0xOPOSEC

$ whoami

miguel regala, full time freelancer, security researcher, part time traveler, half hacker, half mercenary, casabranca, noob surfer, gamer, bitcoin owner (rip savings)

DO YOU KNOW THE WAY

https://quizizz.com/join

 

919022

Question 1: $400

Question 2: $20

Question 3: $500

Question 4: $150

Question 5: $500

Question 6: $1,500

Question 7: $500

Question 8: $5,000

Question 9: $60

Question 10: $1,000

Question 11: $500

Question 12: $5,000

Question 13: $15,000

Question 14: $2,000

Question 15: $500

Question 16: $500

Question 17: $350

Some questions were followed by "Question x - example report" and "Question x - solution" slides (their contents were not captured in this export).

Total bounties paid:

  • $33,480

Meh

Winner?

1 - https://hackerone.com/reports/218287
2 - https://hackerone.com/reports/260648
3 - https://hackerone.com/reports/246995
4 - https://hackerone.com/reports/210331
5 - https://hackerone.com/reports/209223
6 - https://hackerone.com/reports/207042
7 - https://hackerone.com/reports/241008
8 - https://hackerone.com/reports/258117
9 - https://hackerone.com/reports/250243
10 - https://hackerone.com/reports/248693
11 - https://hackerone.com/reports/242213
12 - https://hackerone.com/reports/232174
13 - https://hackerone.com/reports/231460
14 - https://hackerone.com/reports/225243
15 - https://hackerone.com/reports/216379
16 - https://hackerone.com/reports/214763
17 - https://hackerone.com/reports/214087

Reference page:

Hidden easter egg?

  • Inspect image
  • https://s3.amazonaws.com/media-p.slid.es/uploads/441418/images/4540714/4_150.png

 

Other ways? ;)

[Chart: vulnerability classes plotted by business impact against complexity to find: XSS, CSRF, IDOR, HTTP headers, SSL cipher, CAPTCHA, manual SQLi, RCE. A brace marks part of the chart as "Low hanging fruit": if it falls here you shouldn't be looking for it.]

CSIRT

  • Computer Security Incident Response Team
  • e.g:

 

 


Reporting

  • Report actual vulnerabilities
  • Keep it simple, clear and concise
  • Check the scope
  • Include a working payload
  • Add screenshots
    • Sometimes a video PoC helps (upload it unlisted)
  • Be patient
    • Some reports take more than a year to resolve
  • CHECK THE SCOPE AGAIN
  • Don't be a jackass.
  • e.g. of a good report
  • H1 reference
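Since "check the scope" is the point the checklist repeats, here is an added example (not from the talk or from any program's tooling) of a small scope checker to run against every target before you submit. The policy entries and hostnames below are constructed for illustration; a real program's in-scope and out-of-scope lists come from its policy page, and explicit exclusions win over wildcards.

```python
# Added example, not code from the original slides: a scope checker for the
# "check the scope" step. The scope entries and hostnames are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Scope:
    in_scope: tuple[str, ...]
    out_of_scope: tuple[str, ...]


def _host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one scope pattern.

    '*.example.com' matches any subdomain (app.example.com, a.b.example.com)
    but not the apex 'example.com'; a plain name must match exactly.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def host_of(target: str) -> str:
    """Accept a bare hostname, host:port, or full URL and return the hostname."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse 'host:port/path' as a netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host


def in_scope(target: str, scope: Scope) -> bool:
    """Out-of-scope entries take precedence: programs list exclusions such as
    staging hosts precisely so that a wildcard does not swallow them."""
    host = host_of(target)
    if any(_host_matches(p, host) for p in scope.out_of_scope):
        return False
    return any(_host_matches(p, host) for p in scope.in_scope)


# Constructed sample policy for a hypothetical program.
EXAMPLE_SCOPE = Scope(
    in_scope=("*.example.com", "example.com", "api.example.net"),
    out_of_scope=("staging.example.com", "*.dev.example.com", "blog.example.com"),
)

if __name__ == "__main__":
    for t in ("https://app.example.com/login", "staging.example.com",
              "x.dev.example.com", "example.com", "api.example.net",
              "examplefoo.com", "notexample.com"):
        verdict = "IN SCOPE" if in_scope(t, EXAMPLE_SCOPE) else "out of scope"
        print(f"{t:35} -> {verdict}")
```

Run it with your own program's lists pasted into `Scope`; the suffix check deliberately requires the dot so that `notexample.com` is not swallowed by `*.example.com`.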

Thank you

🙇
