Hacking on Bug Bounties for Four Years

I have always highly valued transparency, especially in the bug bounty space. Bug bounty hunters around the world have submitted countless reports, covering the issues they discovered across many areas and using many techniques and methodologies. However, if you are an active bug bounty hunter and do not understand what programs expect or what they pay for, you are at a big disadvantage compared to those who do. Through this blog post I would like to shed some light on what bug bounty programs actually pay for.

The last blog post in this series was about four years ago: 120 days, 120 bugs. A lot has happened in those four years: moving to Europe for six months, travelling the Australian state expressway twice, winning a live hacking event, founding a company, and helping build an attack surface management platform with people I consider family.

Unlike the previous blog post, I did not set myself the goal of finding one bug a day. Instead, I hacked on bug bounties whenever time allowed. There were many months when I couldn't find anything, and I was often afraid when I evaluated myself as a hacker. I may be a good hacker, but I acknowledged that there is always a better hacker somewhere in the world, and as a very competitive person I decided to accept that.

I think it is a waste of time to work on bug bounties before you understand the basic application security attacks and vulnerabilities. Practice here and learn more.

If you're looking for a paid, broader resource, check out PentesterLab and practice there.

Through participating in bug bounties, Assetnote gained an understanding of what security teams really care about. This is why we can maintain a high reputation for the reports we submit whenever we find something.

The main motivation for this blog post is to educate the masses about what bug bounty programs pay for.

For example, did you know that you can submit a dangling EC2 IP (a subdomain pointing to an EC2 IP that the company no longer owns) without a full proof of concept? Programs are clearly grateful for this information, because they pay for it.
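Added example (not code from the original post): a defender-side check for the dangling-EC2-IP condition described above. It assumes a DNS zone export, an inventory of the public IPs the organisation still holds, and an excerpt laid out like AWS's published ip-ranges.json; all three are constructed placeholders, as are the prefixes and names in them.

```python
"""Dangling-EC2-IP check: flag DNS A records that point into AWS EC2 address
space at an IP the organisation no longer holds.

Added example, not code from the original post. All data below is constructed:
the ip-ranges excerpt mimics the layout of AWS's ip-ranges.json with made-up
prefixes, and the zone export and IP inventory are placeholders.
"""
import ipaddress
import json
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the shape of AWS ip-ranges.json (prefixes are
# documentation ranges, not real AWS allocations).
AWS_IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
    ]
})

# Constructed zone export. Only A records matter for the EC2-IP check;
# CNAMEs (e.g. to S3 or Heroku) belong to a separate takeover check.
ZONE_EXPORT = """\
app.example-corp.test.      300 IN A     203.0.113.10
old-beta.example-corp.test. 300 IN A     203.0.113.77
docs.example-corp.test.     300 IN A     198.51.100.5
www.example-corp.test.      300 IN A     192.0.2.9
legacy.example-corp.test.   300 IN CNAME old-beta.example-corp.test.
"""

# Constructed inventory: Elastic IPs / instance public IPs the organisation
# currently holds (in practice, the output of `aws ec2 describe-addresses`).
OWNED_PUBLIC_IPS: Set[str] = {"203.0.113.10", "198.51.100.5"}


def load_ec2_networks(ip_ranges_json: str) -> List[ipaddress.IPv4Network]:
    """Return only the EC2-tagged prefixes from an ip-ranges.json document."""
    data = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p.get("service") == "EC2"
    ]


def parse_zone_a_records(zone_text: str) -> Dict[str, str]:
    """Parse 'name TTL IN A address' lines; other record types are skipped."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            records[parts[0].rstrip(".")] = parts[4]
    return records


def in_ec2_space(ip: str, ec2_networks: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ec2_networks)


def find_dangling_ec2_records(zone_text: str, ip_ranges_json: str,
                              owned_ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (name, ip) pairs whose A record sits in EC2 space but whose IP is
    not in the inventory. Such an address can be re-allocated to any other AWS
    customer, which is exactly what makes the record dangerous.
    """
    ec2_networks = load_ec2_networks(ip_ranges_json)
    dangling: List[Tuple[str, str]] = []
    for name, ip in sorted(parse_zone_a_records(zone_text).items()):
        if in_ec2_space(ip, ec2_networks) and ip not in owned_ips:
            dangling.append((name, ip))
    return dangling


if __name__ == "__main__":
    for name, ip in find_dangling_ec2_records(ZONE_EXPORT, AWS_IP_RANGES_JSON,
                                              OWNED_PUBLIC_IPS):
        print(f"dangling: {name} -> {ip} (EC2 space, not in inventory)")
```

The www record is ignored because its IP falls in an S3 prefix, not EC2; the legacy CNAME is ignored because it is not an A record.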

Findings

Below are my findings from the past four years. The necessary information has been redacted, but from the titles you should be able to understand what kind of programs I have reported to.

Date | Bug | Bounty
2020-09-02 14:04:11 UTC | [Redacted] | $1,000.00
2020-07-16 18:39:22 UTC | Spring debug endpoints exposed on [Redacted] & heapdump reveals all secrets; account takeover via trace | $2,500.00
2020-06-30 22:54:07 UTC | [Redacted] blind SSRF via a billing API - access to internal hosts | $60.00
2020-06-10 13:53:43 UTC | Full account takeover via subdomain takeover on [Redacted] | $300.00
2020-06-10 13:24:10 UTC | Full account takeover via subdomain takeover on [Redacted] | $300.00
2020-06-10 13:21:57 UTC | Full account takeover via subdomain takeover on [Redacted] | $300.00
2020-06-08 14:28:05 UTC | Amazon S3 subdomain hijack - [Redacted] | $256.00
2020-06-08 05:29:58 UTC | [Redacted] Route53 hosted zone takeover | $500.00
2020-06-05 16:27:42 UTC | [Redacted] Cisco IP Conference Station CP-7937G admin panel exposed on the internet within the IP range | $400.00
2020-06-03 21:07:51 UTC | Pre-auth blind MSSQL injection affecting [Redacted] | $1,024.00
2020-06-03 14:18:24 UTC | Pre-auth MSSQL injection affecting [Redacted] | $1,024.00
2020-06-02 15:28:50 UTC | Pre-auth SQL injection affecting [Redacted] | $1,024.00
2020-06-02 15:26:58 UTC | RCE via arbitrary file write and path traversal on [Redacted] | $1,024.00
2020-06-02 15:25:08 UTC | RCE via arbitrary file write and path traversal on [Redacted] | $1,024.00
2020-05-18 10:12:38 UTC | [Redacted] Route53 hosted zone takeover | $1,000.00
2020-05-18 10:11:58 UTC | [Redacted] Route53 hosted zone takeover | $1,000.00
2020-05-18 10:06:22 UTC | [Redacted] Route53 hosted zone takeover | $1,000.00
2020-05-18 10:05:20 UTC | [Redacted] Route53 hosted zone takeover | $1,000.00
2020-05-11 18:47:54 UTC | [Redacted] Route53 hosted zone takeover | $100.00
2020-05-11 14:59:23 UTC | Subdomain takeover on [Redacted] (cookie disclosure -> account takeover) | $2,500.00
2020-05-11 14:31:18 UTC | Subdomain takeover on [Redacted] (cookie disclosure -> account takeover) | $2,500.00
2020-05-07 01:47:49 UTC | IDOR - view all [Redacted] metadata of [Redacted] | $1,000.00
2020-04-29 22:58:57 UTC | IDOR - view all [Redacted] | $4,000.00
2020-04-29 22:57:55 UTC | IDOR - view [Redacted] | $2,500.00
2020-04-24 18:19:23 UTC | Subdomain takeover of [Redacted] via Heroku | $300.00
2020-04-24 18:18:45 UTC | Subdomain takeover of [Redacted] via Heroku | $300.00
2020-04-23 19:45:04 UTC | [Redacted] horizontal brute force of [Redacted] accounts via the streaming registration function | $500.00
2020-04-22 17:44:29 UTC | IDOR - view all [Redacted] metadata of [Redacted] | $500.00
2020-04-22 17:42:51 UTC | IDOR - view [Redacted] of [Redacted] | $500.00
2020-04-22 17:42:06 UTC | IDOR - view all [Redacted] of [Redacted] [Redacted] | $500.00
2020-04-06 19:13:19 UTC | Facebook - [Redacted] payment | $5,000.00
2020-03-07 15:12:24 UTC | Access to QueryBuilder on [Redacted] and access to secrets | $3,000.00
2020-02-25 15:02:20 UTC | Subdomain takeover of [Redacted] via Amazon S3 | $750.00
2020-02-20 23:01:58 UTC | HTML injection in emails and possible template injection via the "Info" section of [Redacted] | $500.00
2020-02-18 14:45:40 UTC | [Redacted]/libs/granite/content/login.html admin brute force | $500.00
2020-02-15 12:24:57 UTC | Blind XSS via [Redacted] subscription | $500.00
2020-02-04 03:45:38 UTC | HTML injection in email when posting to [Redacted] | $700.00
2020-01-21 17:13:58 UTC | Ability to send malicious attachments (any name, any content type) to [Redacted] support staff via [Redacted] | $2,000.00
2020-01-15 11:41:59 UTC | [Redacted] no authentication required to view and delete terrace locks | $250.00
2019-12-12 16:25:11 UTC | [Redacted] webhook URL + object leaked in [Redacted] JavaScript | $3,000.00
2019-11-21 22:15:20 UTC | Screenhero JWT credentials from AWS & [Redacted] still working | $1,000.00
2019-10-17 13:44:23 UTC | [Redacted] RCE via IBM Aspera exploit leads to access to secure file storage | $1,000.00
2019-10-15 14:29:25 UTC | [Redacted] SSO bypass leads to access to internal documents and portals | $250.00
2019-10-11 18:07:51 UTC | Admin access to [Redacted] via guessable credentials | $1,500.00
2019-10-11 18:06:15 UTC | Third-party subdomain - [Redacted] EC2 IP no longer controlled by [Redacted] | $250.00
2019-09-30 16:56:50 UTC | Multiple server-side issues (SSRF, admin panel) affecting [Redacted] | $2,660.00
2019-09-25 22:10:00 UTC | UUID-based IDOR in [Redacted] allows reading the details of any [Redacted] | $1,000.00
2019-09-10 16:17:59 UTC | [Redacted] SSRF | $2,000.00
2019-09-03 15:28:36 UTC | [Redacted] SSRF | $17,900.00
2019-08-29 00:43:00 UTC | Whitelist bypass in the organisation signup flow of [Redacted] | $250.00
2019-08-09 05:15:44 UTC | [Pre-submission] SSRF in [Redacted] (iframely) | $2,970.30
2019-07-29 16:32:59 UTC | [Bypass] SSRF via [Redacted] leads to internal network access and reading of internal JSON responses | $23,000.00
2019-07-24 02:52:42 UTC | phpinfo exposed on [Redacted] | $100.00
2019-07-24 02:46:02 UTC | SSRF in [Redacted] leads to AWS compromise via security credentials | $5,000.00
2019-07-08 14:44:23 UTC | Remote command execution (via TSI parameters) in production [Redacted] - CVE-2017-12611 | $2,000.00
2019-06-12 17:42:53 UTC | Aspera and other leaked private usernames/passwords in [Redacted] | $1,500.00
2019-06-12 17:42:08 UTC | SSO/authentication bypass for APIs hosted in [Redacted] | $1,500.00
2019-06-12 14:45:09 UTC | Remote code execution (multiple endpoints) - [Redacted] | $4,500.00
2019-06-10 17:29:35 UTC | Export all drivers' emails, DOBs, full addresses, federal tax IDs and other PII on [Redacted] | $1,800.00
2019-06-10 16:53:22 UTC | Retrieve [Redacted] customer email and mobile via lead ID via API | $12,600.00
2019-06-10 16:52:40 UTC | Ability to export all opportunities (IDOR) - customer PII on [Redacted] | $12,600.00
2019-06-07 18:51:24 UTC | [Redacted] [IDOR] - access all accounts via a regressed vector / re-exploitation of [Redacted] (regression?) | $2,500.00
2019-06-07 18:17:31 UTC | Blind SSRF in [Redacted] via RPC call to checkAvailableLiveChatagents | $62.50
2019-06-07 18:07:22 UTC | HTML injection in email when adding a reviewer on [Redacted] | $125.00
2019-06-07 17:42:09 UTC | [IDOR] view employee [Redacted] via /API/readhandler on [Redacted] | $1,500.00
2019-06-07 15:33:31 UTC | Export mobile number and [Redacted] using only an email address for any [Redacted] | $750.00
2019-06-07 14:36:01 UTC | IDOR in opportunities / [Redacted] | $125.00
2019-06-07 14:24:15 UTC | Export mobile number and [Redacted] using only an email address for any [Redacted] user | $750.00
2019-06-07 14:11:20 UTC | HTML injection into [Redacted] receipt when printed from [Redacted] | $100.00
2019-06-07 13:56:46 UTC | Ability to access AirWatch admin panel and API on [Redacted] | $1,000.00
2019-06-07 13:21:31 UTC | IDOR in [Redacted] allows access to [Redacted] information of any [Redacted] user | $250.00
2019-06-07 10:13:20 UTC | [Redacted] [IDOR] - access all accounts via a regressed vector / re-exploitation of [Redacted] (regression?) | $15,000.00
2019-05-22 19:33:27 UTC | SQLi and ID bypass in [Redacted] | $4,500.00
2019-04-29 14:14:42 UTC | Reflected XSS in [Redacted] | $500.00
2019-04-29 14:14:29 UTC | [Redacted] SSRF | $1,500.00
2019-04-25 07:33:22 UTC | Local file disclosure via Rails CVE-2019-5418 on [Redacted] | $100.00
2019-04-19 02:28:54 UTC | SSRF in [Redacted] | $4,950.00
2019-04-19 02:28:35 UTC | SSRF on [Redacted] via the 'url' parameter | $4,950.00
2019-03-29 11:23:14 UTC | [Redacted] leaks AWS S3 secrets, giving attackers access to [Redacted] | $364.50
2019-03-27 18:41:51 UTC | Subdomain takeover of [Redacted] via Heroku | $750.00
2019-03-20 17:08:11 UTC | Reflected XSS in [Redacted] | $500.00
2019-03-18 17:29:00 UTC | Reflected XSS in [Redacted] | $500.00
2019-03-18 17:28:49 UTC | Reflected XSS in [Redacted] | $500.00
2019-03-18 17:28:35 UTC | [Redacted] leaked CVS repo containing usernames and passwords | $750.00
2019-03-18 15:35:10 UTC | [Redacted] form leaks usernames and passwords for [Redacted]/Wowza streaming servers | $500.00
2019-03-15 15:08:35 UTC | Extract any [Redacted] PIN code in bcrypt, associated phone numbers and emails | $5,000.00
2019-03-14 17:51:32 UTC | Multiple IDORs in [Redacted] | $500.00
2019-03-14 17:51:18 UTC | Multiple persistent XSS vulnerabilities in [Redacted] | $1,000.00
2019-03-14 17:51:02 UTC | Authentication bypass in [Redacted] allowing full access for anonymous users (including private streams) | $1,000.00
2019-03-14 17:50:45 UTC | Slack webhook token leaked in JavaScript on [Redacted] | $500.00
2019-03-11 23:06:12 UTC | Ability to send emails from verified [Redacted] with any subject + HTML | $900.00
2019-03-04 21:58:43 UTC | Subdomain takeover of [Redacted] via WP Engine | $500.00
2019-03-04 19:04:59 UTC | Extract any [Redacted] PIN code in bcrypt, associated phone numbers and emails | $500.00
2019-02-22 18:41:36 UTC | [Redacted] | $8,000.00
2019-02-13 17:59:01 UTC | Ability to close any [Redacted] using the [Redacted] identifier | $8,000.00
2019-02-07 00:05:37 UTC | HTML injection into [Redacted]'s write stream on [Redacted] | $500.00
2019-01-30 16:59:57 UTC | [Redacted] VHOST header hopping gives access to MSSQL DB explorer | $1,900.00
2019-01-30 16:14:57 UTC | [Redacted] RCE via ObjectStateFormatter deserialization | $4,000.00
2019-01-30 16:13:00 UTC | [Redacted] zip file on webroot containing all source code and database | $3,000.00
2019-01-29 21:52:20 UTC | [Redacted] multiple reflected XSS | $500.00
2019-01-29 17:54:05 UTC | Sensitive data in debug file on [Redacted] | $100.00
2019-01-23 16:09:32 UTC | Git repo publicly accessible on many subdomains of [Redacted] and [Redacted] | $600.00
2019-01-22 23:02:09 UTC | Critical: product access to all [Redacted] admins and employees - access to all email UUIDs and administrative actions | $4,500.00
2019-01-07 21:02:45 UTC | SSRF via [Redacted] leading to internal network access, ability to read internal JSON responses | $23,000.00
2018-12-06 15:58:56 UTC | Reflected XSS in [Redacted]/pay/alipay/wap.php | $400.00
2018-12-06 15:37:27 UTC | Reflected XSS via the `http_referer` parameter in the [Redacted] JavaScript environment | $400.00
2018-11-30 15:35:15 UTC | Django debug mode enabled leads to Postgres password leak on [Redacted] | $500.00
2018-11-30 15:20:07 UTC | Ability to upload SWF files to [Redacted] via CKFinder | $400.00
2018-11-30 15:08:41 UTC | [Redacted] discloses sensitive information leading to access to customer data via API | $800.00
2018-11-30 13:46:33 UTC | [Redacted] Newsroom (China) CMS source code leaked on GitHub, including WeChat secret - leads to RCE on subscriber machines | $200.00
2018-11-29 17:41:02 UTC | Whitelist bypass in the organisation signup flow of [Redacted] | $500.00
2018-11-29 15:29:00 UTC | [Redacted] blind MSSQL injection | $2,000.00
2018-11-28 15:02:39 UTC | [Redacted] reveals Alipay merchant RSA private key | $200.00
2018-11-21 16:58:25 UTC | [Redacted] allows recursive retrieval of [Redacted] UUIDs | $1,000.00
2018-11-20 22:19:04 UTC | [Redacted] API allows unauthenticated users to send messages to [Redacted] Slack | $100.00
2018-11-15 10:13:13 UTC | [Redacted] externally exposed MSSQL server reveals large amounts of data + local file read | $400.00
2018-11-02 20:18:53 UTC | [Redacted] ability to set your own order prices | $1,500.00
2018-10-24 14:40:13 UTC | Arbitrary file upload leading to persistent XSS in [Redacted] | $400.00
2018-10-24 10:36:13 UTC | Extract [Redacted] details (name, openid, unionid, mobile, nickname, state, city, gender, day of week) for any user via [Redacted] | $400.00
2018-10-22 14:26:23 UTC | Critical: product access to all [Redacted] admins and employees - access to all email UUIDs and administrative actions | $500.00
2018-10-12 18:56:47 UTC | [Redacted] unauthenticated XXE in /OA_HTML/lcmServiceController.jsp | $166.67
2018-10-06 18:26:10 UTC | [Redacted] PhantomJS SSRF response fully readable via AWS | $500.00
2018-09-30 00:29:08 UTC | [Redacted] multiple issues (SSO bypass, Git repository with employee credentials and broken application logic) | $2,000.00
2018-09-03 09:55:32 UTC | Multiple instances of MSSQL injection on [Redacted] - 30 databases accessible | $5,000.00
2018-09-03 09:15:04 UTC | [Redacted] /cms/Handler/kvimupload.ashx RCE via arbitrary file upload | $3,000.00
2018-09-03 09:13:37 UTC | [Redacted]/STAFF/CMS/Handler/Toolsupload RCE via arbitrary file upload | $3,000.00
2018-09-03 09:03:06 UTC | MSSQL injection via [Redacted] /ninCentive/report.aspx | $2,000.00
2018-08-30 17:52:47 UTC | [Redacted] directory listing exposes Russian [Redacted] PII and internal documents / discovery ride deck | $1,000.00
2018-08-28 07:07:34 UTC | Highly confidential repo containing [Redacted] application source and database, more than 700 emails leaked | $800.00
2018-08-20 13:01:40 UTC | Server variables leak on [Redacted] /servar.asp, allowing theft of httponly cookies | $400.00
2018-08-14 17:08:24 UTC | Third-party subdomain - [Redacted] EC2 IP no longer controlled by [Redacted] | $62.50
2018-08-13 18:25:52 UTC | DOM-based XSS on [Redacted] | $125.00
2018-08-12 07:04:32 UTC | [First 30] [Redacted]/Handle_pasted_images blind SSRF | $375.00
2018-08-10 06:36:30 UTC | [First 30] Publicly accessible CA and secrets.enc files for VPN - [Redacted] | $1,250.00
2018-08-10 02:11:48 UTC | [First 30] Subdomain takeover of [Redacted] | $1,555.00
2018-08-09 08:08:16 UTC | Knowing the UUID of any [Redacted] user, retrieve profile information and metadata (email, payment, account type, associate) | $1,000.00
2018-08-09 07:39:29 UTC | Ability to brute force any [Redacted] panel user without restrictions | $500.00
2018-08-09 05:56:38 UTC | UUID (including internal employee transfer code) and [Redacted] employee UUID (including payment profiles) | $1,000.00
2018-08-09 05:49:26 UTC | Knowing the UUID, download any [Redacted] user's payment profile and confidential information | $1,000.00
2018-08-09 05:47:46 UTC | Knowing the UUID of any [Redacted] user, retrieve profile information and metadata (email, payment, account type, associate) | $2,000.00
2018-07-26 16:21:23 UTC | XSS in JPlayer.swf in the [Redacted] S3 bucket of [Redacted] | $250.00
2018-07-19 18:46:43 UTC | [Redacted]/API/UTILS/Postbase XSS via sign-up | $300.00
2018-07-11 22:48:23 UTC | (Dynamic) IDOR in `/API/[Redacted]` via [Redacted] | $500.00
2018-07-11 22:44:36 UTC | [Redacted] ability to enumerate [Redacted] via `/API/[Redacted]` | $2,000.00
2018-07-06 06:53:19 UTC | Large number of [Redacted] registered users accessible without authentication on the incentive admin panel | $800.00
2018-07-06 06:47:06 UTC | RCE on [Redacted] via arbitrary file upload | $3,000.00
2018-07-06 06:40:07 UTC | Authentication bypass leading to admin access to [Redacted]/LocationCms/ (can modify/delete/add) | $800.00
2018-07-06 06:31:23 UTC | [Redacted] /locationCMS/template/storelist.aspx MSSQL injection | $2,000.00
2018-07-02 12:08:16 UTC | Serious issues on [Redacted] (database credentials, source code of the entire application and SQLi) | $800.00
2018-06-28 20:17:38 UTC | Export the payment method (email or last four digits) used via [Redacted] | $500.00
2018-06-22 15:48:11 UTC | [Redacted] API `/API/UTILS/Download-File` leads to internal access to assets | $3,250.00
2018-06-22 15:47:31 UTC | [Redacted] API `/API/Partner/[Redacted]` multiple full SSRFs leading to internal access to [Redacted] | $625.00
2018-06-16 19:14:30 UTC | Post on Facebook [Redacted] | $500.00
2018-06-16 17:56:17 UTC | Post on Facebook [Redacted] | $4,000.00
2018-06-16 17:55:00 UTC | Post on Facebook [Redacted] | $5,000.00
2018-06-16 15:54:20 UTC | Post on Facebook [Redacted] | $500.00
2018-06-16 15:10:50 UTC | Post on Facebook [Redacted] | $500.00
2018-06-16 14:56:58 UTC | Post on Facebook [Redacted] | $500.00
2018-06-16 14:38:05 UTC | Post on Facebook [Redacted] | $3,000.00
2018-06-16 13:47:59 UTC | Post on Facebook [Redacted] | $5,000.00
2018-06-16 13:27:27 UTC | Post on Facebook [Redacted] | $500.00
2018-06-13 21:24:58 UTC | [Redacted].zendesk.com Zendesk admin credentials via [Redacted] | $2,250.00
2018-06-13 21:21:41 UTC | Ability to receive support calls for another store's [Redacted] ID using the ID of [Redacted] | $1,500.00
2018-05-31 13:02:19 UTC | Incorrect CloudFlare implementation on [Redacted] | $500.00
2018-05-26 17:51:18 UTC | [Redacted] SSRF allows access to internal host [Redacted] | $1,000.00
2018-05-26 16:52:38 UTC | Stored XSS in the role dialog of [First 30] - [Redacted] | $1,206.00
2018-05-26 13:59:34 UTC | [Redacted] SSRF allows access to internal host [Redacted] | $1,728.00
2018-05-26 12:40:45 UTC | [First 30] - [Redacted] EC2 IP no longer controlled by [Redacted] | $216.00
2018-05-26 11:45:03 UTC | Stored XSS in the role dialog of [First 30] - [Redacted] | $125.00
2018-05-26 09:10:39 UTC | Ability to brute force the current user's password without lockout using an active session | $125.00
2018-05-25 13:34:24 UTC | [Redacted] brute-forceable [Redacted] via Cisco 3750 - telnet/ssh/http | $250.00
2018-05-25 13:33:35 UTC | Two WordPress admin panels on WP Engine for [Redacted] [Redacted] | $400.00
2018-05-23 21:59:17 UTC | Secrets (sessions) such as AWS secret keys leaked on [Redacted] | $500.00
2018-05-02 12:35:46 UTC | Server-side source code disclosed on [Redacted] | $250.00
2018-04-20 13:29:13 UTC | Exposed RabbitMQ admin panel found on [Redacted] | $250.00
2018-04-11 22:41:51 UTC | Multiple vulnerabilities in the Russian [Redacted] Telegram bot API leading to critical [Redacted] data exposure | $3,750.00
2018-04-05 21:07:29 UTC | [Redacted] API vulnerabilities requiring no authentication, leading to AWS cloud data and user data exposure (20,000 staff details leaked) | $15,000.00
2018-04-05 21:06:52 UTC | Postgres SQL injection in [Redacted] potentially leading to AWS cloud account takeover | $15,000.00
2018-03-23 22:29:19 UTC | Secrets from Config/Secrets/Secrets.json found on [Redacted] (CloudFront credentials, private key, server settings) | $9,500.00
2018-03-22 15:33:20 UTC | Django admin panel exposed on [Redacted] | $250.00
2018-03-16 17:32:47 UTC | Multiple vulnerabilities in the Russian [Redacted] Telegram bot API leading to critical [Redacted] data exposure | $500.00
2018-03-09 17:01:55 UTC | Any origin trusted when performing an authenticated API call on [Redacted] | $250.00
2018-03-09 16:58:16 UTC | Exposed Django admin panel @ [Redacted] | $750.00
2018-03-02 12:53:11 UTC | Exposed Django admin panel @ [Redacted] | $750.00
2018-03-02 12:48:41 UTC | [Redacted] subdomain takeover - [Redacted] Amazon S3 bucket unclaimed | $500.00
2018-02-28 22:48:14 UTC | Multiple SQL injection vulnerabilities in [Redacted] | $2,500.00
2018-02-20 02:34:49 UTC | Secrets from Config/Secrets/Secrets.json found on [Redacted] (CloudFront credentials, private key, server settings) | $500.00
2018-02-06 17:40:24 UTC | Django P2P refiner admin panel located @ [Redacted] | $250.00
2018-02-06 17:34:27 UTC | [Redacted] subdomain takeover | $4,000.00
2018-01-31 23:17:37 UTC | Takeover of [Redacted] and [Redacted] subdomains via Azure VM | $4,000.00
2018-01-31 14:59:44 UTC | AWS credential disclosure via SSRF in Atlassian Confluence [Redacted] | $2,500.00
2018-01-24 15:11:23 UTC | Test scripts for PHP and phpMyAdmin publicly accessible at [Redacted]:81 | $200.00
2018-01-05 07:00:59 UTC | Exposing AWS keys via SSRF in [Redacted] leads to privileged AWS access | $10,000.00
2018-01-04 13:05:48 UTC | Takeover of [Redacted] domains/subdomains via Azure | $400.00
2018-01-04 13:04:15 UTC | [Redacted] points to an IP address that no longer belongs to [Redacted] | $200.00
2017-12-27 16:15:40 UTC | [Redacted] ability to extract all UUIDs, emails and first names of users via queries | $20,000.00
2017-12-11 17:46:11 UTC | HTML injection via email in the company name of [Redacted] | $500.00
2017-12-11 17:41:39 UTC | Persistent XSS on [Redacted] via subdomain hijacking | $500.00
2017-11-28 15:57:33 UTC | Unable to subscribe to [Redacted].s3.amazonaws.com due to incorrect S3 ACL | $400.00
2017-11-24 11:32:26 UTC | ELMAH exposed on [Redacted], exposing usernames, session details and sensitive information | $800.00
2017-11-21 00:48:14 UTC | [Redacted] ability to extract all UUIDs, emails and first names of users via queries | $2,500.00
2017-11-14 18:30:11 UTC | [Redacted] ability to extract all UUIDs, emails and first names of users via queries | $500.00
2017-11-13 23:43:58 UTC | Persistent XSS on [Redacted] via subdomain hijacking | $500.00
2017-10-23 11:10:21 UTC | OpenVPN admin panel exposed on [Redacted] | $250.00
2017-10-02 23:33:44 UTC | Ability to brute force event forwarding codes without rate limiting on [Redacted] | $1,150.00
2017-08-29 16:33:52 UTC | [Redacted] | $5,000.00
2017-08-29 16:33:19 UTC | [Redacted] | $5,000.00
2017-08-29 16:32:25 UTC | [Redacted] | $1,500.00
2017-08-29 16:32:04 UTC | [Redacted] | 1. 0, 00 $
2017-08-29 16:31:24 UTC | [Redacted] | $500.00
2017-08-29 16:31:04 UTC | [Redacted] | $500.00
2017-08-29 16:30:45 UTC | [Redacted] | $500.00
2017-08-29 16:30:25 UTC | [Redacted] | $500.00
2017-08-29 16:30:05 UTC | [Redacted] | $500.00
2017-08-29 16:29:44 UTC | [Redacted] | $500.00
2017-08-29 16:29:22 UTC | [Redacted] | $500.00
2017-08-29 16:29:00 UTC | [Redacted] | $500.00
2017-08-29 16:28:34 UTC | [Redacted] | $500.00
2017-08-29 16:28:04 UTC | [Redacted] | $500.00
2017-08-29 16:27:16 UTC | [Redacted] | $100.00
2017-08-02 22:55:18 UTC | Source code disclosure in [Redacted] (including current MySQL DB credentials) | $1,500.00
2017-08-02 22:53:40 UTC | SQL injection in [Redacted]/job.php | $500.00
2017-07-28 12:58:25 UTC | SQL injection in https://[Redacted]/controls/pe/loaddata | $500.00
2017-07-20 01:18:15 UTC | Exposed [Redacted] statistics/admin panel | $500.00
2017-07-14 23:00:16 UTC | Access to Git repositories on QA machines of [Redacted] and [Redacted] reveals source code and production secrets | $100.00
2017-06-09 10:13:30 UTC | [Redacted] | $1,000.00
2017-06-05 09:42:55 UTC | Admin access via disclosure of credentials for a Grafana instance | -
2017-06-02 09:32:33 UTC | [Redacted] | $2,000.00
2017-05-12 11:20:10 UTC | [Redacted] | $2,000.00
2017-05-12 11:19:28 UTC | [Redacted] | $2,000.00
2017-05-12 11:18:36 UTC | [Redacted] | $2,000.00
2017-05-12 11:11:24 UTC | [Redacted] | $500.00
2017-05-12 11:09:23 UTC | [Redacted] | $400.00
2017-05-12 11:07:07 UTC | [Redacted] | $10,000.00
2017-05-04 00:25:09 UTC | [Redacted] | $300.00
2017-05-04 00:24:11 UTC | [Redacted] | $250.00
2017-05-04 00:22:00 UTC | [Redacted] | $500.00
2017-04-21 04:00:55 UTC | [Redacted] | $1,000.00
2017-04-21 04:00:00 UTC | [Redacted] | $1,000.00
2017-04-21 03:59:44 UTC | [Redacted] | $250.00
2017-04-21 03:57:58 UTC | [Redacted] | $600.00
2017-04-21 03:57:44 UTC | [Redacted] | $250.00
2017-04-21 03:57:26 UTC | [Redacted] | $1,500.00
2017-04-21 03:47:11 UTC | [Redacted] | $500.00
2017-04-18 12:51:50 UTC | [Redacted] | $9,500.00
2017-04-18 12:47:29 UTC | [Redacted] | $2,000.00
2017-04-17 23:09:26 UTC | [Redacted] | $9,500.00
2017-04-14 15:07:24 UTC | [Redacted] | $1,000.00
2017-04-14 03:13:46 UTC | [Redacted] | $250.00
- | [Redacted] multiple reflected XSS | $200.00
2017-04-14 03:08:36 UTC | [Redacted] | $500.00
2017-04-11 17:36:38 UTC | [Redacted] | $500.00
2017-03-30 00:53:31 UTC | [Redacted] | $500.00
2017-03-21 19:31:45 UTC | [Redacted] | $1,000.00
2017-03-03 11:03:03 UTC | [Redacted] | $250.00
2017-03-03 11:01:13 UTC | XSS enabled by WordPress vulnerability [Redacted] | -
2017-03-01 20:58:14 UTC | [Redacted] | $500.00
- | Ability to brute force event forwarding codes without rate limiting on [Redacted] | $500.00
2017-02-24 10:43:09 UTC | [Redacted] IIS short name disclosure vulnerabilities | -
2017-02-17 11:48:41 UTC | [Redacted] vulnerable to IIS short name disclosure | -
2017-02-17 11:46:10 UTC | [Redacted] brute force of the WordPress admin interface via XMLRPC | -
2017-01-24 00:05:33 UTC | [Redacted] | $3,000.00
- | Third-party subdomain - [Redacted] EC2 IP no longer controlled by [Redacted] | -
2017-01-19 23:07:35 UTC | Reflected XSS via FlashMediaElement.swf on [Redacted] | -
2017-01-17 23:24:01 UTC | [Redacted] | $1,800.00
2017-01-11 01:37:53 UTC | [Redacted] | $2,000.00
2016-12-23 21:02:39 UTC | [Redacted] | $3,000.00
2016-12-20 06:56:47 UTC | [Redacted] | $500.00
2016-12-16 10:46:58 UTC | [Redacted] | $250.00
2016-12-09 11:21:36 UTC | [Redacted] | $1,000.00
2016-12-09 11:20:18 UTC | Critical - performing administrative operations via identifiers on [Redacted] - manipulating leaderboards, etc. | -
2016-12-09 11:16:50 UTC | [Redacted] | $2,000.00
2016-12-09 11:15:00 UTC | [Redacted] subdomains pointing to EC2 instances owned by LucidPress (*.lucidpress.com) | -
2016-12-09 11:13:10 UTC | [Redacted] | $300.00
2016-12-09 11:13:10 UTC | [Redacted] | $3,000.00
2016-11-29 10:49:02 UTC | [Redacted] | $4,000.00
2016-11-29 10:48:37 UTC | Internal information disclosure | -
2016-11-28 14:10:40 UTC | [Redacted] | $1,000.00
2016-11-18 11:52:25 UTC | [Redacted] | $250.00
2016-11-18 11:49:29 UTC | [Redacted] | $750.00
2016-11-18 11:47:47 UTC | [Redacted] | $500.00
2016-11-07 18:18:41 UTC | [Redacted] | $750.00
2016-11-04 17:04:57 UTC | [Redacted] | $750.00
2016-11-04 16:50:25 UTC | [Redacted] | $750.00
2016-11-03 11:58:18 UTC | [Redacted] | $15,000.00
2016-10-31 15:46:05 UTC | [Redacted] | $750.00
2016-10-24 19:35:37 UTC | [Redacted] | $250.00
2016-10-13 17:25:36 UTC | [Redacted] | $250.00
2016-10-13 17:24:47 UTC | [Redacted] | $5,000.00
2016-10-13 17:22:22 UTC | [Redacted] | $3,000.00
2016-10-13 17:03:25 UTC | [Redacted] | $250.00
2016-10-10 23:49:06 UTC | [Redacted] | $2,000.00
2016-09-19 19:35:18 UTC | [Redacted] | $750.00
2016-09-13 20:44:44 UTC | Subdomain takeover of [Redacted] via Amazon S3 bucket | -
2016-09-07 18:03:11 UTC | [Redacted] | $250.00
2016-09-04 00:38:19 UTC | [Redacted] | $200.00
2016-09-01 21:21:44 UTC | [Redacted] | $1,000.00
2016-08-31 20:32:42 UTC | [Redacted] | $1,000.00
2016-08-31 12:56:29 UTC | [Redacted] | $1,000.00
2016-08-31 01:33:12 UTC | [Redacted] | $2,000.00
2016-08-30 18:00:10 UTC | [Redacted] | $1,000.00
2016-08-29 16:15:09 UTC | [Redacted] | $100.00
2016-08-23 17:06:26 UTC | [Redacted] | $500.00
2016-08-23 15:43:27 UTC | [Redacted] | $100.00
2016-07-30 13:56:21 UTC | [Redacted] | $1,000.00
2016-07-26 20:35:16 UTC | [Redacted] | $100.00
2016-07-25 21:01:07 UTC | [Redacted] | $1,000.00
2016-07-14 01:27:21 UTC | [Redacted] | $250.00
2016-07-14 00:40:57 UTC | [Redacted] | $3,000.00
2016-07-14 00:29:42 UTC | Internal information disclosure | -
2016-07-11 14:18:03 UTC | [Redacted] subdomain takeover | -
- | Subdomain takeover of [Redacted] via Heroku | -
2016-07-04 02:13:59 UTC | Third-party subdomain - [Redacted] EC2 IP no longer controlled by [Redacted] | -
- | [Redacted] subdomain takeover | $200.00
2016-06-24 19:06:43 UTC | [Redacted] subdomain takeover | -
2016-06-17 10:15:30 UTC | Remotely brute-forceable MySQL connection to [Redacted] | -
2016-06-13 15:22:23 UTC | [Redacted] | $3,000.00
2016-06-03 10:22:34 UTC | [Redacted] | $100.00
2016-06-03 10:21:53 UTC | [Redacted] | $100.00
2016-05-20 12:41:34 UTC | [Redacted] | $1,000.00
2016-05-18 18:18:11 UTC | [Redacted] | $100.00
- | Third-party subdomain - [Redacted] EC2 IP no longer controlled by [Redacted] | $100.00
2016-05-13 10:09:19 UTC | [Redacted] | $500.00
2016-05-13 10:08:42 UTC | [Redacted] | $1,000.00
2016-05-06 10:00:26 UTC | [Redacted] | $750.00
2016-05-06 09:58:21 UTC | [Redacted] | $250.00
2016-04-26 09:47:31 UTC | [Redacted] | $3,000.00
Analysis

The exact amount after adding up all the payments in the table above is $635,387.47 over 1590 days (4 years and 4 months). This number covers only a single platform; bounties I submitted on other platforms are not counted in this blog post. I report most of my bugs to programs on HackerOne.

If you divide this amount by the number of days, you can immediately see that it averages out to about $400 per day. If you work as a highly paid consultant you would have earned that amount or more, but the difference is that I earned all of it on my own terms.

In the table above, there were at least 62 bugs that came directly from automation. That is equivalent to 18% of the total number of bugs I reported in the past four years. This is a very interesting data point, and it proves that automation is one of the aspects of successfully finding security issues. These companies paid a considerable amount of money to lock down their attack surface. While earning that money and learning new techniques along the way, we built as many of those workflows, techniques, tools and methodologies as possible into AssetNote. By turning bug bounty work into a viable business product, we succeeded in establishing ourselves as an important player in the attack surface management field.

Most of the bugs were only possible thanks to automated asset discovery, but they still needed manual inspection and exploitation. Large-scale asset discovery has been an important pillar of my success. In terms of critical findings, there were 24 SQL injections, 22 SSRFs, 20 IDORs and at least 11 RCEs.
Collaboration

Over four years of hacking on Uber I was able to understand their architecture and development practices deeply, and came up with a methodology for approaching their assets. This has been an absolute key to my success, and other successful bounty hunters should also have a concrete way of approaching a program. When it comes to hacking, every company is different. In the last four years I have worked with a lot of people (in no particular order) and learned a lot from them:

I found a host and threw every technique I had at it. Around that time, research was published showing that if you had the machine key, it was possible to achieve RCE through the ViewState parameter via insecure deserialization. I asked Andre to help me, and he not only succeeded in leaking the machine key, but also became one of the first people to create a tool to exploit this vulnerability.

Joel - We worked together on Facebook, exploiting an XXE in a vendor product. I asked Joel for help reversing a vendor product that Facebook was running on a corporate domain.

I couldn't figure out why my exploit wasn't working. Joel's experience with Java was key to our success here. He went through the jar files, created an IntelliJ project and fixed all the errors so that it would build. Then we stepped through it together, fixing the exploit step by step.

Naffy - Yahoo. Helped me understand that the best approach to an attack surface is persistence. I've known Naffy for almost 10 years now, and the biggest thing I've learned from him is that anything can be broken with enough time and effort. In the early days of bug bounties, Naffy dominated the leaderboard of Yahoo's bounty program.

What Naffy taught me is that with enough persistence and time, things will break, and you need to be observant to take advantage of that.

Sean - We've done countless things together. When we got into a tough spot, struggling to solve a problem because of technical complexity or a lack of knowledge, Sean helped drive the proof of concept and the development work. Sean has been great at translating high-risk security issues into automation, which has led to many of the vulnerabilities we have discovered together.


Oscar - I worked a lot with Oscar on bounties during my time at Bishop Fox.

I used to talk to Oscar almost every day when I was at Bishop Fox. Oscar played a big role in showing me how to improve the speed of DNS brute forcing.

While working with him, I found him to be incredibly energetic and above all a good human being. He contributed to many bounty successes while I worked at Bishop Fox.

Huey - We perfected my methodology together at Uber

JavaScript sourcemaps are a great way to better understand the internals of a client-side application. I now look for sourcemap files whenever I find a JavaScript file, and that's because of Huey.

At Uber, we used sourcemap files to better understand the GraphQL queries and API endpoints used by the Uber app, and then leveraged them further. Huey helped me understand JavaScript better.

Anshuman - We tested source code together at a PayPal Live Hacking event.

At a recent live hacking event, we got hold of the source code of a CMS called PencilBlue that was being used by a particular target. Together we went through the source code, each attacking different parts of the application, and bonded over how quickly we were able to approach the target.

Reece - Helped me turn stolen secrets into account takeovers

At a live hacking event, I discovered a Google cached page leaking credentials such as secret keys. A development asset that printed all of the environment's variables and secrets in plain text had been proxied through ngrok, and Google was able not only to index it but also to cache it with all the secrets.

After pulling these secrets from the cached copy, I asked Reece to help me prove the impact. Sure enough, without any user interaction, he turned the tokens I had obtained into an account takeover. Reece is also a very switched-on person. He won Miles' live hacking event.

Matthias - We used WebPagetest to gain access to Mozilla's internal AWS network. Read more about our collaboration in the AssetNote blog post.

There are more people I've worked with over the years who I can't recall right now. What I want to say is that collaboration is really important to growth and success in bug bounties.

Also, don't ask someone to exploit something for you. In all the cases above, the collaboration succeeded because the initial triage had already been done. There was always an initial foundation and proof of concept, shared on the basis of trust, that led to working together on the actual problem. Don't expect people to exploit things for you without presenting at least half of the exploit chain and a proof of concept.

Methodology

As I mentioned earlier in this post, my methodology still focuses on identifying the assets an organization owns on the Internet.

The speed of asset identification and content discovery has improved significantly. This is also due to a fundamental shift in the security scene from writing tools in Python to writing them in Golang and Rust.

We take advantage of this trend at AssetNote, and the main components of our platform, such as our in-house DNS resolver, were rewritten and optimized by Huey.

Something I've noticed about attack surface analysis is the value of extracting and presenting information in a way that emphasizes relationships. For example, the output of most of the faster DNS tools is the worst. The following is how TRACERTEA presents DNS data:

[Listing garbled in the source: one line per hostname showing the source name, the names it chains through, and the resolved IP, in the form shopify.com -> shopify.com -> 23.227.…]

If you look at thousands of assets at once, you have no idea how much of a difference this optimization makes. With DNS data presented this way, the relationship between source and destination can be identified immediately.

It's surprising that something this simple has had such a big impact on me, but the same is true for color coding when displaying content discovery results. Most tools are still inadequate in this area, and anyone who has had to spend time going through thousands of content discovery results will quickly get bored. In the end I spend a lot of time looking for a needle in a haystack, but thanks to color coding it has become much easier.
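As an added illustration of the relationship-oriented DNS view described above (this is example code written for this page, not the post's or AssetNote's tooling), the script below takes flat, unordered bulk-resolver records and rebuilds the source -> CNAME chain -> destination path for each in-scope host. The "name TYPE value" line format and all sample records are constructed for the example.

```python
# Added example (not from the original post): turning flat bulk-resolver output
# into the relationship view described above: source -> CNAME chain -> destination.
# The "name TYPE value" line format and all sample records are constructed.
from collections import defaultdict

# Constructed resolver output: records arrive unordered, so the path from a
# hostname to the IP it finally lands on is not obvious at a glance.
RAW_RECORDS = """\
shop.example.com. CNAME shops.myshopify.com.
api.example.com. A 203.0.113.10
shops.myshopify.com. A 198.51.100.7
www.example.com. CNAME shop.example.com.
old.example.com. CNAME ec2-203-0-113-99.compute-1.amazonaws.com.
api.example.com. A 203.0.113.11
"""

def parse_records(text):
    """Return {name: [(type, value), ...]} with trailing dots stripped."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = (p.rstrip(".") for p in parts)
        records[name].append((rtype, value))
    return records

def resolve_chain(name, records, max_hops=10):
    """Follow CNAMEs from name and return (chain_of_names, final_ips). A chain
    with no IPs means the last name did not resolve: a dangling CNAME worth a look."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rrs = records.get(chain[-1], [])
        ips = sorted(v for t, v in rrs if t == "A")
        if ips:
            return chain, ips
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames or cnames[0] in seen:  # dead end or CNAME loop
            return chain, []
        chain.append(cnames[0])
        seen.add(cnames[0])
    return chain, []

def relationship_view(text, scope_suffix):
    """One line per in-scope source: 'src -> hop -> ... -> ip,ip' or UNRESOLVED."""
    records = parse_records(text)
    lines = []
    for name in sorted(n for n in records if n.endswith(scope_suffix)):
        chain, ips = resolve_chain(name, records)
        lines.append(" -> ".join(chain + [",".join(ips) or "UNRESOLVED"]))
    return lines
```

Calling `relationship_view(RAW_RECORDS, ".example.com")` yields one line per host, with the dangling `old.example.com` chain ending in `UNRESOLVED` so it stands out from the hosts that resolve.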

In terms of methodology, the biggest influence on me has been Uber.

In the last four years, Uber has changed its software development and deployment practices. In response to those changes, it was very important to keep rethinking my methodology for breaking into their attack surface. Continuous evaluation of Internet-facing assets was very effective, especially for large attack surfaces.

Attack surfaces are living things: they evolve and are sometimes complicated.

When I first started hacking on Uber, I saw services such as Redis and HAProxy admin panels exposed directly on the Internet. At that time it was trivial to discover such security misconfigurations, so I considered it an immature attack surface. But over the years they have evolved.

These days, exposed services like Redis are not found on Uber's core attack surface. This simply reflects the security maturity of the company; looking at the attack surface as a whole, Uber's processes and controls have matured.

Instead, all of Uber's internal and confidential assets are routed through OneLogin at the DNS level. In some cases the protection of confidential assets has slipped, and again, this is a very important reason to always monitor the attack surface.

Who knows? If someone temporarily unprotects an asset, or is rotating the secrets that OneLogin enforcement depends on, they may accidentally disable OneLogin altogether. Perhaps they are trying out some changes, or they don't know what they are doing.

Continuously monitoring assets for security changes is an important part of my methodology, and a reason it is built natively into AssetNote.
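An added example of the monitoring check this passage argues for (written for this page; not AssetNote's or Uber's code): two snapshots of the same assets are diffed to flag an internal host whose SSO redirect has disappeared, a host that no longer responds behind its CNAME, and a new host that was never gated. The snapshot format, the SSO hostname and all sample data are constructed.

```python
# Added example (not AssetNote's code): diffing two attack-surface snapshots to
# catch the regressions the post warns about, such as an internal asset that is
# no longer gated by SSO or a name that now points at nothing. The snapshot
# format, the SSO hostname and all sample data are constructed for this example.

SSO_HOST = "example.onelogin.com"  # constructed: the SSO host internal assets redirect to

# Constructed snapshots: host -> (cname, http_status, redirect_location).
# http_status 0 means the host gave no HTTP response at all.
BEFORE = {
    "wiki.internal.example.com": ("sso-gw.example.com", 302, "https://example.onelogin.com/login"),
    "grafana.internal.example.com": ("sso-gw.example.com", 302, "https://example.onelogin.com/login"),
    "old.example.com": ("ec2-203-0-113-99.compute-1.amazonaws.com", 200, None),
}
AFTER = {
    "wiki.internal.example.com": ("sso-gw.example.com", 302, "https://example.onelogin.com/login"),
    "grafana.internal.example.com": ("grafana-lb.example.com", 200, None),  # SSO gating gone
    "old.example.com": ("ec2-203-0-113-99.compute-1.amazonaws.com", 0, None),  # EC2 target gone
    "new.internal.example.com": ("sso-gw.example.com", 200, None),  # new host, not gated
}

def is_sso_gated(obs):
    """True when the host redirects to the SSO provider instead of serving content."""
    _cname, status, location = obs
    return status in (301, 302, 303, 307, 308) and bool(location) and SSO_HOST in location

def diff_snapshots(before, after):
    """Return sorted (host, finding) pairs that deserve a human look."""
    findings = []
    for host, obs in after.items():
        prev = before.get(host)
        if prev is None:
            if not is_sso_gated(obs):
                findings.append((host, "new host not behind SSO"))
            continue
        if is_sso_gated(prev) and not is_sso_gated(obs):
            findings.append((host, "SSO gating removed"))
        if prev[0] != obs[0]:
            findings.append((host, f"CNAME changed {prev[0]} -> {obs[0]}"))
        if prev[1] != 0 and obs[1] == 0:
            findings.append((host, "stopped responding (possible dangling record)"))
    for host in before.keys() - after.keys():
        findings.append((host, "host disappeared from snapshot"))
    return sorted(findings)
```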

Not all of the work I did on the United Airlines bug bounty is included in this blog post, and I can't write about it in much detail because of the program's rules, but thanks to their attack surface I can say that I was able to improve my .NET application security testing skills.

When I first saw an IIS server four years ago, I didn't know where to start. These days, IIS servers in general have proved to be very fruitful for me.

There are many other things I do when approaching an attack surface, so I plan to post more videos on my YouTube channel next year. If you haven't yet, please subscribe.

AssetNote's continuous security platform puts the power of automated asset identification and large-scale asset discovery in the hands of security teams around the world, so that they can reproduce our methodology and successes. Knowing your assets and your exposure is the key to securing them, and we will do our best to support security teams around the world.

If you are having trouble tracking and monitoring your assets, please contact us.



Elim Poon - Journalist, Creative Writer

Last modified: 27.08.2024
