
Posts

Showing posts from May, 2020

Facebook Messenger bug. React to any message on behalf of a Facebook Page

Reacting to Facebook Messages: An Admin can interact with his Facebook Page through the Facebook Page's Inbox; there is no UI to react to the messages like HAHA, LOVE etc. Reply to the messages: You must know about WhatsApp Messenger's Reply feature, where you can reply to a particular message. There is something similar for Facebook Messenger too. You can reply to a message by hovering over the message, and there will be a "Reply" option. Click on that. Now type some random message, click on "Send" and intercept the request. You can find in the HTTP request that there is a parameter "message_id" in the message body. Change it to some other message_id that doesn't belong to the chat that you currently have open. Now I sent the request. There was an error thrown saying "The content is longer available". Now my next adventure to try to find a bug in the Messaging continues. If you have a conversation with your girlfriend you can alway

Facebook comments Spam Bypass

Facebook comments don't allow you to post the same comment all the time, and this is the story of how I bypassed this spam protection. It was a very hot afternoon and I was scrolling my Facebook News Feed, which is flooded by the posts of actors and others. I was continuously posting the URL of a YouTube video. Actresses and other Facebook Pages allow commenting. So I was commenting the same URL on a lot of posts, including the actors'. Suddenly a pop-up was shown saying "You can't post at this time" and that it was going against their terms of service. So I thought to myself, I need to bypass this. I just posted another URL of the video. Now it allowed me to post! What a surprise! It allowed me to post a different URL. I was curious to know why it happened, and next I posted the previous URL that I had been posting continuously once again. Again there was an alert pop-up saying the same message about spam. If you are aware about the Linkshim that Facebook uses.

Instagram private account stories View any private account story

Last Sunday, I was testing Instagram stories with two devices: one was an Android phone and the other was a desktop with Windows OS. User A is on the Android device and User B on Windows. Scenario 1: Story settings of User A. "Who could reply to your stories" has 3 options: Your followers, People you follow back, No one can reply. From User B's account, I turned on the web proxy. I opened up the story of User A, who had just posted. Now I started replying to his story and eventually turned on the proxy. I clicked on the Send button. I also started to reply to the stories of a few celebrities of India, but all good comments.😂 There was a POST HTTP request that was sent from my browser to the Instagram servers:

    POST direct/***//**/send
    Cookie: ajdslfkjalksdjfl;jasldjflajsdf
    X-INSTAGRAM-Header: qlwejrjqwejjqw
    X-CSRF:aljslkjflk;ajsldfj

    text="USER"&repliedToMedia=[STORY_ID]

Now I sent this to repeater. Now with User A's account I changed the se

XSS OWASP | Cross site Scripting - What is it ?

What is Cross-site scripting or XSS? XSS is ranked among the top 3 Web App Vulnerabilities in OWASP. It is basically the injection of scripts that run on the web, written in JavaScript (JS). The scripts are called payloads. For example, alert(document.domain) or any inline scripts like <img src=x onerror = alert("XSS exists")> What's the use of XSS? Well, you could steal the cookies of other users. What are cookies? Cookies are small pieces of data that are sent by the server of the Web Application so that it may know you are an authenticated user. Here is an example of the alert box of the executed JS code. I injected an inline script that you see as a broken image. Now you click on the image --> Did your browser prompt an alert box? Yes.... the script is executed. If you could execute the script you entered, you could inject your own piece of JS scripts inside the web apps and could do anything with the user account like sending a friend request on

Facebook Access token Bug | Adding Ad Accounts in Facebook Business

Facebook Business lets you add an Ad Account to your account. This bug lets a Facebook Ad Account be added into the Facebook Business with only public permission for the access token. To add the Ad Account to your Facebook Business, you need to have Business and Ad Account permissions for the access token. Once you click on the "Confirm" button in the dialog window after adding the ID of the Ad Account to add, you get the following HTTP request intercepted. Then there was a flaw. I tested with an access token with no permissions, or also with public profile permissions, and found that it actually works and gets the Ad Account added into the Facebook Business. Bounty $500

GOOGLE PAY $$$ bounty | CSRF Bug in Google Pay

Google Pay CSRF vulnerability. The Google Pay app is a service that lets you make payments online using UPI. But I found it on the Web Application, where a user can request money from another user. The HTTP request sent when a user requests money is as seen in the image: It contains the HTTP header that carries the anti-CSRF token. I deleted the anti-CSRF token and sent the request. After a few seconds you get a mail from the victim that has requested money. After I submitted the report, I got a reply within 24 hours. Bounty $500