Case Studies

How to find CSRFs despite SameSite cookies? CSRF Case Study

I was very curious about the CSRF case study. It’s a bug class that had been very popular but then came the SameSite cookie attribute that’s a very effective measure against this bug class. There was only one way to find out if the SameSite attribute did kill CSRFs or...

RCE – where to look for them? RCE Case Study

This was definitely the hardest case study. Usually, I am able to reduce the number of different labels that I have quite well. But there's a huge variety of bugs that can result in a command execution. It also shows how much we have to learn to be able to find...

How to make money for DoS bugs? DoS case study

DoS bugs were very intriguing to me. On one hand, I thought they were usually out of scope of web programs anyway. On the other, I saw big, even 5-digit bounties being awarded for them. So I decided to do what I like to do - extract all DoS reports from the Internet...

How to make money with IDORs? IDOR case study

IDORs are often recommended as the easy vulnerability class, good to start the bug hunting journey. “Just change the ID in the URL parameter,” they say. But are they really that easy? Well, there’s only one way to find out - to do the case study. This week, I analysed...

SQLi Case Study

I never look for SQL injection vulnerabilities. To be honest, I don’t even think about SQLi these days, considering it’s a thing of the past. But am I right in doing that? Well, there’s only one way to find out! Extract all the disclosed reports from the Internet and do...

XSS – case study of 174 reports

XSSes are everywhere. They’ve been the most common vulnerability class for years. But while popping an alert may seem simple, there’s much, much more to cross-site scripting. What payloads are people using? Where are people finding XSSes? What about CSP? Can you...

SSRF – Case study of 124 bug bounty reports

In theory, SSRF is a really simple vulnerability class - you can make requests to arbitrary locations. In practice, however, it’s often more complex. Where to look for SSRFs? What parameters are most likely to be vulnerable? Do we actually need all those complex...