University-application portfolio in Web Application Security & Bug Bounty Research.
This repository documents an end-to-end web-application security research exercise: from passive reconnaissance and threat modelling, through static analysis of client-delivered JavaScript, to formal vulnerability disclosure in HackerOne / Bugcrowd report format.
All work is conducted under strict ethical boundaries: no active exploitation, fuzzing, or unauthorized authentication attempts were performed against any production target. Every finding documented here is reproducible from artefacts that the targets themselves deliver to any visiting browser as part of normal operation (HTML, JavaScript bundles, OAuth redirect URLs).
.
├── threat-model.md # Cross-target threat model
├── client-side-audits/
│ └── 35awards.md # Detailed JS static review
└── reports/
└── 35awards-oauth-state-pkce.md # H1-format disclosure
| Document | Description |
|---|---|
threat-model.md |
Attack-surface analysis of three production targets (IELTS booking platform, photography contest, and a third site that proved unreachable). STRIDE-mapped, OWASP-tagged. |
client-side-audits/35awards.md |
9-finding static review of request_photo.js and the live VK OAuth flow. Two High-severity confirmed findings. |
reports/35awards-oauth-state-pkce.md |
Full HackerOne-format disclosure report for the OAuth state / PKCE finding (CVSS 7.4). |
The "Sign in with VK ID" flow initiates the OAuth authorization-code
grant with empty state, code_challenge, and
code_challenge_method parameters — direct violation of RFC 6749
§10.12 and RFC 7636. Login-CSRF / account-takeover primitive.
CVSS 7.4 | CWE-352, CWE-345.
The photo.setLike endpoint is invoked via dataType: 'jsonp',
which by design bypasses CORS. Any external website can issue
silent vote / favourite actions on behalf of an authenticated
35awards visitor — undermining the contest's core integrity.
CWE-352 | OWASP A01:2021.
URL grammar suggests a PHP front-controller of the form
(new $_GET['type'])->{$_GET['type2']}() — a class-name and
method-name injection primitive (CWE-470) if not server-side
allow-listed.
| Standard | Use |
|---|---|
| OWASP WSTG v4.2 | Test-case taxonomy |
| OWASP API Security Top 10 (2023) | API-tier finding mapping |
| OWASP ASVS v4.0.3 | Verification requirements |
| STRIDE | Threat enumeration per asset |
| CVSS 3.1 | Severity scoring |
| CWE / MITRE | Weakness classification |
| RFC 6749, RFC 7636, RFC 6819 | OAuth-specific compliance |
Every analysed artefact in this repository was obtained passively:
- HTML responses delivered to a browser by visiting public URLs.
- JavaScript bundles loaded as part of normal page rendering.
- OAuth initiation URLs produced by clicking publicly accessible login buttons.
No active probes, no automated scanners, no exploit payloads, and no authentication attempts were issued against any production target. Proofs-of-concept are documented as logical consequences of observed misconfigurations and have not been executed.
I subscribe to a 90-day coordinated-disclosure window in line with ISO/IEC 29147 and the practice of Google Project Zero.
Active testing was performed exclusively against authorized lab environments (PortSwigger Web Security Academy, HackTheBox, TryHackMe).
- OAuth 2.0 / OIDC threat modelling (RFC-level analysis)
- JavaScript static analysis: DOM-XSS sinks, JSONP CSRF, dynamic dispatch
- CSRF / SameSite / cookie-flag analysis
- IDOR / BOLA / API authorization patterns
- File-upload security (legacy Flash /
uploadifyCVE awareness) - HackerOne-format disclosure writing
- CVSS 3.1 scoring, CWE / OWASP mapping
- Coordinated disclosure ethics (ISO/IEC 29147)
- GitHub:
https://github.com/NovaCode37 - Email:
entropq2@gmail.com - LinkedIn:
https://www.linkedin.com/in/saveliy-g-4a70463bb/
This portfolio is presented for academic-admissions purposes. All research conducted in compliance with applicable computer-misuse legislation and platform terms of service.