Photo by FIN on Unsplash

Unleashing the power of CSS injection: The access key to an internal API

Jan 24

--

In this write-up, we will be explaining a vulnerability that was discovered in an online accounting application. The vulnerability was a CSS injection flaw that could be exploited in the application’s PDF generator. We will explain to you how we discovered the vulnerability and how we were able to exploit it to get internal API access.

Temporarily unavailable…

We hope you found this write-up entertaining, informative and interesting to read. Thank you for your attention.

Don’t forget to share your thoughts, feedback or even your own endeavours with CSS injections!

— The Vismagicians 🪄 (bandjes, floerer, holme and iQimpz)

Sander Wind

Written by Sander Wind

Security researcher at Mission CTRL. Developer at Alserda. Bug bounty hunter on Intigriti. https://www.missionctrl.nl

More from Sander Wind

Escalating SSRF to RCE

Sander Wind

Escalating SSRF to RCE

Retrieving AWS metadata and use it for RCE

4 min readFeb 5, 2021

--

2

Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible

Sander Wind

Personal data of all Dutch public transport cards ("OV-Chipkaart") accessible

Full disclosure about how I discovered a way to access personal data of all Dutch public transport cards ("OV-Chipkaart")

4 min readMar 23, 2018

--

Stored XSS on funda, funda desk and funda emails

Sander Wind

Stored XSS on funda, funda desk and funda emails

Full disclosure about how I discovered a Stored XSS vulnerability on funda, funda desk and funda emails.

4 min readJul 11, 2018

--

See all from Sander Wind

Recommended from Medium

Mass Hunting XSS vulnerabilities

Ott3rly
in
InfoSec Write-ups

Mass Hunting XSS vulnerabilities

In this article, I would like to cover how it is possible to efficiently check thousands of endpoints for potential Cross Site Scripting…

6 min readNov 22

--

4

How to find vulnerabilities in a web page in 10 minutes

127.0.0.1 is safe.📡⚠️

How to find vulnerabilities in a web page in 10 minutes

Hi friends..

2 min readNov 17

--

Lists

AI Regulation

6 stories205 saves

ChatGPT prompts

30 stories729 saves

ChatGPT

22 stories285 saves

Generative AI Recommended Reading

52 stories458 saves

Semi-Automating IDORs: A Practical Approach to Working Smarter, Not Harder

Muhammed K. Sayed

Semi-Automating IDORs: A Practical Approach to Working Smarter, Not Harder

semi-automating idors for making extra $$$$

5 min readNov 22

--

Top Recon Tools for Bug Bounty Hunters

Piyush Kumawat (securitycipher)

Top Recon Tools for Bug Bounty Hunters

In this blog, we explore top-tier reconnaissance tools that empower bug bounty hunters. From Shodan’s IoT device insights to Waymore’s web…

5 min readNov 21

--

How I found an XSS via multiple parameters

Erick Fernando

How I found an XSS via multiple parameters

Hello everyone, after receiving a generous reward at Bugcrowd for an XSS, I would like to share a discovery from a Bug Bounty I found a…

2 min readNov 7

--

1

Authentication Bypass

Harsh Jain

Authentication Bypass

Learn about different ways website authentication methods can be bypassed, defeated, or broken. These vulnerabilities can be some of the…

9 min readJul 16

--

1

See more recommendations

Help
Status
About
Careers
Blog
Privacy
Terms
Text to speech
Teams