Authentication OTP bypass AND Information Disclosure (SSRF) || bug bounty poc 2023 || site hack

Рет қаралды 3,042

9 ай бұрын

Hello friends
Today I want to work on a target that easily bypasses the site's authentication system and then tests an SSRF vulnerability.

Пікірлер: 15

@sw4pn3h0x8 8 ай бұрын

But you opened the link in your browser so the http request recieved is of your own not the server’s

@entertainment6655 8 ай бұрын

The SSRF was next level. 😂

@gouthamas532 4 ай бұрын

Verification bypass is fine, but it's not a SSRF

@huzifaahmed1426 8 ай бұрын

OTP is serious finding but in the ssrf the calling came from your own network not the server IP. the important think in ssrf is the calling and its hould came from the original website server

@bkg2190 8 ай бұрын

Awesome 👍

@user-tf3gr2sd6x 6 ай бұрын

After watching this POC i am able to do SSRF on every website.

@Avoshsecurity 6 ай бұрын

You're welcome

@gouthamas532 4 ай бұрын

If you follow this step for ssrf, you won't get any bounty for sure 😂 because it's not a valid way of finding ssrf

@Cyber_Sec_ 8 ай бұрын

Nice

@vimalvinz9843 8 ай бұрын

Great finding 👌😏

@IllIIIIIIllll 6 ай бұрын

Wow didn't knew slack would have that OTP verify😂.

@Avoshsecurity 6 ай бұрын

You're welcome

@INFINITY-GAMER7345 9 ай бұрын

is that you reported

@montala3380 6 ай бұрын

It is not vulnerable at SSRF =)) When you remove `tel` and your browser call to the Burp-collab → the IP got recorded is yours not from the Slack. For the second SSRF it could be because I saw 2 different IP as well as DNS. 1 is belonging to you, and the rest could be from Slack