Bug hunting is not always about looking for classic vulnerabilities (XSS, SQLi, SSRF, RCE, etc.). Sometimes it is a search for a new problem domain. In this article, I will tell you how this not-so-standard approach to vulnerability searching helped me find many critical problems.

One evening I came up with the idea of crossing credential stuffing with bug bounty hunting. Credential stuffing is taking username and password pairs from leaked databases and trying them against popular online services, since most users love to reuse the same password everywhere. More often than not, "black hats" hack accounts in…

A couple of months ago, an interesting story happened to me. At that time I was working in a field not strongly connected with application security. And every month it became more and more obvious that something had to change. During the COVID-19 period, it was not very smart to change jobs. But the stars aligned and I was hired as an application security engineer for a very cool company. In between contracts, I was forced to take accrued vacation days. That’s how I arranged my vacation for three weeks. …

Many people don't like client-side vulnerabilities. I'm not a fan of such vulnerabilities either, and I try to spend less time searching for them. You can't surprise anyone with endless alert boxes on pages. But sometimes these alert boxes can be worth their weight in gold, especially when JavaScript execution is a necessary link in a chain that exploits a serious problem. The serious problem we are talking about today is stealing a user's account.

In a classic XSS attack scenario, the payload always reads user data, grabs a token from local storage or cookies, modifies user data, changes data…

One morning, I was asked to participate in a private bug bounty program. In general, my experience in security is based on such private projects. On the one hand this is good, as there is almost no rush to find the most dangerous bug before the others. On the other hand, it is bad for growth. The growth is definitely there, but its rate in this situation is quite slow. The person who wrote to me asked for a link to my HackerOne account. I shared the link to my profile, but I was a little embarrassed. My…

An SSL VPN is a type of virtual private network that uses the Secure Sockets Layer protocol — or, more often, its successor, the Transport Layer Security (TLS) protocol — in standard web browsers to provide secure, remote-access VPN capability. SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take over all users connecting to the SSL VPN server!

And the clients of both major VPN vendors were hacked. Pretty interesting chains of vulnerabilities can lead to RCE.

Some of you…

Once upon a time, a friend of mine asked me a question: "Do you know any fresh RCE for a Jenkins environment?" I already knew about some old RCE PoCs, but that was not what we needed at the time: it was a fresh Jenkins environment. With a quick search, I realized that a fresh vulnerability, CVE-2019-1003000, had been discovered. Big thanks to Orange Tsai for such clear and interesting research on his blog. So I tried to understand his research while building a working PoC against our target.

I can't disclose the name of the target…

It has been a long time since my last article. There have been so many interesting results in my work that it seems like the right time to share my knowledge and experience with you. But first, I want to point out that the two issues in this article are well known. Both have CVE numbers, with patches and software updates available. So maybe you will be lucky enough to find old versions in your testing scope.

And I don't want to create hype around this article the way Avinash Jain did with the old Jira vulnerability in shared filters. …

That story happened when I saw that disclosed report.

And the funny thing is that I remembered seeing some Sentry requests in my Burp Suite Proxy history on my current project. Because of that, I highly recommend not filtering the Proxy history. Who knows what interesting information can be lost by filtering with only the "in scope" view.

The root of that issue was the Sentry configuration, specifically the JavaScript source fetching setting.

So basically you have a 50% chance of a successful SSRF vulnerability at that point on your target. …
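The advice above is to not filter the proxy history, because third-party telemetry requests such as Sentry's reveal which error-tracking instance the target talks to. The following is an added example, not code from the original post: it scans a Burp-style history export and a piece of front-end JavaScript for Sentry ingest endpoints and DSNs. The history lines, hostnames, project ids and key are all constructed for the example. What it surfaces is only the Sentry host and project; whether that instance has the source fetching setting enabled, and whether that turns into SSRF, still has to be checked by hand.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-history export (one "METHOD URL" per line, as Burp shows them).
# Hosts, project ids and the key are made up for this example.
SAMPLE_HISTORY = """\
GET https://www.example.com/app/main.js
POST https://o123456.ingest.sentry.io/api/7891011/store/?sentry_key=0123456789abcdef0123456789abcdef&sentry_version=7
POST https://sentry.example-internal.net/api/42/envelope/
GET https://cdn.example.com/logo.png
POST https://api.example.com/v1/login
"""

# Constructed front-end snippet containing a Sentry DSN (key@host/project).
SAMPLE_JS = 'Sentry.init({ dsn: "https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/7891011" });'

# Sentry's event ingest paths: /api/<project_id>/store/ (legacy) and /api/<project_id>/envelope/
SENTRY_INGEST_PATH = re.compile(r"^/api/(?P<project>\d+)/(?P<kind>store|envelope)/?$")

# DSN shape: scheme://<32-hex public key>@<host>/<project_id>
SENTRY_DSN = re.compile(r"https?://(?P<key>[0-9a-f]{32})@(?P<host>[^/\s\"']+)/(?P<project>\d+)")


def find_sentry_endpoints(history_text):
    """Return one dict per request in the history that targets a Sentry ingest endpoint.

    Each dict carries the Sentry host, project id, endpoint kind and the public key
    (None when the key travelled in a header or envelope body instead of the query string).
    """
    hits = []
    for line in history_text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue                      # blank or malformed export line
        _method, url = parts
        u = urlsplit(url)
        m = SENTRY_INGEST_PATH.match(u.path)
        if not m:
            continue
        key = parse_qs(u.query).get("sentry_key", [None])[0]
        hits.append({"host": u.hostname, "project": m["project"], "kind": m["kind"], "key": key})
    return hits


def find_dsns(text):
    """Extract (host, project_id, public_key) for every Sentry DSN embedded in JS or a response body."""
    return [(m["host"], m["project"], m["key"]) for m in SENTRY_DSN.finditer(text)]


if __name__ == "__main__":
    for hit in find_sentry_endpoints(SAMPLE_HISTORY):
        print(f"sentry ingest: host={hit['host']} project={hit['project']} kind={hit['kind']} key={hit['key']}")
    for host, project, key in find_dsns(SAMPLE_JS):
        print(f"dsn in source: host={host} project={project} key={key}")
```

A self-hosted Sentry host (the second hit above) is the more interesting finding, since the source fetching behaviour is a per-instance setting; a hit on `ingest.sentry.io` just tells you the target uses the hosted service.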

These days, many things try to be "smart". In this article, I want to share an interesting story about smart vending machines. In order to use one, you need to register an account and link a credit card. Once, I accidentally managed to open the operating system menu on the screen of one "smart" vending machine. It was just the basic Windows side menu, opened with a swipe from the right edge of the screen.

Actually, it was Windows 10.

Once, I performed a pentest for a famous company. The object of testing was a platform for searching, licensing and managing music for use on YouTube. During testing, I found a form for uploading videos in the user's personal account.
But in this simple video upload action, I found two critical security issues.

The first problem was Unrestricted File Upload.
During upload, you could change the Content-Type and upload not only video files.

POST /user/video/upload/submit/?ajax=1 HTTP/1.1
Host: www.redacted.com

Content-Disposition: form-data; name="video"; filename="Demo.php"

In fact, I uploaded a PHP webshell to verify the issue.

POC with my webshell

Unfortunately, the page…
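The upload above got through because the server trusted the client-supplied Content-Type and filename. Below is an added example of the server-side check a video upload endpoint should do instead; it is not code from the original post or from the tested platform, and the allowlist of extensions, the storage naming scheme and the sample uploads are all assumptions made for the example. The check ignores Content-Type entirely, allowlists the extension, rejects path components and double extensions, and sniffs the container's magic bytes, so a request with `filename="Demo.php"` and a PHP body fails twice over.

```python
import os
import re
import secrets

# Assumed allowlist for a video-only endpoint; the real platform's list is unknown.
ALLOWED_EXTENSIONS = {".mp4", ".mov", ".webm", ".mkv"}

# Assumed server-side destination: outside the web root, never served with execution rights.
UPLOAD_DIR = "/srv/uploads/video"


def sniff_video_type(head):
    """Identify the container from its leading bytes, ignoring whatever the client claimed."""
    if len(head) >= 12 and head[4:8] == b"ftyp":     # ISO BMFF box header: MP4, MOV, M4V
        return "video/mp4"
    if head.startswith(b"\x1a\x45\xdf\xa3"):         # EBML header: WebM and Matroska
        return "video/webm"
    return None


def validate_video_upload(filename, head):
    """Return (ok, detail): detail is the sniffed MIME type on success or the reason on rejection."""
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False, "filename contains a path component or is a hidden file"
    # Exactly one dot: blocks 'demo.php.mp4' / 'demo.mp4.php', which some servers execute on the inner extension.
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "filename must be <safe-name>.<ext>"
    ext = "." + parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} is not allowed"
    sniffed = sniff_video_type(head)
    if sniffed is None:
        return False, "content is not a recognised video container"
    return True, sniffed


def storage_path(filename, head):
    """Validate, then build a server-chosen path: random name, allowlisted extension, no client input in the name."""
    ok, detail = validate_video_upload(filename, head)
    if not ok:
        raise ValueError(detail)
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed sample uploads, shaped like the multipart part shown in the article.
    samples = [
        ("Demo.php", b"<?php system($_GET['c']); ?>"),          # the webshell from the PoC
        ("demo.mp4", b"<?php system($_GET['c']); ?>"),          # same shell, renamed to pass a name check
        ("demo.php.mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"),
        ("../demo.mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"),
        ("demo.mp4", b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"),
        ("clip.webm", b"\x1a\x45\xdf\xa3\x01\x00\x00\x00\x00\x00\x00\x1f"),
    ]
    for name, head in samples:
        print(name, validate_video_upload(name, head))
```

Magic-byte sniffing on its own is not enough: a valid MP4 with PHP appended still sniffs as video, which is why the extension allowlist, the server-chosen filename and a non-executable storage directory are all part of the check rather than alternatives to it.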

Valeriy Shevchenko

I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller
