The last few weeks have been fun; I've had a few small bugs fixed here and there as part of a few different bug bounty programs. I've also crawled up a few places in the bugcrowd.com leaderboards. I do intend to keep this up as a hobby!
To further complement my massive interest in the security field, I've also just started in a consulting role with Rits Information Security. I'm very excited about working; I hopefully have something to offer in this area and I hope my enthusiasm to learn helps me excel in this field of work. I feel so very privileged to be working on something I'm so passionate about.
I've had an interesting month with regards to bug bounties. Since the beginning of the month, I've got confirmed bug bounty bugs for Yahoo, Facebook, Microsoft and Kayako. I should hopefully be included in the Facebook/Microsoft responsible disclosure acknowledgement pages within the next month for my reported issues. I also had a good bit of success with some of the bounty programs run by bugcrowd.com and hackerone.com.
I suppose I better share some of my findings -_-. Below you will see two proof-of-concept videos I used when demonstrating two of the XSS bugs I found for Kayako and Yahoo respectively. These are just very simple issues, and as XSS is so common, I don't think you'll be surprised to see me posting more to my blog. These are still a majority of the issues I come across. I reported a few more of these to Yahoo and Microsoft. I think the main reason I tend to focus on them is because of the abundance of them and also because I have had severely limited testing time as a result of college work.
On Facebook I found an information disclosure issue in which a Django app's debug information was accessible from a public-facing dev server, within which various internal network addresses and configuration settings were exposed. I don't believe in sharing information disclosure bugs publicly. I think it defeats the purpose of helping a company hide the information that was disclosed by the bug. So for an example of this, posting an image of an /etc/passwd file without hiding the user login entries is a little silly. I've seen this plenty of times on various blog posts of bug reports.
I did also get a nice thank you message from house.gov for reporting an SQL injection I accidentally stumbled across. (It was actually an accident). Some would say that was a stupid move and borderline illegal. My reason for reporting this was out of fear that some other malicious party would find and abuse this bug and I'd be blamed once they go and root through their logs.
I'm leaving now to await my degree results and see how I did in my project. Hopefully you find my month as interesting as I did. Later homes.