Sign up to save your podcasts
Or
Share Ep. 11 – Account Takeover, Token Misuse, and Deserialization RCE: When Trust Goes Wrong
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ep. 11 – Account Takeover, Token Misuse, and Deserialization RCE: When Trust Goes Wrong
One flawed password reset. One shared session token. One dangerous object.
In Episode 11 of Hacked & Secured: Pentest Exploits & Mitigations, we break down three real-world vulnerabilities where trust between systems and users broke down—with serious consequences.
- Account Takeover via Forgot Password – A predictable ID and exposed tokens let attackers reset passwords without access to email.
- Session Hijack in OTP Login – A logic flaw in how login tokens were handled allowed full account access with just a user ID.
- Remote Code Execution via Java Deserialization – A community-contributed finding where an exposed service deserialized untrusted input, leading to code execution.
These aren’t complex chains. They’re common mistakes with big impact—and important lessons for developers, security teams, and testers.
Chapters:
00:00 - INTRO
00:59 - FINDING #1 - Account Takeover via Forgot Password
06:26 - FINDING #2 - Shared Session Token in SMS Login Flow
10:39 - FINDING #3 - Java Deserialisation to Remote Code Execution
16:13 - OUTRO
Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!
🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us → [email protected]
🔗 Podcast Website → Website Link
View all episodes
By Amin MalekpourOne flawed password reset. One shared session token. One dangerous object.
In Episode 11 of Hacked & Secured: Pentest Exploits & Mitigations, we break down three real-world vulnerabilities where trust between systems and users broke down—with serious consequences.
- Account Takeover via Forgot Password – A predictable ID and exposed tokens let attackers reset passwords without access to email.
- Session Hijack in OTP Login – A logic flaw in how login tokens were handled allowed full account access with just a user ID.
- Remote Code Execution via Java Deserialization – A community-contributed finding where an exposed service deserialized untrusted input, leading to code execution.
These aren’t complex chains. They’re common mistakes with big impact—and important lessons for developers, security teams, and testers.
Chapters:
00:00 - INTRO
00:59 - FINDING #1 - Account Takeover via Forgot Password
06:26 - FINDING #2 - Shared Session Token in SMS Login Flow
10:39 - FINDING #3 - Java Deserialisation to Remote Code Execution
16:13 - OUTRO
Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!
🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us → [email protected]
🔗 Podcast Website → Website Link