🔬 ATLAS SECURITY LAB

Lab Vulnerabilities

Stored XSS in Tweets
Tweet text is assigned to innerHTML without sanitisation, so markup in a tweet executes in every viewer's browser. Try posting <img src=x onerror=alert(document.cookie)>.
OAuth Token Leak
The session token tw_token is kept in localStorage, which any script running on the page can read. Unlike a cookie it cannot carry the HttpOnly flag, so the stored XSS above can exfiltrate it.
IDOR on DMs
GET /api/dm/[thread_id] returns the thread without checking that the caller is a participant. Change the ID to read other users' DMs.
Password Reset Poisoning
The reset link in the password reset email is built from the request's Host header, which is not validated, so a reset request sent with an attacker-controlled Host delivers the victim a link pointing at the attacker's domain.
🔬 LAB ACCOUNTS
@atlas_sec / tw123
@victim_tw / victim99
@tw_admin / admin2024