Featured

Payment receipt disclosure (Instamojo)

Hello, my fellow readers

While searching for bounty programs I came across Instamojo, a payment portal in India.
At first I thought, why not give it a try and see if I can find something interesting.

The best part is that I found it in the first step, i.e. recon.

So I started with some Google-fu (dorking, and that's where I got my alias).

After a few dorks I came across a PDF which is actually a book sold by "I*** Foundation", and the crawler had found it.

So this is the URL:

https://www.instamojo.com/payment/status/MOJO5b*********/?token=<token here>&expired=true

So only the rightful owner who bought this book should be able to view the receipt. I looked for a way to bypass that, and my attention shifted to the "expired=true" parameter.
After I changed "true" to "false", I was in and could view the receipt.


Payment ID: MOJO5b0*********
Paid to: I**** Foundation
Paid on: Nov 09, 2015 at 9:52am
....................... <redacted>

The …
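The root cause above is that the server let the client-supplied expired flag decide whether the receipt renders. What follows is an added example, not Instamojo's code or the author's: a minimal status handler in the vulnerable shape beside a hardened one that derives expiry from server-side state and never reads the flag, plus a detection check for the mismatch; the payment id, token, TTL and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import hmac

# Constructed sample data (not real Instamojo records): a single receipt row.
PAYMENT_ID = "MOJO5bPLACEHOLDER"
TOKEN = "tok-constructed-example"
RECEIPTS = {
    PAYMENT_ID: {
        "token": TOKEN,
        "paid_on": datetime(2015, 11, 9, 9, 52, tzinfo=timezone.utc),
        "body": "Paid to <redacted> Foundation, Nov 09, 2015",
    }
}
LINK_TTL = timedelta(days=30)                            # assumed link lifetime
FRESH_AT = datetime(2015, 11, 10, tzinfo=timezone.utc)   # one day after payment
CRAWLED_AT = datetime(2018, 1, 1, tzinfo=timezone.utc)   # long after LINK_TTL

def _lookup(payment_id, query):
    """Shared token check; constant-time compare avoids a timing oracle."""
    rec = RECEIPTS.get(payment_id)
    if rec is None or not hmac.compare_digest(query.get("token", ""), rec["token"]):
        return None
    return rec

def vulnerable_status(payment_id, query, now):
    """Before: the client's 'expired' flag decides whether the receipt renders."""
    rec = _lookup(payment_id, query)
    if rec is None:
        return 403, None
    if query.get("expired") == "true":   # flipping this to "false" bypasses it
        return 410, None
    return 200, rec["body"]

def hardened_status(payment_id, query, now):
    """After: expiry comes from server state; the query flag is never consulted."""
    rec = _lookup(payment_id, query)
    if rec is None:
        return 403, None
    if now - rec["paid_on"] > LINK_TTL:
        return 410, None
    return 200, rec["body"]

def tamper_indicator(payment_id, query, now):
    """Detection: client asserts expired=false on a link the server knows has
    expired. Honest clients never send this, so it is worth logging."""
    rec = RECEIPTS.get(payment_id)
    return (rec is not None and query.get("expired") == "false"
            and now - rec["paid_on"] > LINK_TTL)
```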

Latest posts

AT&T infinite loop redirection vulnerability

Drugs.com open redirect

swfupload XSF/XSS in one of the Google acquisitions

ESET TYPO3 CMS Host header vulnerability

First bounty by Malwarebytes (HTTP to HTTPS redirection)

How I managed to buy a Burp Suite license for the desired price

Sony infinite loop vulnerability leads to DoS

Weak RC4 cipher suite usage

localhost disclosure (spreaker.com)

Story of a Bug Hunter (My Life)