Chess.com is the most popular chess website, with features such as game analysis, puzzles and online playing modes. Vulnerabilities in it could hurt the reputation of big-time players if used in targeted attacks.
At first, the author found a reflected XSS. Using this, an attacker could use the Connect to Google feature to add a backdoor into their account. Even though this is an impactful bug, it does require user interaction.
Using Burp's interceptor, the author decided to look at the traffic being sent over from chess.com. Just from viewing the traffic, he realized that a substantial amount of data about other users was being sent over in the requests made while searching for them. Initially, he only noticed that an email address was being sent over.
The requests were signed, though, so tampering with them was not trivial. Because the signing was done client-side, altering the requests was possible, but working out how would be tedious.
Besides an email, the session ID was being sent in the request! This session ID was the same value as the `PHPSESSID` value, which meant that a simple query for a user would allow you to take over their account.
And that is game over, folks! Just for the fun of it, the author decided to take over the account of a known administrator on the site.
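The root cause described above is a user lookup that returns private fields along with the public ones. The following is an added defensive example, not code from chess.com or from the original write-up: an allowlist serializer next to a response audit that flags sensitive keys. The field names, marker list and sample response are all assumptions constructed for illustration.

```python
import json

# Assumption: the only fields a public profile or search result may expose.
PUBLIC_USER_FIELDS = {"username", "avatar_url", "rating", "country"}
# Assumption: key-name fragments that must never appear in data about another user.
SENSITIVE_MARKERS = ("email", "session", "token", "password")

def public_view(user_record):
    """Hardened serializer: copy only allowlisted fields, so a new column on
    the user model is private by default instead of leaked by default."""
    return {k: v for k, v in user_record.items() if k in PUBLIC_USER_FIELDS}

def find_sensitive(node, path="$"):
    """Walk a decoded JSON document and return the paths of every key whose
    name contains a sensitive marker. Intended for API response tests."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if any(marker in key.lower() for marker in SENSITIVE_MARKERS):
                hits.append(child)
            hits.extend(find_sensitive(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive(item, f"{path}[{index}]"))
    return hits

# Constructed sample: a search response that serializes the whole user record.
LEAKY_RESPONSE = json.loads("""
{"results": [{"username": "example_player", "rating": 1500,
              "email": "player@example.test",
              "session_id": "CONSTRUCTED-SESSION-VALUE"}]}
""")

def harden(response):
    """Rebuild the search response using the allowlist serializer."""
    return {"results": [public_view(user) for user in response["results"]]}

if __name__ == "__main__":
    print("leaky:   ", find_sensitive(LEAKY_RESPONSE))
    print("hardened:", find_sensitive(harden(LEAKY_RESPONSE)))
```

Running `find_sensitive` over recorded responses in CI catches this class of leak before release; the allowlist serializer prevents it at the source.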