bugcrowd program. we could get the traditional '49' when trying the ${7*7} expression, and we could also execute the assign directive reference like below.…
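To make the ${7*7} and <#assign> probes concrete, here is an added example (not code from the original post, and not Lithium's or FreeMarker's own code) that renders user-controlled text with FreeMarker 2.3.x in the vulnerable way, where the input is parsed as the template source, next to the safe pattern where the input only enters the data model. Class, method and variable names are illustrative, and the FreeMarker version constant is an assumption.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Added example: vulnerable vs. safe use of FreeMarker with attacker-controlled text.
public class FreemarkerSstiDemo {

    // Assumed version; any 2.3.x Configuration works the same way for this demo.
    private static final Configuration CFG = new Configuration(Configuration.VERSION_2_3_31);

    static {
        // Defense in depth: refuse the ?new built-in (arbitrary class instantiation)
        // even if a template does end up attacker-controlled.
        CFG.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
    }

    /** VULNERABLE: user input becomes the template source, so ${7*7} and <#assign> are evaluated. */
    static String renderUnsafe(String userInput) throws IOException, TemplateException {
        Template t = new Template("unsafe", new StringReader("Hello " + userInput), CFG);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    /** SAFE: the template is fixed; user input is only a value in the data model and is never parsed. */
    static String renderSafe(String userInput) throws IOException, TemplateException {
        Template t = new Template("safe", new StringReader("Hello ${name}"), CFG);
        Map<String, Object> model = new HashMap<>();
        model.put("name", userInput);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe inputs: the classic arithmetic check and an assign-directive check.
        String probe = "${7*7}";
        String assignProbe = "<#assign x=7*7>${x}";

        System.out.println(renderUnsafe(probe));
        System.out.println(renderUnsafe(assignProbe));
        System.out.println(renderSafe(probe));
    }
}
```

Running main prints "Hello 49" twice from renderUnsafe, which is exactly the signal described above (both the interpolation and the directive were evaluated), and "Hello ${7*7}" from renderSafe, where the same input is just a string. The ALLOWS_NOTHING_RESOLVER line does not prevent the injection itself; it only removes the ?new built-in as an escalation path, so the real fix is never building a Template from user input.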

IDOR (Insecure Direct Object Reference) Vulnerability

There can be many variables in the application such as "id", "pid", "uid". Although these values are often seen as HTTP parameters, they can also be found in headers and cookies.…

a little open redirect bypass story

in one private program at bugcrowd, i came across three different open redirect bug methods.…

xss attack vector at "style" context for less.js

less & sass suddenly came to my mind when researching css injection attacks.…

parameter pollution bug at twitter

twitter sends an e-mail to you when someone follows you, when someone favorites your tweets, etc.…