When attacking any target, sooner or later you will want to take a look at some URLs. Where can you obtain them? From directory brute-force, gau, URLs copied from Burp and many, many other sources. This article is not about obtaining URLs. It's about what to do next...
#11
I have no time. Or do I?
*I have no time* is one of the most common sentences these days. To be fair, I hate it and I try to avoid it by all means. Why? Because I don't have time to spend 25 hours a day writing this newsletter. But I do have the time to spend 24 hours on it. Why don't I?...
SAML security
SAML stands for Security Assertion Markup Language. It's a way some applications implement SSO. It relies on signed data in XML. If you read the 9th issue of the newsletter, you know how to exploit differences in XML parsers😏. For SAML authentication there are even...
Strategy for a year of bug bounties
A few issues ago I promised to cover the presentation from zseano named PUTTING YOUR MIND TO IT: BUG BOUNTIES FOR 12 MONTHS, and here it is. In this talk, he gives a very concrete strategy for a whole year of bug bounty hunting. Here are my notes: First things first. You must...
Escalating blind SSRFs
In my career, there were a few times when I found functionality that allowed making requests to arbitrary locations but didn't show me the response. Even though I suspected there might be an SSRF, I wasn't able to show the impact. In the case of bigger bug bounty...
API security cheat sheet
A few newsletters ago, I linked to an article from the Detectify blog about testing API security. Today, I have something even better. arainho created a repository where he gathers all the information about API security. Apart from things that are in most...
Exploiting E-Mail Systems
Inti, head of hackers at Intigriti, is known for finding really cool vulnerabilities in places overlooked by others. In 2020, at NahamCon, he gave a really insightful presentation about attacking email systems. How complicated can they be? Turns out much more than we...
How I found thousands of criticals and all I got was $100
Two years ago, in 2019, I had some time for bug bounty during the holidays between two semesters at university. Back then, my friend Jarek discovered exposed Spring Boot Actuator endpoints during a pentest. It's a framework for monitoring and managing the Java...