As always, I started with reading the rules. The goal is to alert() the following flag: {THIS_IS_THE_FLAG}. Hmm.. this is new! With the previous challenges I’ve solved the goal was to execute document.domain. The solution should leverage a cross site scripting vulnerability on this page, shouldn’t be self-xss or related to MiTM attacks, and should work on the latest version of Firefox and Chrome.
After reading the rules, I would normally use the webpage like it’s intended to be used but at first sight, there doesn’t seem…
Why does my title say “Hacking” when it’s just an XSS challenge? Because I didn’t solve the challenge, I hacked the game.
When you open the challenge page, the first thing you see is this:
This is a game called “18 Game” and its goal is to have three cards of which the sum adds up to 18. This is done by selecting one card from each pile, and after your three cards are selected, you will know if you’ve won or not.
So is there a strategy of some sort to win this game? No. The cards that you…
While I was reading some of Inti De Ceukelaire’s old writeups, I came across “How I got your phone number through Facebook”. Facebook’s reply on his submission was that the “Who can look me up” settings are set to Public.
After reading this, I decided to have a look at the “Who can look me up” settings. I set them to “Only me” and started testing whether it does what it is supposed to do. The first thing I did was log out and try the password reset function. I filled in my phone number and there it was, my…
As always, I started with reading the rules. The goal is to execute alert(document.domain) on the challenge-1220.intigriti.io domain. Self XSS and MiTM attacks are not in scope, and the solution should work on the latest version of Firefox and Chrome.
The first thing I did was using the calculator like it’s supposed to be used, to see how it reacts on my input. It looks like the first number, the operator and the second number of the calculation are set as parameters in the URL. …
Like you should do with every challenge, I started with reading the rules. Those were clear. The goal was to execute alert(document.domain) on the challenge-1120.intigriti.io domain, without using self-xss or MiTM attacks. The attack should work in the latest version of Chrome and Firefox.
While looking at the html of the page, I quickly noticed that the QR code was an iframe with a page that accepts a parameter ‘URL’ in the URL and displays the URL in the form of a QR code. When the code is clicked, the url will be opened in a new tab.
When I started with bug bounty hunting, I became interested in all bugs related to URLs. One of my favorite and easy to exploit / find bugs is the broken link takeover.
I have found a few since I started, but all of them were links to nonexistent social media accounts. So nothing really critical here, but it’s always fun to have a big company link customers to your social media account. Some companies even give you a bounty if you report it to them!
I’ve noticed that most of the broken links to social media happen because companies rename their…
While I was looking at companies to do my internship at, I found a company with a link to a nonexistent Twitter account. I thought it would be original to use this takeover to apply for an internship, and immediately show them that their site has a broken link. So I created the application with a few tweets, and mailed the company to tell them to look at the Twitter account linked to on their site.
A few hours later, I noticed the URL on their site was updated, but I never got a reply on my email. I don’t think this company was very happy with my application :).
I picked my target and started looking around. I found a web page that was not up-to-date anymore and it contained a link to a non-existing Instagram account. I quickly created the account and submitted my report. I started searching to see if this link occurred on more web pages. I found out that their Flemish emails also contained the link.
When I finally got an update on my submission, I was disappointed. They marked it as a duplicate. I didn’t understand it because the account was owned by me. How is it possible to be a duplicate? I asked…
Professional My Little Pony addict