<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Bijan</title>
    <description>The latest articles on DEV Community by Bijan (@bijan53c).</description>
    <link>https://dev.to/bijan53c</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3985731%2F41ac23dc-f551-4d29-a8a0-3fd79a35d893.jpeg</url>
      <title>DEV Community: Bijan</title>
      <link>https://dev.to/bijan53c</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/bijan53c"/>
    <language>en</language>
    <item>
      <title>A simple recon led me to a big rabbit hole from google dorks to find same company assets (web endpoints) to nuclei templates to separate python code. Day 3 in the rabbit hole :)</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Tue, 30 Jun 2026 13:50:44 +0000</pubDate>
      <link>https://dev.to/bijan53c/a-simple-recon-led-me-to-a-big-rabbit-hole-from-google-dorks-to-find-same-company-assets-web-37ab</link>
      <guid>https://dev.to/bijan53c/a-simple-recon-led-me-to-a-big-rabbit-hole-from-google-dorks-to-find-same-company-assets-web-37ab</guid>
      <description></description>
      <category>automation</category>
      <category>cybersecurity</category>
      <category>python</category>
      <category>security</category>
    </item>
    <item>
      <title>Email Verification Link Leading to Forced Account Takeover</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Sat, 27 Jun 2026 18:24:56 +0000</pubDate>
      <link>https://dev.to/bijan53c/email-verification-link-leading-to-forced-account-takeover-3dgp</link>
      <guid>https://dev.to/bijan53c/email-verification-link-leading-to-forced-account-takeover-3dgp</guid>
      <description>&lt;p&gt;What if clicking a completely legitimate verification link from a trusted domain could silently log you out and into an attacker's account — without you realizing it?&lt;br&gt;
That's exactly what this bug does.&lt;/p&gt;

&lt;h1&gt;
  
  
  The Bug:
&lt;/h1&gt;

&lt;p&gt;A email verification flow was allowing an authenticated user's session to be hijacked by simply sending them a valid verification link belonging to a different account.&lt;br&gt;
No phishing. No fake domains. Just a real link from a real service.&lt;/p&gt;

&lt;h1&gt;
  
  
  How I found it
&lt;/h1&gt;

&lt;ol&gt;
&lt;li&gt;Register account A and verify it — stay logged in&lt;/li&gt;
&lt;li&gt;Register account B in a private window but don't verify it yet&lt;/li&gt;
&lt;li&gt;Copy account B's verification link&lt;/li&gt;
&lt;li&gt;Open it in the browser where account A is logged in&lt;/li&gt;
&lt;li&gt;Result: Account B gets verified, account A gets forcefully logged out, and the session switches to account B&lt;/li&gt;
&lt;/ol&gt;

&lt;h1&gt;
  
  
  Real attack scenario
&lt;/h1&gt;

&lt;p&gt;The attacker registers an account with a similar looking email to the victim (s0mestring vs somestring) then sends the verification link to the victim — disguised as a support request:&lt;br&gt;
"Hi, I'm having trouble verifying my email, can you help?" + LINK&lt;br&gt;
Since the link is from a legitimate domain, the victim clicks it without suspicion.&lt;br&gt;
From that point:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If the victim was buying a subscription → attacker gets it&lt;/li&gt;
&lt;li&gt;If uploading files → they go to attacker's storage&lt;/li&gt;
&lt;li&gt;If granting access → attacker gets the permissions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Even worse, the link uses a GET request, meaning it can be embedded as an image tag on any website, triggering the attack silently with zero clicks from the victim — a classic CSRF scenario.&lt;/p&gt;

&lt;h1&gt;
  
  
  Impact:
&lt;/h1&gt;

&lt;ul&gt;
&lt;li&gt;Forced session hijacking&lt;/li&gt;
&lt;li&gt;Silent account switching via CSRF&lt;/li&gt;
&lt;li&gt;Subscription theft&lt;/li&gt;
&lt;li&gt;Access control manipulation&lt;/li&gt;
&lt;li&gt;Data theft&lt;/li&gt;
&lt;/ul&gt;

&lt;h1&gt;
  
  
  Mitigation:
&lt;/h1&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Single-use tokens&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Once the verification link is clicked, invalidate the token immediately. It should never work a second time regardless of who clicks it.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Short token expiry&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Verification links should expire within 15-60 minutes of being issued. A link valid for days or forever is a much larger attack surface.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Session-aware verification&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;This is the core fix for this specific bug. When a verification link is clicked, the backend should check:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Is there already an active authenticated session in this browser?
Does that session belong to a different account than the one being verified?
If yes → reject the verification attempt and return an error, never switch sessions&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Don't touch existing sessions&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Verification of account B should have zero effect on an existing session for account A. These should be completely independent server-side operations.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Bind tokens to the registering context&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Tie the verification token to the email address it was issued for. Clicking account B's link while logged in as account A should fail the context check immediately.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h1&gt;
  
  
  Takeaway:
&lt;/h1&gt;

&lt;p&gt;Authentication flows are some of the most overlooked attack surfaces. A verification link feels safe — it comes from a trusted domain, it's expected behavior. That's exactly what makes it dangerous when session management isn't handled correctly.&lt;br&gt;
Always ask: what happens if this link is opened by the wrong person?&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>cybersecurity</category>
      <category>bugbountyhunting</category>
      <category>security</category>
    </item>
    <item>
      <title>No user verification leading to subscription bypass and pre-register</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Fri, 19 Jun 2026 18:30:00 +0000</pubDate>
      <link>https://dev.to/bijan53c/no-user-verification-leading-to-subscription-bypass-and-pre-register-3dje</link>
      <guid>https://dev.to/bijan53c/no-user-verification-leading-to-subscription-bypass-and-pre-register-3dje</guid>
      <description>&lt;p&gt;For security reasons, we consider "Target app", as the target we practiced on, and the real name won't be disclosed in this post.&lt;/p&gt;

&lt;p&gt;The target app, was a niche music streaming platform, available in web and mobile PWA, meaning the structure is same but access is easier for cross platform.&lt;br&gt;
The app worked in this way :&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;You register using an account, 3rd party like google or via email&lt;/li&gt;
&lt;li&gt;After that you can use the app for free with a 3 day window (3 day trial)&lt;/li&gt;
&lt;li&gt;After the 3 day you gotta buy subscription to continue listening&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The flaw, existed in the first step, when you register using an email, no verification happens! You could enter any type of &lt;a href="mailto:string@something.com"&gt;string@something.com&lt;/a&gt;, a random password and start your free trial.&lt;br&gt;
So what happens is that first I use &lt;a href="mailto:string1@something.com"&gt;string1@something.com&lt;/a&gt;, for 3 days. When the time runs out, I use &lt;a href="mailto:string2@something.com"&gt;string2@something.com&lt;/a&gt; for another 3 days. And since the app's trial and actual subscription don't have any difference, and the 3 day time window is the only limitation, the user with such knowledge from the app doesn't need to buy any subscriptions while such flaw exists!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Mitigation&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Apply email verification step after user input, so they have to use the received link to verify their address&lt;/li&gt;
&lt;li&gt;Blacklist "temporary email" service's address or IPs, so users won't generate any email to register after their trial has expired.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This way, the registration process isn't too complex while keeps app from attackers avoiding a "For ever free" usage on the app.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>security</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Mobile view bug</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Wed, 17 Jun 2026 19:30:00 +0000</pubDate>
      <link>https://dev.to/bijan53c/mobile-view-bug-5bdd</link>
      <guid>https://dev.to/bijan53c/mobile-view-bug-5bdd</guid>
      <description>&lt;p&gt;There is a music streaming platform, which is supposed to only let registered users to play and download musics from it. On the desktop view of web app, as expected you can only see available playlists but no play button. So you have to register or log in, buy a subscription and then play or download a playlist.&lt;br&gt;
One of steps in testing a web app, is to check the mobile view of it. There are multiple ways to test that. The simplest is to make your browser window small, so according to viewable pixels the front end of the web app changes to the mobile mode. Some apps like this target have different views for different devices and viewable pixels. So we could now see the musics in the playlist, and &lt;code&gt;*click*&lt;/code&gt; we can play the musics in playlist.&lt;br&gt;
We still couldn't download it via the app, this one was hard coded for the users with subscriptions. But there was a way to save the musics which you can read here ==[[2026-05-03-WebApp-MobileView-SaveMusics-DRAFT]] &lt;em&gt;VIP&lt;/em&gt;== .&lt;/p&gt;

&lt;p&gt;As I said, we could turn to mobile view just by making our browser window smaller (vertical) to get a mobile view. But some apps identify mobile devices using different methods. So if that didn't work, you can change your user agent string to an exact IOS or Android browser user agent. If that is hard, use your browser's developer options / debugger to apply mobile view based on mobile device models (This can be different on different browsers, so I recommend to google it based on what you use). These 3 methods must work, but if you face a different scenario, I recommend you to check the HTTP headers too (These can lead to the backend but can be useful). &lt;/p&gt;

&lt;p&gt;I hope this comes in useful for ya.&lt;/p&gt;

</description>
      <category>web</category>
      <category>cybersecurity</category>
      <category>bugbounty</category>
      <category>security</category>
    </item>
    <item>
      <title>403 bypass scenarios</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Tue, 16 Jun 2026 19:35:00 +0000</pubDate>
      <link>https://dev.to/bijan53c/403-bypass-scenarios-2cg6</link>
      <guid>https://dev.to/bijan53c/403-bypass-scenarios-2cg6</guid>
      <description>&lt;h2&gt;
  
  
  A.Bad code :
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;I explain the security aspect of it and how to stop such vulnerabilities in separate post&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  2.A Bad session management
&lt;/h3&gt;

&lt;p&gt;There are times that simple &lt;code&gt;Admin&lt;/code&gt; string in the &lt;code&gt;cookie&lt;/code&gt; or &lt;code&gt;session&lt;/code&gt; (or related custom headers), can cause you to authenticate to the app. For advance this simple string can be encoded to a commonly used format by the app (For example they use base64 a lot)&lt;br&gt;
This &lt;/p&gt;

&lt;h2&gt;
  
  
  B. WAF restriction
&lt;/h2&gt;

&lt;p&gt;There was an app that we had confirmed a reflected user input on it. We had to make sure they don't sanitize the input so we could send they payload for reflected XSS. We sent and we got 403. WTF? You could just remove the restricted part... why so serious? Got back on our recon data, we saw that they had a local made WAF using in front of web app which was not really well known. So we had to do a little bit of reverse engineering to understand how the waf works and what is bad in it's idea. After some tests we found out that the WAF as defined rules which work on the base64 format. They get the user input, turn base64 and check on the encoded data for malicious payloads, if OK it would decode the payload from base64 to URL and sent to web app. So first thing we tried was to encode the XSS to BASE64 and Viola. DONE! What we think is that the WAF encoded our base64 one more time, then checked it so the codes were different now (since they were encoded 2 times) and then decoded completely and sent to web app. And web app didn't have input sanitized and relied completely on the WAF as security so we got our payload running.&lt;/p&gt;

</description>
      <category>writeup</category>
      <category>cybersecurity</category>
      <category>web</category>
      <category>security</category>
    </item>
    <item>
      <title>Concept on bypassing 403 pages</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Mon, 15 Jun 2026 14:41:25 +0000</pubDate>
      <link>https://dev.to/bijan53c/concept-on-bypassing-403-pages-21p0</link>
      <guid>https://dev.to/bijan53c/concept-on-bypassing-403-pages-21p0</guid>
      <description>&lt;p&gt;On web application security, whether there's a pentest going on or hunting for vulnerabilities, there's a concept or technique for bypassing restrictions. In here we are going on details of bypassing 403 restrictions which usually lead to finding impactful vulnerabilities.&lt;/p&gt;

&lt;h1&gt;
  
  
  How the restriction works?
&lt;/h1&gt;

&lt;p&gt;For bypassing the restriction, we need to know how it works and what it does restrict; and it's obvious that different apps use different mechanisms so, let's explore some real world scenarios. &lt;/p&gt;

&lt;h2&gt;
  
  
  The overall concept
&lt;/h2&gt;

&lt;p&gt;For making a restriction, it has to be defined, so imagine it like a blacklist or whitelist mechanism which has to be bypassed. Now for bypassing them, you gotta understand what factors they are considering for restricting so, you would change focus on that item. Here we explore some types of restrictions:&lt;/p&gt;

&lt;h3&gt;
  
  
  IP restriction
&lt;/h3&gt;

&lt;p&gt;It's the simplest type, turn on your VPN. But remember that the IP can be set to whitelist some static IP's (e.g the admin's specific IP) which can make your job so much harder.&lt;/p&gt;

&lt;h3&gt;
  
  
  Parameters restriction
&lt;/h3&gt;

&lt;p&gt;As you know, in each HTTP request we have some headers or parameters in the URL (For more simplicity I'm referring to both as &lt;em&gt;"Parameters"&lt;/em&gt;). Which they look something like these :&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;GET /somedirectory/?p=parameterdata
HOST: somesite.com
User-Agent: Mozilla...
Cookie: somestuff
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In above HTTP request, you can see parameters with &lt;code&gt;parameterdata&lt;/code&gt; value in URL, and &lt;em&gt;Headers&lt;/em&gt; as &lt;code&gt;HOST&lt;/code&gt;, &lt;code&gt;User-Agent&lt;/code&gt; and &lt;code&gt;Cookie&lt;/code&gt;. &lt;/p&gt;

&lt;p&gt;Now imagine, the admin uses the &lt;em&gt;Admin Cookie&lt;/em&gt; as he has authenticated to visit &lt;code&gt;/OnlyAdmin/dash.html&lt;/code&gt;. So Anyone without the &lt;em&gt;Admin Cookie&lt;/em&gt; are not allowed to visit that page. So as our small example above, when you have a random cookie (not authenticated as admin) and visit the &lt;code&gt;/OnlyAdmin/dash.html&lt;/code&gt;, you face a 403 status code since you are not authenticated and allowed to visit that admin dashboard.&lt;/p&gt;

&lt;p&gt;So what is happening is that there is a restriction on that parameter/header. It's defined like ==If cookie = Admin --&amp;gt; allowed to visit &lt;code&gt;/OnlyAdmin/dash.html&lt;/code&gt; and if cookie !=(not equal) to Admin, return 403 and don't allow to visit.== &lt;br&gt;
So you are facing a whitelisting mechanism here. &lt;/p&gt;

&lt;p&gt;Before exploring more scenarios and bypassing them, let's have some blacklist examples too.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sites restricting certain user agents&lt;/li&gt;
&lt;li&gt;Restricting certain IP ranges (like people from certain country)&lt;/li&gt;
&lt;li&gt;Restricting users who send too much requests (rate limit)&lt;/li&gt;
&lt;li&gt;Bad user input (Like XSS, SQLi payloads)&lt;/li&gt;
&lt;li&gt;...&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  So, how they are defined
&lt;/h2&gt;

&lt;p&gt;Usually they are set in 3 major ways which are :&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Some are defined by the &lt;em&gt;WAF (web application firewall)&lt;/em&gt; : For example blocking IP's or malicious parameters (e.g XSS,SQLi payloads)&lt;/li&gt;
&lt;li&gt;Some are put by the &lt;em&gt;reverse proxy&lt;/em&gt; : similar to waf but only processes what waf allowed to go in.&lt;/li&gt;
&lt;li&gt;Some are hardcoded by the developer (&lt;em&gt;source code&lt;/em&gt;): like the cookie scenario we explored&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;In next post I explain some bypass scenarios&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>security</category>
      <category>web</category>
      <category>writeup</category>
    </item>
    <item>
      <title>A bug that led to infinite likes on video sharing platform</title>
      <dc:creator>Bijan</dc:creator>
      <pubDate>Mon, 15 Jun 2026 14:30:48 +0000</pubDate>
      <link>https://dev.to/bijan53c/a-bug-that-led-to-infinite-likes-on-video-sharing-platform-5faj</link>
      <guid>https://dev.to/bijan53c/a-bug-that-led-to-infinite-likes-on-video-sharing-platform-5faj</guid>
      <description>&lt;p&gt;There's a little fun bug I found on a video sharing website, which I can't tell the name of it, but I'm amazed that such bug exists on that platform cause it is more than 10 years for this platform to be online. &lt;br&gt;
With this bug, you can like a video infinite times without the need to log in. So you can become pretty popular with the likes you give to your own video (since more likes cause your video to get seen by more people), or idk, offer someone else amount of likes and get money instead?  Yeah this bug might not be that high impact at first glance or at all (Since I didn't investigate it further). But I'm gonna get into details here.&lt;/p&gt;

&lt;h1&gt;
  
  
  Normal behavior of web app (Getting a lead)
&lt;/h1&gt;

&lt;p&gt;The web app let you to like a video without authorization. That's already sus isn't it? But it could track you across browsers and sessions. E.g you use Firefox to like the video, you make a private tab to like again but... you see the video is already like by you. You switch to Chrome same happens. So you know what is going on, they are tracking users with the IP!&lt;/p&gt;

&lt;p&gt;In that moment I smiled, turned VPN on, checked the site with a fresh session, liked the video, changed IP again and ... What? Video is already liked?! First it might seem strange but, since there isn't an authentication for account to count likes (Exactly unlike Youtube), there must be a way.&lt;/p&gt;

&lt;p&gt;And the most interesting part is that this is not known as a bug from the developer (That's how they are working more than 10 years by the way). &lt;em&gt;It's a feature!&lt;/em&gt; This way people don't have to create and own accounts to like a video they see so it's easier for them to like the videos (Since the platform is not really popular and creating an account can take long so people would ignore and don't like and get on with their lives as they watched the video already and information was useful to them.) So the content creator would get likes easier.&lt;/p&gt;

&lt;h1&gt;
  
  
  The bug
&lt;/h1&gt;

&lt;p&gt;As I said, they track users from IP and setting session on browser side, since we changed IP on same session but the video was already liked. So how can we &lt;em&gt;Hack&lt;/em&gt; it for infinite likes?&lt;br&gt;
Easy, change both of the IP and session cookie/token/whatever that is set on browser side, and the app won't recognize you anymore.&lt;br&gt;
I changed IP while I opened a private tab, liked a random video, repeated the same loop again with a fresh IP and session, liked it again and so on. (I promise the content creator got really happy that day :) )&lt;/p&gt;

&lt;h2&gt;
  
  
  Automating the process
&lt;/h2&gt;

&lt;p&gt;In theory, you just would need a proxy list or a script to change your system's IP while the like request is being made in fresh sessions.&lt;br&gt;
So 3 steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Fresh session (probably selenium)&lt;/li&gt;
&lt;li&gt;Like the video &lt;/li&gt;
&lt;li&gt;Change IP (you can deploy scripts based on your solution (proxy,VPN,...))&lt;/li&gt;
&lt;li&gt;Repeat &lt;/li&gt;
&lt;/ol&gt;

&lt;h1&gt;
  
  
  How to fix it?
&lt;/h1&gt;

&lt;p&gt;Apply user account authentication for liking videos. Authentication can be applied by an OTP to user phone number for faster and more effective authentication, or force user to authenticate before watching the video at first place.&lt;/p&gt;

</description>
      <category>security</category>
      <category>web</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
