In my career, there were a few times where I found functionality that allowed making requests to arbitrary locations but didn't show me the response. Even though I suspected there might be an SSRF, I wasn't able to show the impact. In case of bigger bug bounty...
Server-side hacking techniques
API security cheat sheet
A few newsletters ago, I linked to an article from the Detectify blog about testing API security. Today, I have something even better. arainho created a repository where he gathers all the information about API security. Apart from things that are in most...
Exploiting E-Mail Systems
Inti, head of hackers at Intigriti, is known for finding really cool vulnerabilities in places overlooked by others. In 2020, at NahamCon, he gave a really insightful presentation about attacking email systems. How complicated can they be? Turns out much more than we...
How I found thousands of criticals and all I got was $100
Two years ago, in 2019, I had some time for bug bounty during the holidays between two semesters at university. Back then, my friend Jarek discovered exposed Spring Boot Actuator endpoints during a pentest. It's a framework for monitoring and managing the Java...
How to access @company.com email address?
As promised, here's the hacking technique called the ticket trick that I mentioned in the last issue. It was initially found by Inti De Ceukelaire, Head of Hackers at Intigriti. What is it about? Many companies allow employees access to some services based on the fact...
Approaching GraphQL with turned off introspection
GraphQL is a query language that sits somewhere between the client and a backend system. The backend doesn't have to be a database; it might also be a microservice or even a third-party API. A few years ago it was only "something new", but today more and more companies...
gRPC and protobuf – what is this all about?
I see protobufs and RPC quite a lot lately. First, I saw protobufs in the CloudKit hack (you will see a video on my channel about it). Then I found a $500 bug affecting gRPC (a really simple vulnerability; I hope to disclose it once resolved), and this week I saw an...
Predicting MongoDB IDs for IDORs
MongoDB is a document-oriented database, also known as a NoSQL database. By default, objects are identified using 12-byte IDs. That's too much to brute-force, but those identifiers are not random. They are built like this: 4-byte value...
Race condition RCEs
When I say race condition, the first thing that comes to your mind might be redeeming a discount code twice, thus gaining some money. So what on Earth is a race condition RCE? It works best in apps where you can upload an executable file, for example PHP or ASP....
Dependency Confusion POC
Aditya Shende, Bugcrowd top 100, recently gave a talk about dependency confusion at DAMNCON. I don't see many practical articles about this vulnerability class, and many of you are asking for it. On the slides, you can see exactly what steps he took to reproduce the...