As always, I started with reading the rules. The goal is to execute alert(document.domain) on the domain. Self XSS and MiTM attacks are not in scope, and the solution should work on the latest version of Firefox and Chrome.

Challenge page
Challenge page
Challenge page

The first thing I did was using the calculator like it’s supposed to be used, to see how it reacts on my input. It looks like the first number, the operator and the second number of the calculation are set as parameters in the URL. …

While I was reading some of Inti De Ceukelaire’s old writeups, I came across “How I got your phone number through Facebook”. Facebook’s reply on his submission was that the “Who can look me up” settings are set to Public.

Who can look me up privacy settings
Who can look me up privacy settings
Who can look me up privacy settings

After reading this, I decided to have a look at the “Who can look me up settings. I set them to “Only me” and started testing whether it does what it is supposed to do. The first thing I did was log out and try the password reset function. I filled in my phone number and there it was, my full name + profile picture. …

Like you should do with every challenge, I started with reading the rules. Those were clear. The goal was to execute alert(document.domain) on the domain, without using self-xss or MiTM attacks. The attack should work in the latest version of Chrome and Firefox.

Image for post
Image for post

While looking at the html of the page, I quickly noticed that the QR code was an iframe with a page that accepts a parameter ‘URL’ in the URL and displays the URL in the form of a QR code. When the code is clicked, the url will be opened in a new tab.

When I started with bug bounty hunting, I became interested in all bugs related to URLs, one of my favorite and easy to exploit / find bugs, are broken link takeovers.

I have found a few since I started, but all of them were links to nonexistent social media accounts. So nothing really critical here, but it’s always fun to have a big company link customers to your social media account. Some companies even give you a bounty if you report it to them!

I’ve noticed that most of the broken links to social media, happen because companies rename their pages. Especially pages made for Belgian customers, or maybe customers from countries where they speak more than one language in general. For example, I’ve seen renames from company_benl to company_be or CompanyBelgium to CompanyBenelux. …

While I was looking at companies to do my internship at, I found a company with a link to an nonexistent Twitter account. I thought it would be original to use this takeover to apply for an internship, and immediately show them that their site has a broken link. So I created the application with a few tweets, and mailed the company to tell them to look at the twitter account linked to on their site.

A few hours later, I noticed the URL on their site was updated, but I never got a reply on my email. I don’t think this company was very happy with my application :).


  • If you apply for a job application via broken link takeover, keep in mind that there is a chance the company wont like your application.

I picked my target and started looking around. I found a web page that was not up-to-date anymore and it contained a link to a non-existing Instagram account. I quickly created the account and submitted my report. I started searching to see if this link occurred on more web pages. I found out that their Flemish emails also contained the link.

When I finally got an update on my submission, I was disappointed. They marked it as a duplicate. I didn’t understand it because the account was owned by me. How is it possible to be a duplicate? I asked customer support how this could be a duplicate and they told me that the first report indeed was about the URL on the page I found. I asked them about the link in the email but they didn’t reply. So I decided to submit it again, this time only mentioning the email in my report. …



Professional My Little Pony addict

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store