Photo by FIN on Unsplash

Unleashing the power of CSS injection: The access key to an internal API

Jan 24

--

In this write-up, we will be explaining a vulnerability that was discovered in an online accounting application. The vulnerability was a CSS injection flaw that could be exploited in the application’s PDF generator. We will explain to you how we discovered the vulnerability and how we were able to exploit it to get internal API access.

Temporarily unavailable…

We hope you found this write-up entertaining, informative and interesting to read. Thank you for your attention.

Don’t forget to share your thoughts, feedback or even your own endeavours with CSS injections!

— The Vismagicians 🪄 (bandjes, floerer, holme and iQimpz)

Sander Wind

Written by Sander Wind

Security researcher at Mission CTRL. Developer at Alserda. Bug bounty hunter on Intigriti. https://www.missionctrl.nl

More from Sander Wind

Escalating SSRF to RCE

Sander Wind

Escalating SSRF to RCE

Retrieving AWS metadata and use it for RCE

4 min readFeb 5, 2021

--

2

Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible

Sander Wind

Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible

Full disclosure about how I discovered a way to access personal data of all Dutch public transport cards ("OV-Chipkaart")

4 min readMar 23, 2018

--

Stored XSS on funda, funda desk and funda emails

Sander Wind

Stored XSS on funda, funda desk and funda emails

Full disclosure about how I discovered a Stored XSS vulnerability on funda, funda desk and funda emails.

4 min readJul 11, 2018

--

See all from Sander Wind

Recommended from Medium

How did I get 3300$ With Just FFUF!!

Ahmed Najeh

How did I get 3300$ With Just FFUF!!

By searching inside one of the Bitcoin platforms I found there a place to document accounts by sending documents such as ID or passport…

1 min readJul 2

--

2

From Self XSS to Account Take Over(ATO)

Mostafa Elguerdawi

From Self XSS to Account Take Over(ATO)

Hello there ,

3 min readAug 9

--

3

Lists

AI Regulation

6 stories135 saves

ChatGPT prompts

24 stories427 saves

ChatGPT

21 stories168 saves

Generative AI Recommended Reading

52 stories260 saves

Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

Sawrav Chowdhury

Unveiling Security Vulnerability on a Microsoft Subdomain: Open Redirects to RXSS Exploitation

In this article, I am going to cover another security bug that I found on a Microsoft subdomain. Initially, when I visited…

1 min readMay 18

--

Interesting XSS in dutch website

Kushal Shrestha

Interesting XSS in dutch website

Some months ago, I found an XSS vulnerability in one of the dutch website. It was a bit interesting for me and I really enjoyed researching…

3 min readSep 19

--

1

Getting email address of any HackerOne user worth $7,500

Japz Divino
in
Pinoy White Hat

Getting email address of any HackerOne user worth $7,500

Severity: High (7.5) Weakness: Sensitive Information Disclosure Bounty: Duplicate (First researcher receives $7,500)

5 min readJul 4

--

1

Recon For Web Pen-Testing!!

theUnixe

Recon For Web Pen-Testing!!

Reconnaissance, or recon for short, is the process of gathering information about a target to identify vulnerabilities and potential attack…

7 min readApr 30

--

4

See more recommendations

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Text to speech
Teams