TL;DR: This is how I was able to exploit a HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program.

What is HTTP Request Smuggling? 📖

If you already know what is HTTP Request Smuggling you can skip this section but if you want to know the basics I’d recommend read carefully.

In this section I’ll try to put everyone under the same page covering only the basics about HTTP Request Smuggling. If you want to learn in details I recommend you read this documentation, …

TL;DR: This is about how I got Account Takeover (ATO) vulnerabilities on two big e-commerce companies and a bypass after the first fix for one of the issues with a nice exfiltration technique. These two companies have private bug bounty programs so I’m not allowed to reveal their names. 🤐


Every time that I need to do a penetration test in a web application I always start by understanding the business behind in order to find the feature with the biggest impact. Most of the time authentication related feature is my choice which some times lead to an ATO.


TL;DR: There are a bunch of sensitive data stored on search engine cache servers related to some Microsoft services but this is fine.

Let’s begin at the end 🏁

I tried to report what I’m going to describe in this post three times and got the email below as final answer.

TL;DR: A simple and straightforward evaluation of subdomain enumeration tools available on the internet based on number of subdomains found and in how much time.


Subdomain enumeration become more and more important for an attacker in the last few years and different tools with different approaches are been developed so far.

In a world with so many tools a simple evaluation can help to decided which tool should use in each case.

In this post I’ll provide the results of a simple and straightforward evaluation of the following subdomain enumeration tools:

TL;DR: This is a story how I accidentally found a common vulnerability across similar web applications just by reusing cookies on different subdomains from the same web application.

The accident

I usually do bug bounty in my free time and for every single target I always try subdomain takeover using a tool called tko-subs. Of course even before running tko-subs I need to enumerate all possible subdomains that I can find and for that I use Amass and SubFinder tools.

I was playing with a private bug bounty program for a big private company called as Example in this post. …

Meu objetivo inicial era levantar um grana extra e em segundo lugar aprender mais sobre web security então escolhi um Bug Bounty Program no HackerOne que era recente, para ter mais chances de achar algo, e que pagava razoavelmente bem. Infelizmente acabei atingindo somente o segundo objetivo.

Não me lembro exatamente como foi, mas acabei escolhendo um grande serviços de streaming o qual já utilizava a versão gratuita por um bom tempo. De cara achei um XSS que só funcionava no IE 7 e ainda por cima era fora de escopo do programa. Depois achei algo que prefiro nem comentar…

Ricardo Iramar dos Santos

Alguém a procura de autoconhecimento constantemente.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store