The Wodify gym management web application is designed to help gyms grow. It is heavily used among CrossFit boxes, mainly in the US, but also across other continents and countries.
The application had three vulnerabilities. The first two are fairly standard: 4 stored XSS and insufficient access controls via an IDOR. These are common findings and not particularly unique.
The final bug was a bit more interesting! A specific page exposes the user's hashed password and JWT, but only to that user. At first glance this does not seem like a terrible security problem, since only the user can see it.
However, one of the stored XSS vulnerabilities mentioned above could be used to exfiltrate this information. This is definitely an issue and should be fixed as a defense-in-depth finding.
Just because authorization works properly does not mean that an information disclosure is not valid. To me, anything that allows persistent access to an account from a single vulnerability or a single view should be cause for concern. For instance, the ability to change a password without knowing the current password would be an issue. Interesting callout!