novelraw Chapter 110: Pentesting 3
Chapter 110: Pentesting 3
You might be wondering why the number is so shocking right, like sixty-four bugs? And it’s from a large platform like SocialHub?
A company worth trillion and was run by thousands of developers? Because it makes sense since its worth trillions.
Don’t assume that companies are airtight, since the scale doesn’t make it bulletproof but a bigger target.
Due to his godly programming skill and his knowledge of how these systems were built, while others worked through enough source code and decompiled enough applications to understand.
He was given the ability by the system to understand one thing clearly and that is unvalidated redirects were everywhere.
They weren’t complicated bugs. In fact, they were ridiculously simple.
This happens because developers often forget to validate redirect parameters, which is a common oversight.
This issue is especially prevalent in login pages, password resets, confirmation emails, ads and anything that needs to send a user somewhere else.
These kinds of flaws weren’t usually dangerous on their own, since they didn’t grant server access or expose databases.
That’s why their severity was considered low, and companies like SocialHub didn’t treat them as high priority.
However, they still mattered, especially on platforms built on trust, because a redirect link from socialhub.com, appears legitimate to most users.
If someone disguises a phishing link using that, then it’s game over. That’s why even if one endpoint is fixed, it doesn’t mean the other hundred like it are.
And that’s the thing about massive platforms like SocialHub. With billions of users and hundreds of services, it was easy for the same bug to exist in ten different places, even if the security team had patched it once before.
Most elite programmers can scan a few hundred endpoints in a day, but Jeff had scanned over 1,700 in an hour.
While elite programmers take 30 minutes to scrape URLs, for his AI it does it in 2. Also, elite programmer test one redirect in 30 seconds, but he does it in 1 seconds.
Validating with curl? 10 seconds for Jeff, and it is 1 or 5 minute for them. Logging, reporting, and formatting were all automated and instant on his side.
The difference you may ask?
Is that elite programmers write great tools like scanners, validators, maybe even automation scripts.
Also, their experience of dealing with same problem over and over again was a big help as well.
They work efficiently, but each step still depends on them. While Jeff on the other hand, builds full systems.
His tools don’t just follow commands they can think, filter, and act on their own.
Example of this is RAZi that scrapes thousands of URLs in minutes, GhostCheck scans and validates each one in seconds, and the report writer documents everything instantly with no manual input.
While elite programmers are still writing scripts or waiting for results, he is already done. With every log reviewed, every flaw documented, and every report packaged.
Work: Reflected XSS Probe
Note: Reflected XSS vulnerabilities typically occur in search boxes, error pages, and query parameters where user input is immediately reflected in the page without proper encoding or sanitization.
Focus your testing on endpoints that dynamically insert query data into the DOM or template without storage.
...
So after choosing this he then began to work, after compiling a custom tool called mirrorcheck, Jeff launched a targeted scan across vulnerable form fields and query parameters.
His script tested payload reflections without rendering JavaScript, allowing RAZi to confirm XSS behavior based on raw responses.
Within 45 minutes, he had confirmed multiple reflected XSS flaws across outdated mobile and support endpoints.
GhostCheck’s output was converted to HTML-safe proof-of-concept links, and RAZi automatically generated clean reports for submission.
Each one included payload, vulnerable parameter, and server response headers.
For the results? Over 12 medium-severity XSS vulnerabilities, were submitted in a single encrypted batch.
...
Work: Improper Auth Redirect Discovery
Note: Several authentication and login flows use redirect URLs to return users to their destination post-login. These redirect parameters must be validated against a whitelist.
If you discover any redirection endpoints that accept unvalidated third-party URLs, they may qualify for a medium severity reward.
...
Seeing this, he developed a redirect abuse detector called AuthHop, which simulated a login session and intercepted redirect chains.
If any login endpoint allowed redirection to an untrusted external site after login without validating the destination, it was flagged.
RAZi integrated the scanner into an active testing loop with rotating dummy accounts, and within half an hour, Jeff had mapped five authentication flows that could be tricked into rerouting users to phishing traps.
Finding some of it, he continued much further and the results?
The results were 26 medium vulnerabilities, each documented with step-by-step token capture and redirect bypass methods.
...
Work: Stored XSS Injection Scan
Note: Dynamic content is supported in various user-facing modules. If user-submitted input (e.g. comments, bios, group names) is stored in the database and rendered to other users without proper sanitization, it may result in stored XSS.
Please limit tests to designated test fields or isolated environments.
...
Reading the description about this specific work, he understood that stored XSS was too risky to test manually because it involved injecting malicious scripts into web applications, which could persist in databases and execute whenever a user accessed the affected page.
Unlike Reflected XSS, which required immediate interaction, Stored XSS could spread silently, targeting multiple users over time.
Testing it manually could inadvertently expose sensitive data, compromise accounts, or even escalate privileges within an application.
Automated tools were necessary to safely detect and analyze these vulnerabilities without triggering real-world consequences.
Because of that, Jeff developed a Rust-based payload injector that safely delivered test scripts into comment fields, message boxes, and user bios.
Each script was enclosed in harmless