NOVEL WEB Chapter 110: Pentesting 3
You might be wondering why the number is so shocking right, like sixty-four bugs? And it's from a large platform like SocialHub?
A company worth trillion and was run by thousands of developers? Because it makes sense since its worth trillions.
Don't assume that companies are airtight, since the scale doesn't make it bulletproof but a bigger target.
Due to his godly programming skill and his knowledge of how these systems were built, while others worked through enough source code and decompiled enough applications to understand.
He was given the ability by the system to understand one thing clearly and that is unvalidated redirects were everywhere.
They weren't complicated bugs. In fact, they were ridiculously simple.
This happens because developers often forget to validate redirect parameters, which is a common oversight.
This issue is especially prevalent in login pages, password resets, confirmation emails, ads and anything that needs to send a user somewhere else.
These kinds of flaws weren't usually dangerous on their own, since they didn't grant server access or expose databases.
That's why their severity was considered low, and companies like SocialHub didn't treat them as high priority.
However, they still mattered, especially on platforms built on trust, because a redirect link from socialhub.com, appears legitimate to most users.
If someone disguises a phishing link using that, then it's game over. That's why even if one endpoint is fixed, it doesn't mean the other hundred like it are.
And that's the thing about massive platforms like SocialHub. With billions of users and hundreds of services, it was easy for the same bug to exist in ten different places, even if the security team had patched it once before.
Most elite programmers can scan a few hundred endpoints in a day, but Jeff had scanned over 1,700 in an hour.
While elite programmers take 30 minutes to scrape URLs, for his AI it does it in 2. Also, elite programmer test one redirect in 30 seconds, but he does it in 1 seconds.
Validating with curl? 10 seconds for Jeff, and it is 1 or 5 minute for them. Logging, reporting, and formatting were all automated and instant on his side.
The difference you may ask?
Is that elite programmers write great tools like scanners, validators, maybe even automation scripts.
Also, their experience of dealing with same problem over and over again was a big help as well.
They work efficiently, but each step still depends on them. While Jeff on the other hand, builds full systems.
His tools don't just follow commands they can think, filter, and act on their own.
Example of this is RAZi that scrapes thousands of URLs in minutes, GhostCheck scans and validates each one in seconds, and the report writer documents everything instantly with no manual input.
While elite programmers are still writing scripts or waiting for results, he is already done. With every log reviewed, every flaw documented, and every report packaged.
Work: Reflected XSS Probe
Note: Reflected XSS vulnerabilities typically occur in search boxes, error pages, and query parameters where user input is immediately reflected in the page without proper encoding or sanitization.
Focus your testing on endpoints that dynamically insert query data into the DOM or template without storage.
...
So after choosing this he then began to work, after compiling a custom tool called mirrorcheck, Jeff launched a targeted scan across vulnerable form fields and query parameters.
His script tested payload reflections without rendering JavaScript, allowing RAZi to confirm XSS behavior based on raw responses.
Within 45 minutes, he had confirmed multiple reflected XSS flaws across outdated mobile and support endpoints.
GhostCheck's output was converted to HTML-safe proof-of-concept links, and RAZi automatically generated clean reports for submission.
Each one included payload, vulnerable parameter, and server response headers.
For the results? Over 12 medium-severity XSS vulnerabilities, were submitted in a single encrypted batch.
...
Work: Improper Auth Redirect Discovery
Note: Several authentication and login flows use redirect URLs to return users to their destination post-login. These redirect parameters must be validated against a whitelist.
If you discover any redirection endpoints that accept unvalidated third-party URLs, they may qualify for a medium severity reward.
...
Seeing this, he developed a redirect abuse detector called AuthHop, which simulated a login session and intercepted redirect chains.
If any login endpoint allowed redirection to an untrusted external site after login without validating the destination, it was flagged.
RAZi integrated the scanner into an active testing loop with rotating dummy accounts, and within half an hour, Jeff had mapped five authentication flows that could be tricked into rerouting users to phishing traps.
Finding some of it, he continued much further and the results?
The results were 26 medium vulnerabilities, each documented with step-by-step token capture and redirect bypass methods.
...
Work: Stored XSS Injection Scan
Note: Dynamic content is supported in various user-facing modules. If user-submitted input (e.g. comments, bios, group names) is stored in the database and rendered to other users without proper sanitization, it may result in stored XSS.
Please limit tests to designated test fields or isolated environments.
...
Reading the description about this specific work, he understood that stored XSS was too risky to test manually because it involved injecting malicious scripts into web applications, which could persist in databases and execute whenever a user accessed the affected page.
Unlike Reflected XSS, which required immediate interaction, Stored XSS could spread silently, targeting multiple users over time.
Testing it manually could inadvertently expose sensitive data, compromise accounts, or even escalate privileges within an application.
Automated tools were necessary to safely detect and analyze these vulnerabilities without triggering real-world consequences.
Because of that, Jeff developed a Rust-based payload injector that safely delivered test scripts into comment fields, message boxes, and user bios.
Each script was enclosed in harmless <script> tags designed to ping a fake endpoint if executed, allowing him to detect vulnerabilities without causing real security risks.
RAZi will then tracked modifications across multiple test accounts. If a stored payload reappeared in rendered HTML, it was logged as a successful exploitation.
The results you may ask? Over 20 high-severity stored XSS bugs, was compiled in a document with before-and-after screenshots and JavaScript behavior traces.
...
Work: IDOR Resource Access Test
Note: All endpoints involving user-specific data should validate authorization based on the authenticated session. If you discover any endpoint where changing a numeric ID or parameter grants unauthorized access to another user's data, it will be treated as a high-severity issue.
Use test accounts only and avoid tampering with live or third-party data.
...
So with that Jeff activated the scanner, feeding it a list of login and authentication flows extracted from previous mapping results.
Each endpoint was systematically tested with redirection payloads designed to check if they would accept external URLs without validation.
His AI cycled through variations, injecting disguised links and analyzing server responses, pinpointing the ones that failed to enforce strict redirection rules.
Within minutes, the scanner flagged multiple endpoints that allowed unvalidated third-party redirects.
Jeff manually verified a few cases, logging into test accounts and watching as the system sent him to unauthorized destinations.
A simple oversight by developers had left these flows vulnerable to phishing exploits, proving just how widespread the issue was across different services.
After compiling detailed reports, Jeff highlighted five medium-severity vulnerabilities, each complete with proof-of-concept steps and token interception methods.
With that he also made it in a documents to organize it for the moment.
...
Work: Remote Code Execution Vector Discovery
Note: Our platform occasionally deploys developer tools and internal utilities across sandbox environments. If a parameter, file upload, or debug tool can be exploited to execute arbitrary code on the server, it constitutes a critical vulnerability.
Only test within approved sandbox environments. Never attempt RCE on production systems.
...
Following the notes he then initiated a probe by targeting developer tools deployed within the sandbox environment.
His scanner methodically analyzed file upload mechanisms, debug consoles, and exposed parameters, injecting controlled payloads to detect execution pathways.
Within minutes, he identified a misconfigured debug tool that failed to sanitize input, allowing arbitrary command execution.
He replicated the exploit safely, proving how an attacker could escalate access from a harmless test function to full server control.
After mapping the vulnerability, Jeff crafted a detailed exploit report outlining the attack chain.
He demonstrated how improper sanitization could lead to remote code execution, emphasizing the necessity of strict validation on all user-controlled inputs.
His automated script logged every successful injection attempt, ensuring accurate reproduction of results.
With a thorough breakdown of risk factors, he then wrote it in a document about his findings, marking the issue as a high-priority security flaw.
...
Work: Multi-Factor Authentication Bypass Analysis
Note: We use time-based tokens, backup codes, and push-based verification for MFA. If any endpoint or flow allows login completion without verifying the second factor, especially through session re-use or token manipulation, it is considered critical.
So go ahead and detect flaws in MFA flow that allow full access without completing second-step verification
Successful bypass must demonstrate full account access without completing MFA.
...
1st: Special thanks to 'Essos👑' – the GOAT of the month, for both the rewarding gifts and golden tickets! Much love, brotha!
2nd: Big thanks to 'Pat_funding👑' for the unwavering support since the very start of my journey and for the golden tickets and gifts!
3rd: Special shoutout to 'Devon1234👑' – The same GOAT of this month, for all the amazing gifts! You're absolutely RAD!