David Sopas – Web Security Researcher

03/08/15 Warning

It wasn’t me…

Some people say that it’s the price of fame, but I don’t think that’s the case.
Someone is using my name and reputation to contact site owners and sell their security services. Apparently it’s a guy from Pakistan using the email Paypalcaxper.pay@gmail.com.

31/08/15 Interesting Readings

Ashley Madison it’s the final countdown

The final chapter of BinaryEdge’s work on the Ashley Madison attack. Interesting data, and just one pick from it: the percentage of females [fembots] is incredibly low – 13.8%.

http://blog.binaryedge.io/2015/08/31/ashley-madison-a-conclusive-analysis/

28/08/15 Interesting Readings

Ashley Madison hack and world map data

The guys from BinaryEdge did an excellent job with a world map of the Ashley Madison data. Take a look at their blog post.

Also, Brian Krebs’s article about who hacked Ashley Madison is very good. Nice step-by-step investigation by the popular security journalist.

27/08/15 Bug Bounty, Meetings

Bounty ChitChat canceled

Why? I forgot that it’s my grandmother’s birthday. I could lie and tell you something technical, but no… It’s true :)
I’ll try to post another date next week.

Sorry!

21/08/15 Bug Bounty, Meetings

Bounty Chitchat

On 28th August at 09:00 PM (UTC/GMT +1 hour) I’ll create a channel on hack.chat where security researchers working on bounties can talk together and share ideas.
I’m thinking about an hour’s duration.

The main topic is bounty programs, so everything around them can be discussed.
I’ll provide the link to the chat on Twitter 5 minutes earlier, so don’t forget to follow me @dsopas.

Remember: Save the date!

19/08/15 Bug Bounty, Challenge

Results for the XSS challenge

The first challenge was very interesting. It was an easy challenge, but it’s a start. New challenges will be up soon.

The winners are [they were the first ones to submit a solution]:

1st Luciano Corsalini – $50 Amazon gift card

#<svg/onload=alert(`xss`)>

2nd Kenan – $25 Amazon gift card

#<svg/onload=alert(/xss/)>

For the bonus prize it wasn’t easy to choose. I decided to give a $25 Amazon gift card to the most creative XSS vector.

The winner was Abdulrahman Alqabandi:

#<iframe/src=//14.rs>

I would also like to share another pretty good solution from Ashar Javed:

<p/oncut=alert`xss`>x

Congratulations to the winners and to all participants. Thanks for your time and effort.
Winners will be contacted soon by email.

18/08/15 Swag

T-shirt, deck of cards and stickers from Cobalt.io

I would like to thank the Cobalt.io team for the gift pack they sent me.
Working with them is awesome, and I hope to keep helping and growing with you guys.

PS: Nice to be an Ace of Diamonds :)

Cheers!

14/08/15 Challenge

Win a $50 Amazon Gift card with an XSS challenge

I’m a big fan of XSS, and to make my new website more visible to the infosec guys I’m offering two Amazon gift cards.
The first correct solution will get a $50 Amazon Gift card. The second one will receive a $25 Amazon Gift card.

The rules are simple (like the challenge). Show an alert box in the following vulnerable code with a message containing the word xss.

<script>
// Deliberately vulnerable challenge code: the URL fragment is stripped of a
// few characters and then written into the page as HTML.
function go()
{
  var w = location.hash;                      // the "#..." part of the URL, user-controlled
  w = w.replace(/['", ]+/g, "");              // removes single quotes, double quotes, commas and spaces
  document.getElementById("say").innerHTML = w.substring(0,26);  // first 26 chars parsed as HTML
}
</script>

<div id="say"></div>

<a onclick="go()">Say it</a>

Rules:

  • You can’t use some of the chars represented in the w.replace line of code
  • You can only use Chrome, Firefox, Opera, Internet Explorer or Safari latest versions
  • XSS vector must be less or equal to 26 chars long
  • When commenting your entry use the [ code]code[ /code] to write your code (without the leading space)

The challenge will end on 19 August at midnight. All solutions must be added in this post’s comments.
All comments will be inactive until the challenge finishes.

UPDATE: I’ll give a bonus to the user who replies with the most creative XSS.

Good luck! Happy hunting :)
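To show why the character blacklist in the challenge code is not a defence, here is an added example of my own (not code from the post): the same filter re-implemented for Node, next to a hardened rendering path that escapes the result the way assigning it to textContent would. The function names and the escaping helper are my own assumptions; the two inputs are the winning entry quoted above and a constructed benign fragment.

```javascript
// Added example, not the challenge's own code: the go() filter re-implemented
// outside the browser so the vulnerable and hardened paths can be compared.

const MAX_LEN = 26; // the challenge's substring(0, 26)

// Exactly what go() does to location.hash before the innerHTML assignment:
// strip single quotes, double quotes, commas and spaces, then truncate.
function challengeFilter(hash) {
  const w = hash.replace(/['", ]+/g, "");
  return w.substring(0, MAX_LEN);
}

// Equivalent of what textContent (or a template engine's auto-escape) does:
// every character with HTML meaning becomes an entity, so no tag is parsed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable path: the filtered string is handed to innerHTML unchanged.
function renderUnsafe(hash) {
  return challengeFilter(hash);
}

// Hardened path: the identical filter, but the result is rendered as text.
// In the page this is:  document.getElementById("say").textContent = w.substring(0, 26);
function renderSafe(hash) {
  return escapeHtml(challengeFilter(hash));
}

// Cheap reviewer check on either output: is there still something the HTML
// parser would treat as the start of a tag?
function containsTag(s) {
  return /<[a-z]/i.test(s);
}

// Inputs: a constructed benign fragment and the winning entry from the post.
const benign = "#hello, 'world'";
const winner = "#<svg/onload=alert(`xss`)>";

for (const h of [benign, winner]) {
  const filtered = challengeFilter(h);
  console.log("input  :", h);
  console.log("filter :", filtered, "(" + filtered.length + " chars)");
  console.log("unsafe :", renderUnsafe(h), "tag?", containsTag(renderUnsafe(h)));
  console.log("safe   :", renderSafe(h), "tag?", containsTag(renderSafe(h)));
}
```

The point the output makes: the blacklist removes quotes, commas and spaces, but none of those characters is needed to form a tag (the winning entry uses `/` as the attribute separator and backticks instead of quotes, and is exactly 26 characters), so the filtered string reaches innerHTML intact. Escaping the value (or using textContent, which never invokes the HTML parser) neutralises it regardless of which characters the blacklist happened to catch.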

13/08/15 Bug Bounty, Interesting Readings

Interview to Tek Sapo about bug bounty

I was covered in a Portuguese article for Tek Sapo about my bug bounty activities, especially at Cobalt.io.

If you know Portuguese, feel free to take a look: http://tek.sapo.pt/expert/artigo/ha_um_portugues_no_top_de_um_dos_maiores_programas_de_caca_ao_bug-43785gpm.html

Otherwise, translate it with Google.

13/08/15 Interesting Readings

Data, Technologies and Security – Part 1

My Portuguese friends at BinaryEdge published the first part of an interesting article about big and critical data lying around the web.

Take a look at it @ http://blog.binaryedge.io/2015/08/10/data-technologies-and-security-part-1/
