#android #pentest #training #bughunting
Let try to find bugs
(https://github.com/t0thkr1s/allsafe)— InsecureShop
(https://github.com/hax0rgb/InsecureShop)— OWASP: OMTG-Hacking-Playground
(https://github.com/OWASP/MASTG-Hacking-Playground)— Damn insecure and vulnerable App (DIVA)
(https://github.com/payatu/diva-android)— Damn-Vulnerable-Bank
(https://github.com/rewanthtammana/Damn-Vulnerable-Bank)— InjuredAndroid
(https://github.com/B3nac/InjuredAndroid)— Damn Vulnerable Hybrid Mobile App (DVHMA)
(https://github.com/logicalhacking/DVHMA)— InsecureBankv2
(https://github.com/dineshshetty/Android-InsecureBankv2)— sievePWN
(https://github.com/tanprathan/sievePWN)— Dodo vulnerable bank
(https://github.com/CSPF-Founder/DodoVulnerableBank)— Android security sandbox
(https://github.com/rafaeltoledo/android-security)— OVAA (Oversecured Vulnerable Android App)
(https://github.com/oversecured/ovaa)— SecurityShepherd
(https://github.com/OWASP/SecurityShepherd)— OWASP-mstg
(https://github.com/OWASP/owasp-mastg/tree/master/Crackmes)— Purposefully Insecure and Vulnerable Android Application (PIIVA)
(https://github.com/htbridge/pivaa)— VulnDroid
(https://github.com/mihir-shah99/VulnDroid)— FridaLab
(https://rossmarks.uk/blog/fridalab/)— Vuldroid
(https://github.com/jaiswalakshansh/Vuldroid)— DamnVulnerableCryptoApp
(https://github.com/DamnVulnerableCryptoApp/DamnVulnerableCryptoApp/)
#android #pentest #training #bughunting
I'm so glad to see that my work on ".DS_Store" parsing has finally landed on the Spider add-on of @zaproxy!
https://www.zaproxy.org/docs/desktop/addons/spider/#ds_store-files
When turned on, this option will tell the Spider to parse ".DS_Store" files inadvertently published on websites to find potential other hidden assets.
The code of the parser has been generated from a description of the ".DS_Store" file format that I made with Kaitai Struct years ago.
#security #bughunting #infosec
The early bird pricing for my training ends in one month!
https://www.blackhat.com/asia-23/training/schedule/index.html#bughunting-bootcamp-virtual-29840 #training #bughunting #securityresearch #blackhat
#training #bughunting #securityresearch #blackhat
Yes! Finally found the root cause for a long-standing bug in #openproject
https://community.openproject.org/projects/openproject/work_packages/44182/activity
#openproject #opensource #bughunting #cache #cleanup #rake #ruby #rails
We've spent weeks tracking down a bug at work. Turns out that SQL Server happily updates an index's "last changed" date before anything is committed, even if the transaction is rolled back. Madness! #SQLServer #BugHunting #SoftwareDev
#sqlserver #bughunting #softwaredev
I just submitted the last #bugbounty ticket of the year 2022. The past year has definitely been the year of logic flaws for me. #fuzzing definitely is not dead, but the fuzzing coverage being so great and memory safe languages getting more prominent it kind of leaves other types of vulnerabilities left, logic flaws being the most prominent. Caveat: This of course is just my personal experience, and YMMV depending on what you're poking at specifically.
#bugbounty #fuzzing #infosec #research #bughunting #vulnerabilities
No #bounty for me... the vendor pointed out (correctly) that the bug was noted in a previous report... though it was buried as a lower-priority and hadn't been fixed. I hope they now properly prioritize it as a "critical" fix now. On to the next! #bughunting #vulnerabilities #pentesting
#bounty #bughunting #vulnerabilities #pentesting
Bismuth’s YouTube content is fascinating if you’re interested in #SpeedRunning or #ReverseEngineering or #BugHunting.
His most recent video (https://youtu.be/beib_oYeaxE) is the final one in his series on the A Button Challenge, and I highly recommend you watch the whole series and definitely take a look at his other work on describing in wonderful detail how bugs are exploited in other games.
#speedrunning #reverseengineering #bughunting
Bismuth’s YouTube content is fascinating if you’re interested in #SpeedRunning or #ReverseEngineering or #BugHunting.
His most recent video (https://youtu.be/beib_oYeaxE) is the final one in his series on the A Button Challenge, and I highly recommend you watch the whole series and definitely take a look at his other work on describing in wonderful detail how bugs are exploited in other games.
#speedrunning #reverseengineering #bughunting
Hacking CDN Caching Servers - CDN cache poisoning write up by @bxmbn
Part1:
https://infosecwriteups.com/how-i-made-15-000-by-hacking-caching-servers-part-1-5541712a61c3
Part2:
https://infosecwriteups.com/how-i-made-16-500-hacking-cdn-caching-servers-part-2-4995ece4c6e6
#bugbountytips #bughunting #redteamingtips #pentesters #CachePoisoning #CDNSecurity
#bugbountytips #bughunting #redteamingtips #pentesters #cachepoisoning #cdnsecurity
What tools and services do people use when #bughunting and doing #exploitdev research on #email? Not touched on this at all yet and while i have found some python libs for crafting specific MIME headers im wondering if there is anything more advanced/mature/refined than me rolling it all myself?
Also, taking recommendations for #smtp services for testing, socketlab or mailgun look good and have pretty fleshed out APIs, any others?
#bughunting #exploitdev #email #smtp
New section in our wiki for people starting basic #bughunting and #hacking in Spanish https://man.sr.ht/~rek2/Hispagatos-wiki/documentos.md #bughunting #hacking
#HackingIsNotACrime #hispagatos #spanish
#bughunting #hacking #hackingisnotacrime #hispagatos #spanish
Warum man als #Mastodonadmin demnächst mal aktualisieren sollte... (Ich weis, ich habs schon re...tootet(?) aber hier nochmal:
@tinker
THANK YOU! Thats an interesting read.
@n3ll4 evtl willst du das auch lesen ;-) Könnte nützlich werden
https://infosec.exchange/@tinker/109348917460542876
#Mastodon #cybersec #infosec #bughunting #keepyourshituptodate
#mastodonadmin #mastodon #cybersec #infosec #bughunting #keepyourshituptodate
Lol, when a bunch of hackers migrate to new services, they tend to kick the tires a bit 😂.
Here, some hackers found a way to steal Mastodon passwords by manipulating the way Mastodon allows (and sidestepping the way Mastodon protects) HTML imbedded into posts.
It also highlights the ways that third party plugins (here Glitch, found on the Mastodon server infosec(dot)exchange and others) introduce interesting attack vectors that core maintainers don't initially control (thoughts go out to Wordpress).
The hackers then reported the issues to the Mastodon team and the Glitch team so they could issue security patches.
Big shoutout for finding/reporting the vuln:
Kudos to the Mastodon & Glitch teams for coordinating and issuing a timely security patch.
I expect we'll see a lot of more of these initially (this is good, means the website is getting more secure).
Takeaways:
Full writeup here: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
#infosec #WebAppPentesting #hacking #bughunting
Sta arrivando "Betti"! Il fumetto di Red Hot Cyber sulla Cybersecurity!
Red Hot Cyber, credendo che occorra trovare dei metodi non convenzionali per stimolare le persone verso la #consapevolezza al rischio e alla #cultura #hacker, ha realizzato la prima Graphic Novel di una collana, dal titolo: “#BettiRHC”.
2022!
Una guerra silenziosa per la conquista dei dati fa la prima vittima. Un semplice rettore di #università, creatore di un #software segreto in grado di cambiare radicalmente la #programmazione, muore in circostanze misteriose, lasciando nei guai la moglie Anna e la figlia Betti.
Per i pre ordini, potete registrarvi qua: https://lnkd.in/dfjWvQTc
SAVE THE DATE: GENNAIO 2023
#hackerhood #redhotcyber #ethicalhacking #hacking #hacker #community #bughunting #cybersecurity #infosecurity #fumetto #consapevolezza #comics
#comics #fumetto #infosecurity #cybersecurity #bughunting #community #hacking #ethicalhacking #redhotcyber #hackerhood #programmazione #software #università #BettiRHC #hacker #cultura #consapevolezza
RT @nullcon
😎Hey #Bughunters! @airtelindia Business Live Bug Hunting👉 We have sent out email to all selected participants
🎉Congratulations to all selected & Happy #BugHunting 8-9 Sep at Grand Hyatt, Goa
👊Go #secure
cc: @SushilSin
#BugHunters #bughunting #secure #NullconGoa2022 #infosec #bugbounty #airtel #telecom
Referenced link: https://www.adico.me/post/xss-in-gmail-s-amp4email
Discuss on https://discu.eu/q/https://www.adico.me/post/xss-in-gmail-s-amp4email
Originally posted by The Hacker News / @TheHackersNews@twitter.com: https://twitter.com/TheHackersNews/status/1555576004604997633#m
XSS in #Gmail's Amp4Email format.
https://www.adico.me/post/xss-in-gmail-s-amp4email
#infosec #pentesting #bughunting
via @wir3less2
#gmail #infosec #Pentesting #bughunting
RT @0xAsm0d3us@twitter.com
Bug Hunter Handbook: a book that contains lists of resources that will help bug bounty hunters with resources that are useful during their bug bounty journey.
https://gowthams.gitbook.io/bughunter-handbook/
#hacking #bughunting #cybersecurity
🐦🔗: https://twitter.com/0xAsm0d3us/status/1529101081082740736
#hacking #bughunting #cybersecurity