In April of this year I participated in a private program on HackerOne that was vulnerable to a series of IDOR that led to a complete takeover of an application. Unfortunately because this is a private program, I cannot disclose the name or company related information per their request. However I wanted to share the details on how I escalated my basic privileges from a regular “customer” account to an admin user.
After presenting “Doing Recon Like a Boss” at levelUp and releasing a blog post on HackerOne about the same topic, I decided to start looking for a few vulnerabilities on public programs to see if that methodology is still applicable to public programs. As a part of this I decided to look at Slack and Snapchat’s bug bounty programs and preforming my recon exactly as described in the talk.
On 5/5/2016 ImageMagick was assigned CVE-2016-3714 “ImageMagick Delegate Arbitrary Command Execution”. Now let’s dig to this vulnerability and how to exploit this. Having ImageMagick locally installed is advised in order to validate the POC (but not required). For this particular report, I created a file named exploit.png with the following in the “source code” to get the target’s `id`:
In June of 2015, Patrik Fehrenbach and I were able to identify a series of vulnerabilities in a few of Apple’s productivity applications: Pages, Numbers, as well as Keynote available for OS X and iOS 8.x (or older). In short, the application failed to validate the input while parsing a document.
In this blog post I will be showing a few recent vulnerabilities reported and patched by the Yahoo Security Team. In July of 2014 I was able to identify a SSRF vulnerability affecting all of Yahoo’s services that required an image processing (such as flickr and Yahoo groups). This vulnerability was patched a few weeks ago (June 2015). Now let’s get to the good stuff:
Last month, we were able to report a vulnerability to Google where we were able to email from any domain that has not been claimed by its owner previously. For example, using google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.
Recently I was given the opportunity to speak at NBTCon (No Big Thing Con) held at the Sales Force office in San Francisco. In my talk I explained the basics of bug bounties, some ways to maximize your revenue, and also talked about how to make a productive report. Here’s a summary of the talk (with a little bit of extra info/details) and links to the slides:
Hello everyone. Today I will be covering a very short and fast write-up in regards to two of my latest findings while participating in Yahoo Bug Bounty! First of all I want to apologize for not having any visual (pictures/videos) for this write-up. Unfortunately, I lost a lot of data due to my malfunctioning laptop.
Hello, In my last research with Y! Toolbar and Flickr I was able to identify and report a few vulnerabilities to Yahoo. Keep in mind that before starting this research as I was installing a few things on my new box, I had accidentally installed Y! Toolbar on chrome (so my Windows box has chrome, but not my linux box). While poking around Flickr to find a few vulnerabilities, I had set a few titles as different XSS payloads which in the past had never worked but suddenly something was triggering the XSS payloads (keep in mind that I wasn’t able to reproduce my own vulnerabilities on my linux box). So what was causing these to suddenly work ONLY for me?
Hello. Normally I don’t write a write-up for XSS vulnerability; however this XSS was a bit different because it affects 100s of Yahoo! subdomains. After my SQL Injection on the HK sub-domains, I decided to actually start focusing on the more major sub-domains of Yahoo, and as a result I was able to XSS quite a few of Yahoo’s services.