https://dedsec-2.github.io/tags/html-injection/Recent content in Html-Injection on DedsecHugoenSat, 09 May 2026 14:00:00 +0200https://dedsec-2.github.io/posts/client-side-auth-bypass-injection-chain/Sat, 09 May 2026 14:00:00 +0200https://dedsec-2.github.io/posts/client-side-auth-bypass-injection-chain/<h2 id="-intro">$ ./intro</h2> <p>Some targets look locked down at first glance. Login page, redirect on every protected URL, role-gated sections marked &ldquo;Not Authorized.&rdquo; You open Burp, run a few requests, and think <em>&ldquo;this is going to be a long day.&rdquo;</em></p> <p>Then you notice that none of the HTTP responses ever return a <code>302</code>. And your whole afternoon changes.</p> <p>This is a writeup of a web application penetration test against an internal manufacturing dashboard — a platform used by engineers, factory leads, and regional teams to track production data, file technical issues, and manage order queues. The application had a multi-role access model with pages supposedly gated behind authorization checks. What it did not have was any of those checks running on the server.</p>