Sander WindUnleashing the power of CSS injection: The access key to an internal APIIn this write-up, we will be explaining how a CSS injection point let us access an internal API exposing customer data.Jan 24, 20232Jan 24, 20232
Sander WindStored XSS on funda, funda desk and funda emailsFull disclosure about how I discovered a Stored XSS vulnerability on funda, funda desk and funda emails.Jul 11, 2018Jul 11, 2018
Sander WindPersonal data of all Dutch public transport cards ("OV-Chipkaart") accessibleFull disclosure about how I discovered a way to access personal data of all Dutch public transport cards ("OV-Chipkaart")Mar 23, 2018Mar 23, 2018