Clever Geek Handbook

How I found a bug that revealed your PayPal password

In the hunt for security issues, the pursuit of unexplored assets and hidden endpoints often ends up distracting you from the obvious but still essential functionality.





, โ€” , , , - . , , . , , , PayPal: .





PayPal, javascript, , CSRF.





, JS .





  , XSSI, - <script>, [ CORS], , .





, , , , : , .





  , , . , _csrf _sessionID .





  CSRF pay pal _csrf , . , , c .





, , . PayPal, , brute force โ€” . , .





: , , . , , .





, , , Google, , , POST- /auth/validatecaptcha.





  _csrf sessionID, , .





, . , .





  , , .





, , โ€” , . , . , .





  • jse .





  • recapcha , Google , c, , , , .





, , , .





XSSI; , , . , .





PayPal , . โ€” , , /auth/validatecaptcha, .





, .





Bug Bounty PayPal 18 2019 HackerOne 18 . PayPal . $ 15300, 10 . , 8 ( ) CVSS โ€” , .





24 . , 5 โ€” .





/auth/validatecaptch CSRF, .





, , , : .





.  ยซ ยป  . - โ€” , ยซยป, .





, :





  • Data Scientist





  • Data Analyst





  • Data Engineering









  • Fullstack- Python





  • Java-





  • QA- JAVA





  • Frontend-









  • C++





  • Unity





  • -





  • iOS-





  • Android-









  • Machine Learning





  • "Machine Learning Deep Learning"





  • " Data Science"





  • " Machine Learning Data Science" 





  • "Python -"





  • " "









  • DevOps







More articles:


All Articles