Labs.ebay.com SQL Injection After choosing the date, I replayed the request using Live HTTP Headers. I added an apostrophe to the date parameter resulting in a mySQL error.
I will be talking about a vulnerability I found in PayPal's developer website that allowed me to port scan their server using their own tool. Fixed: Unknown
When doing a doing a password reset on the mobile version of Facebook (http://m.facebook.com/recover/password), I noticed the the whole entire process was done over HTTP and wasn't secure. This was done with secure browsing enabled. Figuring this is a flaw, I reported it to Facebook.
Using Google Structured Data Testing Tool, you can received server information of third party websites as well as port scan them. Simply use the URL and a port.
Paymill was using "Allow-From" as an X-Frame-Option, which is ignored by Google Chrome. This allowed me to create a clickjacking page that would delete all of the victim's information. At first, Paymill thought that their page was protected using this option, but must have forgotten about Chrome. Here is the reply I got from them.
In this post, I'm going to be discussing how I got on Google's Hall of Fame. I've been on their Hall of Fame three or four times, but this is my first time since I've opened this blog. This click jacking attack allowed an attacker to change any user's password or personal information. As you can see, in the bottom right corner, it shows that the webpage has no X-frame-Options header. This means that it's vulnerable to click jacking. If you want to see the POC code or learn about the plugins and browser I used when finding this vulnerability, follow their link.