Bug hunting is not always about looking for classic vulnerabilities (XSS, SQLi, SSRF, RCE, etc). Sometimes it is a search for a new problem domain. In this article, I will tell you how this not-so-standard approach to vulnerability searching helped me to find many critical problems.
One evening I came up with the idea of crossing Credential Stuffing and Bug bounty hunting. Credential stuffing is the search for leaked usernames and passwords for their use in popular online services, as most of the users love to use the same password everywhere. More often than not, “black hats” hack accounts in…
A couple of months ago, an interesting story happened to me. At that time I was working in a field not strongly connected with application security. And every month it became more and more obvious that something had to change. During the COVID-19 period, it was not very smart to change jobs. But the stars aligned and I was hired as an application security engineer for a very cool company. In between contracts, I was forced to take accrued vacation days. That’s how I arranged my vacation for three weeks. …
One morning, I was asked to participate in a private bug bounty program. In general, my experience in security is based on such private projects. This is good on the one hand, as there is almost no rush to find the most dangerous bug before the others. On the other hand, it’s a bad growth point. The growth point is definitely there, but the growth rate in this situation is quite slow. The person who wrote to me asked for a link to my HackerOne account. I shared the link to my profile. But I was a little embarrassed. My…
An SSL VPN is a type of virtual private network that uses the Secure Sockets Layer protocol — or, more often, its successor, the Transport Layer Security (TLS) protocol — in standard web browsers to provide secure, remote-access VPN capability. SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server!
And the clients of both major VPN vendors were hacked. Pretty interesting chains of vulnerabilities can lead to RCE.
Once upon a time, a friend of mine asked me a question: "Do you know any fresh RCE for the Jenkins environment?". I already knew about some old RCE PoCs, but that was not what we needed at that time. It was a fresh Jenkins environment. With a quick search, I realized that a new vulnerability, CVE-2019-1003000, had been discovered. Big thanks to Orange Tsai for such clear and interesting research on his blog. So I tried to understand his research while trying to build a working PoC for our target.
It has been a long time since my last article. There were so many interesting results in my work. It seems that it's the right time to share my knowledge and experience with you. But first, I want to point out that the two issues in this article are well known. Both of them have CVE numbers with patches and software updates. So maybe you will be lucky enough to find old versions in your testing scope.
That story happened when I saw that disclosed report.
And the funny thing is that I remembered seeing some Sentry requests in my Burp Suite Proxy history in my current project. From that point of view, I highly recommend not filtering the Proxy history. Who knows what kind of interesting information can be lost by filtering with only the "in scope" view.
These days, many things are trying to be "smart". In this article, I want to share an interesting story about smart vending machines. In order to use one, you need to register an account and link a credit card. Once I accidentally managed to open the menu of the operating system on one "smart" vending machine screen. It was just the basic Windows submenu, opened with a swipe from the right edge of the screen.
Actually, it was Windows 10.
Once I performed a pentest for one famous company. The object of testing was a platform for searching, licensing and managing music for use on YouTube. In the process of testing, I found a form for uploading my videos in the user's personal account.
But in such a simple action as uploading a video, I found two critical security issues.
The first problem was Unrestricted File Upload.
During upload, you could change the Content-Type and upload not only video files.
POST /user/video/upload/submit/?ajax=1 HTTP/1.1
Content-Disposition: form-data; name="video"; filename="Demo.php"
Actually, a PHP webshell was uploaded for verification purposes.
Unfortunately, the page…