Thursday, January 5, 2017

Reflected XSS in Etsy

Last month, I found a Reflected XSS in Etsy and received a bounty + swag. I found the XSS by browsing the mobile version of Etsy (you can achieve this by changing your user agent to mobile). The vulnerable URL is and to reproduce the XSS, just enter an XSS payload in the search bar and the XSS will execute. The Etsy security team fixed this within a day and the response time was one week (because of weekends). The bug was worth $500.



 That's all... Thanks.

Sunday, October 23, 2016

Stored XSS in Google Cloud Console Monitoring (StackDriver)

I have found a Stored XSS in StackDriver, which serves as Google's Cloud Console Monitoring. It serves as an app monitoring service and enables users to monitor the activities of their apps, like analytics. The Stored XSS executed because of the app name. I provided an XSS payload in the app name, and when I was about to create a "rule", StackDriver lets you choose an app where the rule will be implemented. I was about to select the XSS app, but then the XSS executed.

This is the 5th time I was rewarded by the Google Security Team.

That's all for now. Thanks.

Saturday, August 20, 2016

IDOR in Facebook - Reveal any secret group

Hi. I have found a vulnerability in Facebook in which I was able to reveal a secret group even though a user is not a member of that particular group. The vulnerability can be exploited via Facebook Mobile version ( 

This was the vulnerable URL:[secret group id]. 

Replace the value of the ID in the "target" parameter with the value of your target secret group. You must have two test accounts to be able to reproduce the bug. Though this bug is limited since you cannot post in that group, Facebook still resolved it.

This bug has already been fixed by the Facebook Security Team, who rewarded me with a $1500 bounty.

I was then again listed in the Whitehat List of Facebook (it's my 2nd time being listed).

Monday, May 16, 2016

AngularJS Template Injection in Spotify Community site

I have found an AngularJS Template Injection vulnerability in the Spotify Community website. I noticed that the site uses AngularJS when I viewed the page source. The vulnerable part lies within the text format, when you are creating a new post or thread in the forum. Go to the rich text format, enter the URL/link icon and enter an Angular expression like {{1+1}} or {{1==1}}, then click the Preview tab. The expressions will result in "2" and "true" respectively. The bug was fixed by the Spotify security team within 3 days. They have a good response time too. AngularJS Template Injection is very dangerous and can escalate to XSS and RCE if not fixed.
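
As an added example (not code from this post or from Spotify), the sketch below shows why HTML-escaping user input does not stop the `{{1+1}}` evaluation described above, and one server-side mitigation: a scheme allowlist plus AngularJS's `ng-non-bindable` directive, which tells the compiler to skip the element's contents. The function names and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example: rendering a user-supplied link into a page that AngularJS compiles.
// All function names and sample values are hypothetical/constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Detects AngularJS default interpolation delimiters; useful for logging
// or rejecting suspicious form fields before they are stored.
function hasInterpolation(s) {
  return /\{\{[\s\S]*?\}\}/.test(String(s));
}

// Returns the names of the fields in a submitted form that carry an expression.
function auditFields(fields) {
  return Object.keys(fields).filter((name) => hasInterpolation(fields[name]));
}

// Weak: HTML-escaping leaves "{{" and "}}" untouched, so AngularJS still
// evaluates the expression when it compiles the surrounding DOM.
function renderLinkEscapedOnly(url, text) {
  return `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`;
}

// Hardened: only absolute http(s) URLs are accepted, everything is
// HTML-escaped so the wrapper cannot be closed early, and the wrapper
// carries ng-non-bindable so AngularJS does not compile its contents.
function renderLinkHardened(url, text) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return null; // not an absolute URL, e.g. a bare "{{1+1}}"
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return '<span ng-non-bindable>' +
    `<a href="${escapeHtml(parsed.href)}" rel="nofollow noopener">${escapeHtml(text)}</a>` +
    '</span>';
}

// Constructed sample submission from a rich-text link dialog.
const sample = { linkUrl: 'https://example.test/?q={{1+1}}', linkText: '{{1==1}}', title: 'hello' };
console.log(auditFields(sample));                                  // fields to flag
console.log(renderLinkEscapedOnly(sample.linkUrl, sample.linkText)); // still evaluable
console.log(renderLinkHardened(sample.linkUrl, sample.linkText));    // inert under AngularJS
```

Encoding the braces as HTML entities would not help either, because the browser decodes entities before AngularJS reads the DOM text.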




Tuesday, March 22, 2016

Acknowledgement from Microsoft

Being acknowledged by Microsoft is one of the greatest achievements a security researcher can attain. And fortunately I have been acknowledged by Microsoft, twice. I have reported several vulnerabilities to Microsoft (4 times if I remember). The first one was eligible for a bounty, which got me listed in their "Bounty Honor Roll". The rest were not and only got me listed in their "Security Researcher Acknowledgement" list. I thank Microsoft and the Microsoft Security team for this. It's been good working with them.


Bounty honor roll:

Security researcher...:

Thanks for reading!

Monday, February 29, 2016

Reflected XSS in

I have found a reflected XSS in The bug was easy to exploit since you only need to enter the XSS payload into the search bar. I have reported it to via HackerOne and it was resolved within a few days. I was also listed in their Hall of Fame as thanks.



Saturday, February 27, 2016

My list of Recognitions (Hall of Fame)

As of February 2016, I have found many vulnerabilities and got listed in big companies' Hall of Fame thanks lists. Below are the companies that I have reported vulnerabilities to and got recognized by:

* US - CERT Department of Homeland Security
* Khan Academy
* Urban Dictionary