Sam Curry, one of the best hunters out there, wrote a blogpost about the topic of motivation in bug bounty. I think it’s always valuable to see words like this from someone like him because it can be puzzling why even the best hunters out there don’t do it...
#74
Bug bounty stats for the first 8 months
Shreyas Chavhan shared his exact roadmap for the first 8 months in bug bounty. I am a huge fan of initiatives like this that show us the real image, with the amount of time invested and not just the best parts. One of the things we can see here is the power of...
npm search RCE – Escape Sequence Injection
The bugs in this blogpost are very interesting. In short, the author uses escape sequences to execute a terminal command while only controlling the command’s output. I’ve read it a few times and I still don’t understand 100% how it works. I think it might also...
Burp’s automatic comments with GQL operation names
One thing that annoys me when working with GraphQL targets is that in the request log, all I see is a list of requests to the /graphql endpoint and I have to manually click each of them to find the interesting one. Thus, I used Burp’s underrated extension - Piper - to...
Attacking internal hosts for bug bounty
This is a very fun thing that Truffle Security has done! We all know many servers have misconfigured CORS, including internal websites. The problem with them is that from outside, we can’t reach them, so how do we exploit them? Truffle Security decided to purchase a...
OAuth #1 – How does it even work?
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...