Showing posts from August, 2018

How I got access to Fastly account of dev.to

Hey mates, hope you all are good. This is my first write-up, about how I gained access to a company's (dev.to) Fastly account.

One day I got an email that dev.to was going open source on GitHub. Previously I had found a critical account takeover bug in dev.to via stored XSS and got rewarded (write-up later). Since I have an account on dev.to, I received this mail. Now let's get started.

(Image: email from dev.to)

Now I was damn sure that there was something the developers had missed while making the dev.to project open source on GitHub. First I visited their GitHub project at https://github.com/thepracticaldev and started searching manually for secret keys, private keys and API keys. While searching for API keys I came across cache_buster.rb, which was leaking the Fastly API key like this:

with( headers: { "Fastly-Key" => "k 15177t3dctdg27138b03c737688c 84g " })

Don't waste your t
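The leak described above is a credential written as a string literal in a request-header hash. The following pre-publication check is an added example, not code from the original post or from the dev.to repository; the header list, the `scan_source` helper and the sample source are assumptions constructed for illustration.

```ruby
# Added example: flag string-literal credentials in HTTP header hashes
# before a repository is made public.
# Assumed starting list of sensitive header names; extend as needed.
SECRET_HEADERS = %w[Fastly-Key Authorization X-Api-Key].freeze
NAMES = SECRET_HEADERS.map { |h| Regexp.escape(h) }.join("|")

# Matches "Header" => "literal" and "Header": "literal".
# Values read from ENV[...] or built by "#{...}" interpolation do not match.
LITERAL_HEADER =
  /["'](?<header>#{NAMES})["']\s*(?:=>|:)\s*["'](?<value>[^"'#]{8,})["']/i

Finding = Struct.new(:path, :line_no, :header, :masked)

# Never echo the full secret into CI logs; show a prefix and the length.
def mask(value)
  "#{value[0, 4]}...(#{value.length} chars)"
end

# Returns one Finding per line that carries a literal credential.
# Comment lines are scanned too: a commented-out key is still published.
def scan_source(path, source)
  source.each_line.with_index(1).map do |line, no|
    m = LITERAL_HEADER.match(line)
    Finding.new(path, no, m[:header], mask(m[:value])) if m
  end.compact
end

# Constructed sample input; the key is a made-up placeholder.
SAMPLE = <<~'RUBY'
  client.post(url, headers: { "Fastly-Key" => "EXAMPLE_KEY_NOT_A_REAL_SECRET" })
  client.post(url, headers: { "Fastly-Key" => ENV["FASTLY_API_KEY"] })
  client.post(url, headers: { "Fastly-Key" => "#{api_key}" })
RUBY

scan_source("sample.rb", SAMPLE).each do |f|
  puts "#{f.path}:#{f.line_no}: literal #{f.header} value #{f.masked}"
end
```

A match in any commit means the key has to be rotated, not just removed from the current tree, because the git history is published along with the code.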