Ethical Hacking Achievements


I've hacked a lot of stuff. Here are some of my greatest achievements.
All vulnerabilities were disclosed to the webmaster after discovery. I did not take any malicious actions; this is purely whitehat.


Notable Hacks


Amazon.com

(Online retailer)
Date: 4/2/2017
Hack: Stored XSS on amazon.com. Allowed for the theft of session cookies (and hence the account) of authenticated users that visited the malicious URL.

Purdue.edu

(Official website of Purdue University)
Date: 9/12/2016
Hack: Reflected XSS on mypurdue.purdue.edu subdomain. Allowed for access to users' payment details and personal information.

Webassign.com

(Online homework website used by Purdue, U of Washington, MIT, and other top universities)
Date: 1/2/2017
Hack: RCE, Privilege escalation, User account takeover, XSS.

G-eazy.com

(Website of famous rapper, G-Eazy)
Date: 4/2/2016
Hack: Complete database takeover, remote code execution, PHP shell. Hacked via a WordPress plugin vulnerability.

Profit.ly

(Stock trading website for investors)
Date: 2/5/2017
Hack: Stored XSS on profit.ly in profile page and private message system. Allowed for theft of session (and hence the account) of users that viewed my profile and/or anyone I sent a private message to. In addition, I also found a vulnerability in the site's API that allowed thousands of passwords to be tested against a single account at once. By leveraging this vulnerability, I was able to gain access to the website Administrator's account in a matter of minutes.

Wireframe.cc

(An application development prototype tool used by companies such as Uber and Tinder.)
Date: 7/31/2017
Hack: Full remote code execution and database takeover via an unrestricted file upload vulnerability in the profile picture upload tool. Additionally, I was able to find a persistent XSS vulnerability and a content security policy bypass, which allowed for the theft of session cookies (and hence the account) of authenticated users that visited the malicious URL.

Dotabuff.com

(Stats and analysis website for one of the most popular video games in the world)
Date: 9/13/2016
Hack: Stored XSS on dotabuff.com. Allowed for the theft of session cookies (and hence the account) of anyone that visited the malicious URL.

Fun Hacks


McGraw-Hill Connect

(McGraw-Hill Education's online learning platform)
Date: 2/20/18
Hack: Bypassed forced reading system (each assignment forces you to read the online textbook for 30 minutes, using JavaScript to check for user interaction). This was done by editing HTTP POST data sent via AJAX by JavaScript running in the browser. By capturing this data with Chrome Developer Tools and analyzing the network request, I was able to spoof a request and send it via curl to complete any reading assignment instantly. Additionally, I was able to extract the answer database on homework assignments (for some reason they thought it would be a good idea to do the grading client side!).

GoGo In-Flight WiFi

(Paid in-flight WiFi service used by Southwest, American Airlines, United, Delta, and more)
Date: 1/23/17
Hack: Bypassed payment system to get free WiFi on any flight. I discovered three ways to do this: Mobile-device cookie replication, SSH tunneling through open port in GoGo inflight proxy, and MAC address theft.

MacmillanHighered.com

(Macmillan Publishers Ltd.'s homework website)
Date: 9/2/2016
Hack: Retrieved answer databases for all online courses. Let's just say I didn't have to do any homework this year ;)

SoCalPrepLegends.com

(High School sports website)
Date: 1/16/2016
Hack: Hacked the voting system to manipulate which school won the class spirit competition (spoiler: my school won).