This is me! Adrian Belen, web application security enthusiast, breaking things for fun & profit :D

PoC for robotlegs, an MVC Flex application vulnerable to CVE-2011-2461

Scriptless attack: using unobtrusive scripting in a malicious way (bypassing XSS mitigations via script gadgets)

Stored on-site request forgery

Profiles Of The Top 7 Bug Hunters From Around the Globe

Link here: http://www.darkreading.com/…

OAuth security misconfiguration on Facebook

Facebook OAuth flaws

XSS in the Confluence comment module

On `02/Jul/2015 3:27 AM` I found an XSS flaw in Confluence: https://jira.atlassian.com/browse/CONF-38127

Abusing thumbnails to see private Vimeo videos

The https://vimeo.com/upload/select_thumb URI is used to set a thumbnail on your Vimeo video. https://vimeo.com/upload/.............

Oculus VR account hijacking via password reset vulnerability

Oculus VR is a virtual reality technology company founded by Brendan Iribe and Palmer Luckey. Their first product, still in development, is the Oculus Rift, a head-mounted display for immersive virtual reality (VR). In March 2014, Facebook agreed to acquire Oculus VR for US$2 billion in cash and Facebook stock. While testing the forgot-password functionality of Oculus VR, I found that it is possible to abuse this functionality. Here is an algorithm of how the password reset functionality of Oculus VR works.

Flowdock XSS or RCE (malicious file upload)

One day I accidentally uploaded a `.pdf` file type on the https://www.flowdock.com/oauth/applications page. It was successfully uploaded. So I tried to upload some arbitrary file types, but Flowdock rejected them. Flowdock blacklisted all arbitrary content-types such as.....

Bypassing the anti-CSRF token of Yandex!

When you browse a link on docviewer.yandex.com, the site will recreate a token named `sk`, which is used to validate a redirection and as an anti-CSRF token. `sk` is also an anti-CSRF token on `http://webmaster.yandex.ru`,.....