Tag: POC

[$15,000 Bounty] M365 Phish: Power Platform Privilege Escalation and Pivoting (29 Feb 2024)
Exploring the M365 Power Platform as a means of privilege escalation and flexing control over a phishing victim's SharePoint, OneDrive, Outlook, and Microsoft Teams data.
[$1250 - High Severity] Bypassing Brower Extension's Geolocation Spoofing with a Malicious Website (Location Guard & ExpressVPN) (28 Aug 2023)
Bypassing the spoof geolocation feature in browser extensions to disclose the physical location of a user. I share two high severity bugs. Bug 1 is a generic payload that works across multiple extensions, and bug 2 is an ExpressVPN specific payload that has been patched. This post is a case study with the Location Guard & ExpressVPN extensions, my bug bounty experience, and a few takeaways that may prove insightful for others.
Optimizing Multi-Destination Routes with Google Maps and a Chrome Extension (07 Nov 2022)
Finding the best route between multiple destinations in Google Maps or other tools can be frustrating. I have created a bespoke Chromium browser extension to help calculate a relatively optimal multi-destination travel route. Usage: Install the extension, navigate to https://maps.google.com, and use the tool.
M365 Internal Phish: Abusing the Power Platform for SharePoint/OneDrive Privilege Escalation (13 May 2022)
An internal phishing POC leveraging Microsoft 365 citizen development tools (Power Platform). Phish for access to a target user's OneDrive and all SharePoint sites they own.
Image Slicing with Python (25 Jan 2022)
Slicing and manipulating images with a Python GUI program using the Pillow and tkinter GUI packages.
Scanning and Hooking Dynamic, Client-Side Data in Modern Web Applications (22 Nov 2021)
Scanning the DOM for interesting data + hooking getters/setters. Demonstrating POC w/ a PowerApps example.
Exploring the WinDbg Preview JavaScript API (22 Oct 2021)
Trying to recreate the x32dbg/x64dbg stacktrace and dereferencing features in WinDbg Preview by leveraging its JavaScript API. Additionally, playing with Time Travel Debugging (TTD) and inspecting memory on the heap. POC included.
Hacking Electron Apps: Joplin (12 Oct 2021)
Adding custom functionality to the Joplin note-taking app by injecting arbitrary JavaScript into source code. POC included.

All Tags

POC Hacking JavaScript reverse-engineering SharePoint PowerApps Debugging Cloud BugBounty TypeScript Tutorial Privilege-Escalation Power-Automate OneDrive Microsoft M365 Joplin Game-Hacking Electronjs Chromium Browser-Extension Browser x64dbg x32dbg pykd mona.py mobile linux il2cpp adb XXS Wordpress WinDbg-Preview WinDbg Web-Appplication Web VPS Unity Race-Condition Python PowerShell Power-Platform Phishing Pentesting Paypal Payment-Gateway Outlook Oracle Optimization Microsoft-Teams Microsoft-Edge Javascript Java Image-Manipulation HackerOne GraphQL Google-Maps Frida ExpressVPN Exploits Email Electron.js Dynamic-Testing Development Credential-Dumping CodeQL CTF BurpSuite BugCrowd Browsers Blender Android .apk