Get a bounty on a WordPress blog

I would like to describe, step by step, my latest “appreciation program” reward for a security issue in a WordPress plugin. First things first – check whether the blog is in scope for the program. If it is, keep reading this article. If not, you can see my other tips about #bugbounty (here and here)…

Free online proxy using Bing Translator

This method is already known for many other services, such as Google Translator and other online tools. I don’t know whether I should consider this a security issue, so let’s call it a special Bing Translator feature 🙂 Using the Bing Translator service, anyone can use its IP addresses as a proxy. Malicious users could use this…

Free online tools to help your #bugbounty

I’m getting a few emails asking for tips on how to earn some bounties. Because I like to help others and I’m a believer in sharing knowledge 🙂 I wrote this small article about using the right online tools to earn some bucks on bounty programs. Most experienced bug hunters already know most of these tools…

A tip for bug hunters – Sell your service

As a bug hunter on Cobalt, HackerOne and BugCrowd I always try to do my best to give programs the information they need to understand the security report. Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like: “You guys don’t have an SPF header on your mail server. Check it…”

Yahoo! and other sites vulnerable to Open Redirect

A couple of Portuguese security researchers published an article about a vulnerability on LinkedIn and Yahoo! that allows a malicious user to redirect victims to other sites. The problem is/was located in a vulnerable version of Express, the Node.js web application framework. So with a simple modification of the URL you get an Open Redirect…

No parentheses allowed? location.hash is here

I came across a web application in a private bounty program that reflected my variable, xss, in the following code:

[code lang="js"]
var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); } catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);
[/code]

So what I tried next was to…

Tiny XSS vector

I needed a small XSS vector that could fit in a variable limited to 10 characters, for a private client, to show him that limiting the characters in a variable is not a security measure…

[code lang="js"]
central.push({ 'var1': 'INJECT_HERE' });
[/code]

After some attempts I was unable to find one, so I called for…