Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

One-click reflected XSS in www.instagram.com - 506

Youssef Sammouda - Posted 4 Years Ago
  • Instagram is an extremely popular website in the social media category. Finding XSS in this is a huge deal!
  • The XSS is fairly straightforward: an unvalidated link in a URL is passed directly into the href of an anchor tag. By supplying a javascript:// URI, clicking on the link results in code execution within the context of the victim's account.
  • With the XSS, the author demonstrates that a Facebook OAuth token can be requested, which results in an account compromise. Boom goes the dynamite!
  • There is a small caveat, though: the link has to be middle-clicked. This is because the event handler for a regular click is overwritten by some fancy JavaScript. Regardless, the researcher was paid almost 10K for their finding.
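
One way to close the href sink described above, as an added example that is not from the original write-up or Instagram's code: parse the untrusted value with the WHATWG URL parser and allow only http/https before it reaches the anchor. The names `safeHref`, `renderLinkUnsafe`, `renderLinkSafe` and the `app.example` origin are hypothetical.

```javascript
// Added example; all names and the origin below are hypothetical.
const ALLOWED = new Set(["http:", "https:"]);
const BASE = "https://app.example/"; // constructed origin used to resolve relative links

// Returns a normalized URL safe to place in an anchor's href, or null.
function safeHref(untrusted, { sameOriginOnly = false } = {}) {
  if (typeof untrusted !== "string") return null;
  let url;
  try {
    // Same WHATWG parsing the browser applies to href: the scheme is
    // lowercased, leading spaces and embedded tabs/newlines are stripped,
    // so the check below sees what the browser would actually navigate to.
    url = new URL(untrusted, BASE);
  } catch {
    return null;
  }
  if (!ALLOWED.has(url.protocol)) return null; // rejects javascript:, data:, etc.
  if (sameOriginOnly && url.origin !== new URL(BASE).origin) return null;
  return url.href;
}

// Vulnerable pattern from the summary: the parameter goes straight into href.
function renderLinkUnsafe(param) {
  return `<a href="${param}">Continue</a>`;
}

// Hardened: validate the scheme first, then escape for the attribute context.
// Validation happens at the sink, so it holds no matter which click handler
// (regular click, middle click) ends up following the link.
function renderLinkSafe(param) {
  const href = safeHref(param) ?? "#";
  const esc = href.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return `<a href="${esc}" rel="noopener noreferrer">Continue</a>`;
}
```

A string blocklist for "javascript:" would miss the mixed-case and tab-split forms that the parser normalizes, which is why the check runs on the parsed protocol.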