infosec write-ups and ramblings



Chaining Bugs to Steal Yahoo Contacts!

👨🏻‍💻 Introduction & Background:This is a write-up of how I chained two vulnerabilities (an XSS and a CORS misconfiguration) that allowed me to steal contacts from a victim's contact book. This data included: names, phone numbers, addresses, etc. ✗ Cross-Origin-Resource SharingCross-Origin Res…

Corben Leo Corben Leo

Stored XSS in BandCamp

Recently, while my friend Alyssa Herrera and I were collaborating on finding ffmpeg vulnerabilities in bug bounty programs, we came to learn that Bandcamp ran a bug bounty program. If you have never heard of BandCamp, it is essentially a platform that allows artists, fans, and labels to interact, co…

Corben Leo Corben Leo

XSS in

I got bored one day and somehow thought of AOL for some reason, so I decided to see if I could find any vulnerabilities in Initially I tried looking in the signature, since it allowed HTML. I did find an XSS there, but it was self-xss, because when you sent an email with the malicious…

Corben Leo Corben Leo