Vickie Li

Investigator of Nerdy Stuff

Vickie Li is a professional investigator of nerdy stuff, with a primary focus on web security. She began her career as a web developer and fell in love with security in the process. Now, she spends her days hunting for vulnerabilities, writing, and blogging about her adventures hacking the web.


Why Is It So Hard To Prevent Open Redirects?

In my last post, we talked about how open redirects can allow attackers to steal tokens from OAuth systems. Today, let’s take a deeper dive into open redirects and explore why they are so prevalent in web applications! Sites often have HTTP or URL parameters that cause the web application to redirect to a specified URL without any user action. An open redirect is a type of vulnerability that occurs when an attacker can manipulate the value of this parameter and cause users to be redirected...


Stealing OAuth Tokens With Open Redirects

SSO is a feature that allows users to access multiple services belonging to the same organization without logging in multiple times. For example, if you are logged into “facebook.com”, you won’t have to re-enter your credentials to use the services of “messenger.com”. This way, companies with many web services can manage a centralized source of user credentials instead of keeping track of users for each site, and users won’t need to log in multiple times when using the different services...


More Than Subdomain Takeover: Ways To Takeover, Hijack And Impersonate Your Website

In my last post about subdomain takeovers, we talked about what subdomain takeovers are and how hackers can use them to attack shared-session SSO. Today, let’s dive deeper into subdomain takeovers and some other ways hackers can hijack your website. Subdomain Takeover Recap: a subdomain takeover is when a hacker takes control of a company’s unused subdomain. It happens when a stale DNS entry points to a domain that is available for registration. Let’s say a company hosts its site on a...