David Sopas

web security researcher

David Sopas – Web Security Researcher
21/06/17 Meetings # ,

Speaker at C-Days 2017

Speaker at C-Days 2017

I was invited by AP2SI to represent them in this year C-Days event. I talked about “Hacking for fun and profit – bounty style” and the room was packed. It was a pretty cool event specially because I was able to join a couple of friends to trade some new ideas.

no responses
10/04/17 Donations , Inspiration , Life Style

Why working in application security makes me a better man?

In the last couple of years I was blessed with a good job at application security that made my life much easier. Above all things, I now have more opportunities to help others and provide my family and friends with small things that makes a lot of difference. Sometimes just being happy that day will contribute to the ones that surround you with a smile in their faces. It’s contagious 🙂

Last Sunday I received a warm hug from the lady who runs the animal local shelter. I delivered some food to feed their more than 400 cats and dogs – they really needed. That hug and sincere eyes of the lady made my week. I thought to my self – It’s just a little help but if everyone helps a little, the world will be a better place right?

In the past I tweeted that when I reached 3k reputation points at Cobalt.io I would donate $500 USD to a open-source security project. I got to that goal and donated to sqlmap project. Cobalt helped me on this and had more $500. 1k to a project that is maintained by only two developers. One of the replies I got from this was that I was a inspiration… That’s one of my life goals. To inspire more people to application security and to GIVE to others that need or deserve.

I really love what I do. Hacking is in my blood and without it I would be incomplete.
I have more than 10 years experience in application security and I’m still learning every single day. The day that I’ll stop learning I’ll quit for good.

no responses
11/01/17 Tips and Tricks # , , , ,

Meter HTML5 XSS filter bypass

I was playing around with some new HTML5 features and noticed a funny one.

Meter gives you a cool progress bar on-the-fly – https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meter

Immediately I thought about using it to bypass some WRONG blacklist tags XSS filter and add a event to it:

<meter onmouseover="alert(1)"

You can check it on https://jsfiddle.net/btksfbbx/

Nowadays this doesn’t make any advantage to a researcher because you can use arbitrary tags:

<sopas style=font-size:200px onmouseover=alert(1)>Sopas

Online – https://jsfiddle.net/thnwcjcx/

no responses
12/11/16 Bug Bounty , Meetings # , ,

BSides Lisbon – The way of the bounty

BSides Lisbon – The way of the bounty

Hey guys for those who want to download my presentation at BSides Lisbon you can do it right here.

Also you can watch the 50min video of the talk – https://www.youtube.com/watch?v=6cWHt-h78yY

I had lot’s of interesting questions at the end of the talk which showed me lots of interest in the bug bounty industry.

I also I would like to thank the BSides Lisbon organization because it was a awesome event. I met so many interesting people and got the opportunity to be with my great friends.
Awesome talks in both tracks and lot’s of networking and hacking on the lounge areas.

Next year I’ll be there again for sure!

no responses
24/10/16 Advisories , Bug Bounty

OLX and Adobe full-disclosures on HackerOne

OLX Stored XSS

Adobe Reflected XSS

I asked for full-disclosure of this reports so other users can learn something from it.
The OLX security report was also mentioned on a portuguese media site- Future Behind. If you know portuguese language feel free to read it.

no responses
17/08/16 Donations

Small donation to portuguese firefighters

Small donation to portuguese firefighters

This Summer my country – Portugal – is being devasted with wildfires in Portugal mainland and Madeira archipelago. More than 3000 firefighters made a huge effort to protect people and the forest. Most of them are volunteers so this is my small gift to them… I made a small donation to the local volunteers firefighters.

Thanks, you’re true heroes!

no responses
17/08/16 Bug Bounty , My Events # , , ,

BSides Lisbon 2016

Guys I’ll be a speaker at BSides Lisbon 2016 with the talk – “The way of the bounty”.
If you want to know some of my tips and secrets on bug bounty programs don’t forget to schedule in your calendar – 11th November.

no responses
05/08/16 Advisories , Bug Bounty , Interesting Readings

Latest work done

Latest work done

Just to give a small update on my work… I’ve been more active on my Twitter account so follow me to get the latest updates on my security work 🙂

Also here are some work I’ve done:

Regarding conferences I’ve been on Join 2016 @Braga presenting the talk “Hacking from Black to White”.

no responses
24/03/16 Advisories , Bug Bounty # , , , ,

Hey vendors, researchers are here to help

Hey vendors, researchers are here to help

Yesterday I was exchanging some messages on Twitter – specially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue.

In my experience I know what’s the feeling of trying to help a vendor and they ignore you or in some extreme cases even “inviting” you to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working in the same side against bad guys. The problem in this connection is trust.

Vendors don’t trust researchers.
Researchers are loosing trust on vendors.
We need to fix it.

I had a bad experience with lots of big IT companies. Specially the ones I usually use on their products. I don’t go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application.

In my opinion these are the main issues:

  • Lack of information on where to report a security issue
  • Security report gets lost in their support system
  • The vendor don’t reply back or just say it will be forward to the developing team
  • Vendor don’t update the security status
  • Researcher could even get threatened about the report

But not all vendors are like that. I already tried different approaches who seemed to work.

  1. Email the vendor giving them a small presentation telling who you are and ask for the right person to deal with a security threat
  2. After you got the email, try to schedule a online chat or even Skype meeting to establish some kind of trust between both parts.
  3. Talk about that you found, the consequences and a possible solution.

If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them.
You as a researcher have the responsibility to prepare the path and improve the communication between vendors.
Don’t give them hell! Give them trust!

Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about getting the researcher a feedback like:

We’re working on it. It will take some time, maybe weeks or months…

Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues.
It also happened to me in a private program for a popular online newspaper. I reported a security issue where a attacker could steal users information and they categorized as “Informative” and fixed it in a couple of days.
This type of situations are not good for the business. Vendors must respect the researchers and visa-versa.

Well this are my thoughts about this, feel free to share yours in the comments section.

For those who are interested about this topic I recommend watching the video of Kymberlee Price at Kaspersky Security Analyst Summit 2016.

no responses
1 2 3 4 5 6 10