Sander Wind
Unleashing the power of CSS injection: The access key to an internal API
In this write-up, we will be explaining how a CSS injection point let us access an internal API exposing customer data.
4 min read · Jan 24, 2023

Sander Wind
Escalating SSRF to RCE
Retrieving AWS metadata and use it for RCE
4 min read · Feb 5, 2021

Sander Wind
Stored XSS on funda, funda desk and funda emails
Full disclosure about how I discovered a Stored XSS vulnerability on funda, funda desk and funda emails.
4 min read · Jul 11, 2018

Sander Wind
Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible
Full disclosure about how I discovered a way to access personal data of all Dutch public transport cards ("OV-Chipkaart")
4 min read · Mar 23, 2018