When attacking any target, sooner or later you will want to take a look at some URLs. Where can you obtain them? From directory brute-force, gau, URLs copied from Burp and many, many other sources. This article is not about obtaining URLs. It's about what to do next...
#11
I have no time. Or do I?
*I have no time* is one of the most common sentences these days. To be fair, I hate it, and I try to avoid it by all means. Why? Because I don't have time to spend 25 hours a day writing this newsletter. But I do have the time to spend 24 hours on it. Why don't I?...
SAML security
SAML stands for Security Assertion Markup Language. It's a way some applications implement SSO. It relies on signed data in XML. If you read the 9th issue of the newsletter, you know how to exploit differences between XML parsers. For SAML authentication there are even...
Strategy for a year of bug bounties
A few issues ago I promised to cover the presentation from zseano named PUTTING YOUR MIND TO IT: BUG BOUNTIES FOR 12 MONTHS, and here it is. In this talk, he gives a very concrete strategy for a whole year of bug bounty. Here are my notes: First things first. You must...
Escalating blind SSRFs
In my career, there were a few times when I found functionality that allowed making requests to arbitrary locations but didn't show me the response. Even though I suspected there might be an SSRF, I wasn't able to show the impact. In the case of bigger bug bounty...
API security cheat sheet
A few newsletters ago, I linked to an article from the Detectify blog about testing API security. Today, I have something even better. arainho created a repository where he gathers all the information about API security. Apart from the things that are in most...
Exploiting E-Mail Systems
Inti, head of hackers at Intigriti, is known for finding really cool vulnerabilities in places overlooked by others. In 2020, at NahamCon, he gave a really insightful presentation about attacking email systems. How complicated can they be? Turns out much more than we...
How I found thousands of criticals and all I got was $100
Two years ago, in 2019, I had some time for bug bounty during the holidays between two semesters at university. Back then, my friend Jarek discovered exposed Spring Boot Actuator endpoints during a pentest. It's a framework for monitoring and managing the Java...