popXSS - XSS Challenges

Hello all,
Here are some XSS Challenges that I created:
https://popxss.000webhostapp.com/

Any feedbacks are welcome :)
Regards,
Achal Pathak.

Read More

Paytm Open URL Redirect - My First Bug :)

Hello people,
The first bug I found was in Paytm which was a simple Open URL Redirect. It was specifically in their mobile version.
The affected url was
 www.paytm.com/login?redirect=///////www.example.com.
As you can see the vulnerable parameter was redirect and I was able to bypass the protection in place by using multiple forward slash and was able to redirect the victim to www.example.com.
This vulnerability was reported to Paytm via their Bug Bounty program ( https://paytm.com/offer/bug-bounty/ ) and now that has been patched.

Video POC :

Timeline:
22-March-2017 → Bug Reported
10-July-2017      → Bug Patched
10-July-2017      → Rs2000 Paytm Cash Rewarded, sadly no HOF :(

Regards,
Achal Pathak.

Read More