2114
Talk and help about bugbounty
Yeah, but when I see a lot of online gurus preaching how anyone can earn thousands, I can help but laugh my ass off and then shed a tear. 🥲
Читать полностью…
You just go and find e.g exposed WordPress admin creds on the dark web, then put your webshell in it.
But bug bounty!? Argh
But bug bounty is a lot harder and the uncertainty is a real deal
Читать полностью…
I don't have much experience in Programming, but gonna learn it anyways
Читать полностью…
Testing for 50 hours and all you got is n/a and dupe
Читать полностью…
Right 🥲 ngl working for a company a lot better than this
Читать полностью…
I also found a bug on a popular site in which you can bypass 2fa in Password Change and can send spam emails to any users which will block them for a certain time from changing their password.
Читать полностью…
Well this is privacy violation 😅
I also found similar things but they closed it as informative and they fixed it after closing it 😆 toxicity of bug bounty
P.S. the wallet addresses and the PII are hidden from the low level users on the frontend.
Читать полностью…
Damn! Living in Europe and earning in USD is not a good tradeoff according to a lot of people because of the exchange rate. Is it true?
Читать полностью…
I'm from Europe. I also have experience in black hat hacking 🥲
Читать полностью…
I'm trying to do that rn. I have experience in programming as well but the job market is very tough as u said
Читать полностью…
Ikr! But when I see how little the job holders are getting paid nowadays, it's such a turn off! And also the job market is really really tough these days
Читать полностью…
I think I'm gonna become a bug bounty hater too. It has a lot of negative impact on life.
Читать полностью…
But I am afraid if they mark it as N/A, I am gonna lose reputation and signal 🥲
Читать полностью…
But didn’t report it yet as I am not sure if they will accept it.
Читать полностью…
Damn! That's absolutely ridiculous!
One guy from discord told me a story about a similar situation. One of his friends found a bug on MacDonald's website in the + - section of cart. He can increase quantity as many as he wants without changing the price.
He reported it to MacDonald but MacDonald didn’t pay them anything so he started to mass tweet about it, and finally MacDonald gave in and paid them. MacDonald was pissed off because of the mass tweets and also the guy ordered a lot of free food abusing the bug. 😆
He suggested that I do it too.
I am gonna open a resolution on the report, and if I don't get anything Imma head over to twitter.
I can send thousands of emails using a password reset endpoint of a private bug bounty program. There's also authentication bypass (I can register with any email I do not own e.g. elon@tesla.com).
It is usually a p2 since I wrote an exploit, I can use it as a mass scale attack. But they give it a p5 lol I really hate this
👾Mastering Exploit Development & Metasploit – A Step-by-Step Guide👾
Читать полностью…
Hello hello,
I published new bug bounty writeup. Have a read. Please share and clap.
https://vijetareigns.medium.com/email-and-home-address-disclosure-using-unauthenticated-api-endpoint-worth-500-4a497ff0678c
Hey, so I have found a vulnerability on a website from HackerOne. The webapp basically helps its users to transfer crypto currency from one place to another.
The vulnerability allows a low level user on the team to view the crypto wallet addresses which were added by the admin of the team. Also, the vulnerability leaks billing details(PII-full name, street address, zip code, city etc.) of the admin in the same http response.
I reported the bug with a clear PoC. But the H1 triager closed this as an informative saying that there is no significant security impact of this bug.
It just went over my head that how exposing wallet addresses along with PII of an admin does not pose security impact. I am really stunned.
Can someone suggest me what should I do in this situation?
https://mega.nz/folder/96AhRazA#Qci5-I29JIQobl4btJ7w0g
Читать полностью…