Trellodorker - Trello Dorking Tool

Trello is a nice website owned by Atlassian. It lets you create "boards", each containing "lists" of "cards"; cards can be moved between lists. It's a great system for keeping track of things. You can configure boards to be public or private. This is where the problems start. Jimmy is impatient. He…

Stored XSS on the DuckDuckGo search results page

This XSS was accidental. For whatever reason, I was messing about with the search bar, putting various payloads into it without expecting to find anything. Eventually, I put the following payload into the search bar: "><img src=x> And of course, nothing happened. But something caught…
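The payload quoted above is the standard attribute break-out test: the leading double quote closes an attribute value, the `>` closes the tag, and whatever follows is parsed as new markup. The snippet below is an added illustration of that mechanism and of the attribute-encoding that defeats it; it is not DuckDuckGo's code and assumes, for the sake of the example, that the query is reflected into the value="..." attribute of a search input.

```javascript
// Added example (not from the original post or from DuckDuckGo):
// why "><img src=x> is tried against a reflected search box, and how
// attribute-encoding neutralises it. The reflection into value="..."
// is an assumption made for this illustration.

const PAYLOAD = '"><img src=x>';

// Vulnerable pattern: the query is concatenated straight into an attribute.
function renderUnsafe(query) {
  return `<input name="q" value="${query}">`;
}

// Encode the five characters that can change HTML context inside a
// double-quoted attribute (and in text nodes).
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same template, but the value is encoded first.
function renderSafe(query) {
  return `<input name="q" value="${encodeAttr(query)}">`;
}

// Crude tag counter: a real parser would be used in production, but this
// is enough to show that the unsafe render yields two elements (the input
// and an injected img) while the safe render yields only the input.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Stand-alone demo.
console.log(renderUnsafe(PAYLOAD), countStartTags(renderUnsafe(PAYLOAD)));
console.log(renderSafe(PAYLOAD), countStartTags(renderSafe(PAYLOAD)));
```

The encoded form renders as a literal string in the box rather than as markup, which is the behaviour a search results page should show for any reflected query.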

On Apache Flink dashboards

I've recently come across an interesting misconfiguration regarding Apache Flink. What is Flink? Flink is a framework for processing data streams; its web dashboard listens on port 8081 by default. What are data streams? Per the Flink documentation: Any kind of data is produced as a stream of events. Credit…

Bsides Dublin CTF

This is my account of my first CTF. It started at around 10:30am. Having had no previous experience with CTFs, this one really hooked me on the world of competitive hacking. I'll only be talking about the problems I solved here. I ended up in 27th…

On Exposed Jira Dashboards

While doing my own research recently, I discovered exposed Jira dashboards for several companies. While there is no guarantee that those companies own those dashboards, it is a reasonably safe assumption to make. Circle K: https://circlek.atlassian.net/jira/filters?searchName=&Search=Search&filterView=search Waterstones: https:…

January 2021 - My first bounty

The first bounty is a milestone that many hope to hit. It marks the starting line for a lot of bug bounty hunters today. Mine was interesting. For privacy's sake, I won't disclose the company. My first bug was an IDOR. IDOR stands for Insecure Direct Object Reference - that…