🔬 ATLAS SECURITY LAB

Lab Vulnerabilities

Stored XSS in Captions
  The video caption/title is rendered via innerHTML — try <img src=x onerror=alert(1)>
SSRF via Avatar URL
  POST /upload accepts an external avatar URL — the server fetches it directly
Token Exposed in Storage
  tt_session is kept in localStorage rather than an HttpOnly cookie
Rate Limit Bypass
  POST /api/like has no rate limit — unlimited likes
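Server-side check for the avatar-URL SSRF item above, written as an added example (not the lab application's own code): the handler validates the URL and the addresses it points at before fetching. Function names, the stub resolver and its table are assumptions.

```python
"""Constructed example: validate a user-supplied avatar URL before the
upload handler fetches it. Hypothetical names; not the lab app's own code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}


def system_resolve(host):
    """Resolve a hostname to all of its addresses with the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def sample_resolve(host):
    """Constructed stand-in resolver so the example runs offline."""
    table = {"cdn.example.com": ["8.8.8.8"],        # public address
             "intranet.example.com": ["10.0.0.5"]}  # private address
    return table[host]                               # KeyError = unresolvable


def is_safe_avatar_url(url, resolve=system_resolve):
    """True only if the URL is https, carries no credentials, and every
    address it points at is publicly routable. Loopback, private, link-local
    (cloud metadata endpoints live in 169.254.0.0/16), reserved, multicast
    and unspecified ranges are rejected, as is anything that fails to resolve."""
    try:
        parts = urlsplit(url)
    except ValueError:                        # malformed URL, e.g. bad brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)            # IP literal: check it directly
        addrs = [host]
    except ValueError:                        # hostname: check what it resolves to
        try:
            addrs = resolve(host)
        except Exception:                     # fail closed on any resolver error
            return False
    if not addrs:
        return False
    try:
        return all(ipaddress.ip_address(a).is_global for a in addrs)
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://cdn.example.com/a.png", "https://169.254.169.254/latest/",
              "https://intranet.example.com/a.png", "http://cdn.example.com/a.png"):
        print(u, "->", "allowed" if is_safe_avatar_url(u, sample_resolve) else "rejected")
```

The check only helps if the fetch then connects to the address that was validated and does not follow redirects unchecked; a second resolution at connect time or a redirect to an internal host would otherwise bypass it.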

Sign in to TikTok

Manage your account, check notifications, comment on videos, and more.

🔬 LAB ACCOUNTS
atlas_tt / tiktok123
creator_99 / create99
tt_admin / admin2024