Last active March 12, 2026 22:10
```http
POST /oauth/token HTTP/1.1
Host: www.strava.com
Content-Type: application/x-www-form-urlencoded
User-Agent: BurpSuite
Connection: close

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
grant_type=client_credentials


https://www.strava.com/oauth/authorize?client_id=32726&response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback&scope=activity:read_all&approval_prompt=force


GET /oauth/authorize?response_type=code&client_id=32006&redirect_uri=https%3A%2F%2Fuat.livewellatciti.com%2Fservice-auth&scope=activity:read_all&state=test123 HTTP/1.1
Host: www.strava.com
User-Agent: BurpSuite
Connection: close


POST /oauth2/token HTTP/1.1
Host: api.fitbit.com
Authorization: Basic BASE64_ENCODED(CLIENT_ID:CLIENT_SECRET)
Content-Type: application/x-www-form-urlencoded
User-Agent: BurpSuite
Connection: close

grant_type=client_credentials


POST /v2/oauth2/token HTTP/1.1
Host: api.misfit.com
Content-Type: application/x-www-form-urlencoded
User-Agent: BurpSuite
Connection: close

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
grant_type=client_credentials


POST /oauth2/token HTTP/1.1
Host: developer.underarmour.com
Content-Type: application/x-www-form-urlencoded
User-Agent: BurpSuite
Connection: close

client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
grant_type=client_credentials


POST /v2/oauth2 HTTP/1.1
Host: wbsapi.withings.net
Content-Type: application/x-www-form-urlencoded
User-Agent: BurpSuite
Connection: close

action=requesttoken&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
grant_type=client_credentials
```
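Added example, not part of the gist: Python that builds the `client_credentials` token request for each provider listed above, switching between credentials in the form body and HTTP Basic (Fitbit) and adding the Withings `action` field, then redacts the secret before the request is logged. The endpoints come from the requests above; the client id, secret and token response used here are constructed placeholders.

```python
"""Build and safely log client_credentials token requests for the providers above."""
import base64
import json
import re
from urllib.parse import quote, urlencode

# Endpoint, credential placement and extra fields, as seen in the requests above.
# "body": client_id/client_secret as form fields; "basic": HTTP Basic (RFC 6749 s2.3.1).
PROVIDERS = {
    "strava":      ("https://www.strava.com/oauth/token",           "body",  {}),
    "fitbit":      ("https://api.fitbit.com/oauth2/token",           "basic", {}),
    "misfit":      ("https://api.misfit.com/v2/oauth2/token",        "body",  {}),
    "underarmour": ("https://developer.underarmour.com/oauth2/token","body",  {}),
    "withings":    ("https://wbsapi.withings.net/v2/oauth2",         "body",  {"action": "requesttoken"}),
}

def build_token_request(provider, client_id, client_secret):
    """Return method, URL, headers and form body for a client_credentials grant."""
    url, auth_style, extra = PROVIDERS[provider]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = dict(extra)  # provider-specific fields go first (e.g. Withings action=)
    if auth_style == "basic":
        # RFC 6749 requires id and secret to be form-urlencoded before Basic encoding.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret  # urlencode escapes '&', '=' etc.
    fields["grant_type"] = "client_credentials"
    return {"method": "POST", "url": url, "headers": headers, "body": urlencode(fields)}

def redact_for_log(req):
    """Copy of the request with the Authorization header and client_secret masked."""
    headers = {k: ("[redacted]" if k.lower() == "authorization" else v)
               for k, v in req["headers"].items()}
    body = re.sub(r"client_secret=[^&]*", "client_secret=[redacted]", req["body"])
    return {**req, "headers": headers, "body": body}

def parse_token_response(raw):
    """Validate a JSON token response; returns (access_token, expires_in seconds)."""
    tok = json.loads(raw)
    if "access_token" not in tok or tok.get("token_type", "").lower() != "bearer":
        raise ValueError("not a usable bearer token response")
    ttl = int(tok.get("expires_in", 0))
    if ttl <= 0:
        raise ValueError("token response carries no positive expires_in")
    return tok["access_token"], ttl
```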
During testing, it was observed that sensitive CI/CD related information was exposed in client-side JavaScript files. The exposed data included internal Jenkins configuration details, service URLs, environment variables, and pipeline metadata, which could aid an attacker in infrastructure reconnaissance and further attack planning.
During testing, it was observed that the Report Manager functionality does not properly sanitize or encode user-supplied input in the Add Static Text feature. An injected XSS payload was successfully stored in the application and later executed when the content was accessed while creating a new report.