Note: In this blog the website will be referred to as target.com instead of the original website. Every parameter name in the application will be written as “Param”, and the values will be either asterisks “*” or some hand-typed gibberish. …


As discussed in the previous blog, I successfully performed an HPP attack on the user; now let’s see how I turned it into XSS via HPP.

What is XSS?

Cross Site Scripting (XSS) allows clients to inject scripts into a request and have the server return the script to…


Note: This blog is divided into two parts: part I is about how I figured out that the application is vulnerable to HTTP Parameter Pollution, and part II is about how I converted it into stored XSS. The client name and some related details will not be shared.

What is…


NOTE: In the scenario below I will consider myself the attacker and explain accordingly. Consider that user1 is mapped to the attacker’s mobile number and user2 is mapped to the victim’s mobile number.

In this blog I will be talking about the mobile application that I was testing for the client…

Amey Muley
