A path traversal vulnerability is well known as an issue that can allow you to either read or write files on a server, but what if there's a path traversal in a fetch request made by the browser? We've seen several examples, like Medi's research, which entered the top 10 web hacking techniques of 2022.
In this blog post, I will describe a technique I often used when attempting to escalate a client-side path traversal to an account takeover, and discuss how this specific exploitation scenario may be partially mitigated now.
When a React Native application is built, a source map and an application bundle are generated. Source maps are files that link the built application back to its original (front-end) source code, as it was before being built or bundled using tools such as Webpack. They are not interpreted by the client and are often used by error tracking tools such as Sentry or Bugsnag to provide more detail in generated bug reports.
I encountered a common misconfiguration when applications are using the Web SDK of Gigya to manage user identities across their application, which usually leads to a client-side account takeover. SAP's Customer Data Cloud (or Gigya) is an identity and access management platform, which allows customers to have authentication and authorization features implemented across their application. This is not a vulnerability in SAP's Gigya platform, but rather a potential misconfiguration by its customers.
In this write-up, I walk through the different steps of the H1-2006 capture-the-flag challenge. I'll go through the thinking process, steps to reproduce, failed attempts and other details.
H1702 was another amazing CTF organized by HackerOne. It was an amazing competition to participate in, despite the fact that I haven't been able to complete all challenges.