Retrieving AWS metadata and use it for RCE

When researching a web application, I stumbled upon an endpoint which allowed me to perform SSRF. I’ll use the endpoint `http://example.com/fetch?url=[path]` as example.

Performing curl http://example.com/fetch?url=http://169.254.169.254/latest/meta-data/ results in listing the directory contents of the Amazon metadata service.

$ curl http://example.com/fetch?url=http://169.254.169.254/latest/meta-data/ami-id …

CyberTalents — CatchMomen(Web Security) Writeup

When you open the web page you will see a normal company website but let’s try to login

go to http://3.126.138.80/catch/login.php

let’s looking at the source code I found a credential which maybe will allow me to login but it is not working.

it gives me an error message ‘User…

Full Account Takeover worth $1000 Think Out of the box

hello everyone , Today’s story is about a bug I found on public disclosure program which allows me to take over any user’s account. It was a P4 issue but I didn’t report and chain it to P1. Without further ado let’s start .

I don’t have permission to disclosure…

Retrieving AWS metadata and use it for RCE

When researching a web application, I stumbled upon an endpoint which allowed me to perform SSRF. I’ll use the endpoint http://example.com/fetch?url=[path] as example.

CyberTalents — CatchMomen(Web Security) Writeup

Full Account Takeover worth $1000 Think Out of the box

Muhammad Aldiansyah

When researching a web application, I stumbled upon an endpoint which allowed me to perform SSRF. I’ll use the endpoint `http://example.com/fetch?url=[path]` as example.