Hi everyone It’s Yasser Again,

First of all i wanted to thank you all for sharing my last write-up and I got a lot of positive responses so I decided to write about another nice finding that i found lately.

I was testing a mobile application which was written in React-Native for private program on HackerOne about 5 months ago,

While my server-side testing I didn’t found a lot of functions but as always I was working on developing a similar application as school project, and i got some problems with Synchronization, so while testing 2fa functionality I was…

Hi Every one, My name is Yasser (AKA Neroli in CTF’s) and I wanted to share this Finding with you :)

Since its a private program on Bugcrowd i will call it example.com

Let’s start

While I was testing this target I wanted to test the OAuth flaw since it has a lot of misconfigurations that developers don’t recognize,
So I found that the target allows users to log in using either a classic, password-based mechanism or by linking their account to a social media profile using OAuth.

So let’s test this.

OAuth misconfiguration

First thing i opened burp and started…

Yasser Mohammed (@boomneroli)

My Name Is Yasser and I am a CTF player and Competitive programmer, I Love to build things then break into it.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store