bugbounty - ZeroSec - Adventures In Information Security

bugbounty

A collection of 18 posts

Reviving and Refactoring DNS Enum

Reviving and Refactoring DNS Enum

I have been using Lepus for a number of years as it is one of the better subdomain enumeration tools. I integrated some of the lessons learned from DNS Queue [https://github.com/zephrfish/dns-parallel-prober] and added additional functionality to a project that had not been updated in over 2

Leveraging Expression Language Injection (EL Injection) for RCE

bugbounty Featured

Leveraging Expression Language Injection (EL Injection) for RCE

Expression Language injection or EL Injection for short is an attack vector I'd never heard of until recently. This post talks about leveraging EL for RCE.

NMAP Tips: RTFM?

ltr101 Featured

NMAP Tips: RTFM?

NMAP TL;DR It's a tool used for portscanning and this post will explore some of the common and useful flags that can be used while scanning to pick up usful information about targets. What Is NMAP? Nmap or Network mapper is an open source tool for network discovery and

LTR101: My First CloudFront Domain Takeover/Hijack

LTR101: My First CloudFront Domain Takeover/Hijack

Update 2021/2022: This technique no longer works for Subdomain Hijacking as Amazon have patched it. The only way to hijack the subdomain is if you have control over DNS for the domain and that requires deeper compromise. Sub Domain Hijack Issue Hijack/takeover attacks can happen when a company

May the Shells be with You - A Star Wars RCE Adventure!

May the Shells be with You - A Star Wars RCE Adventure!

Intro Continuing the non-ltr101 [https://blog.zsec.uk/tag/ltr101/] posts for a second here is a quick write-up of a cool bug I found recently on a bounty program. It features Remote Code Execution via an abandoned web service. Enabling me to traverse the target internal network and gain

Blind XXE - Hunting in the Dark

Blind XXE - Hunting in the Dark

Before getting into the post, this isn't anything brand new or leet in the area of XML External Entity (Blind XXE) attacks, it is purely something I came across and wanted to share. The tl;dr to start off is essentially: * Found an XXE bug that was blind meaning that

[Tools Release] GoogD0rker & AttackDeploy

[Tools Release] GoogD0rker & AttackDeploy

This post serves as a quick description of two scripts I have written and published on my Github [https://github.com/ZephrFish]. It's not often that I take or even have the time to write things other than blog posts and reports it seems. However last week I saw two

LtR101: Selling Yourself & Hacking Your Career Path

LtR101: Selling Yourself & Hacking Your Career Path

Having the technical skills are great, going to meet-ups and making the social contacts is even better. What really gets you in the door though? Knowing people? A CV? Being somewhat known? All valid points and questions, all worth looking into and all will get you somewhere. Things to Consider

Bug Bounty Forum AMA (x-post from BBF)

Bug Bounty Forum AMA (x-post from BBF)

Introduction What is your name, if you do not want to disclose your name, what is your handle/nickname? Where are you from? How long have you been hacking? How did you get started? What platforms or popular public programs have you hacked on? Hi folks, I’m Andy also

LtR101: Book Published

LtR101: Book Published

After almost 6 months, today is the day I finally finished & published: Breaking Into Information Security: Learning the Ropes 101. What does this mean exactly? Well more blog posts now as the book is out there! Got a few posts lined up made up of weekend projects I've been doing

Web Application Testing - Tooling

Getting Started

Web Application Testing - Tooling

Having given an introduction into web app testing [https://blog.zsec.uk/101-web-testing-1/] it is now time to move onto the tooling. Noting that this is for testing and not specifically bug bounty hunting. The tooling and techniques are slightly different. The art of web testing is made up of

Web Application Testing(Learning the Ropes 101)- Introduction

Getting Started

Web Application Testing(Learning the Ropes 101)- Introduction

To give some background, for those of you who do not already know I work as a pentester and my specialism is web application pentesting/penetration testing(also referred to some as appsec). I started this series to help individuals wanting to get into security & learn about the fundamentals required

gif it time it'll come to you - Finding More Holes in The Hub

gif it time it'll come to you - Finding More Holes in The Hub

Following suit of stored cross site scripting vulnerabilities this post will talk about another issue I found in Pornhub. Unfortunately someone found before me and as a result this bug was a duplicate. However, this is my write-up of it and how it was possible, how it worked and the

Persisting on Pornhub

Persisting on Pornhub

This guy again? More Pornhub [https://hackerone.com/pornhub] bounty things? Well yeah, sort of. Recently I found a stored cross-site scripting vulnerability in Pornhub core(i.e pornhub.com). Allowing any user to post malicious links to their 'steam' aka profile. This post will explain how the attack was

Learning the Ropes 101: Stay Beautiful, Stay Verbose

Learning the Ropes 101: Stay Beautiful, Stay Verbose

Having recently just arrived back from DEFCON 24 Las Vegas, I've not had a chance to write up much in regards to blogging and for that I am sorry! Anyway this post will discuss the importance of reporting and what it means to me to create a beautiful, reproducible and

CSV Injection -> Meterpreter on Pornhub

CSV Injection -> Meterpreter on Pornhub

This post will discuss an issue I found regarding CSV injection on Pornhub.com, allowing a remote attacker to inject malicious code into video titles resulting in potential full compromise of content creators and other users. Note: Pornhub have advised that they will no longer be rewarding for this type

CSV Injection Revisited - Making Things More Dangerous(and fun)

CSV Injection Revisited - Making Things More Dangerous(and fun)

In this post, I will discuss several methods and remediation steps that can be used to help escape and mitigate CSV [https://support.office.com/en-gb/article/Import-or-export-text-txt-or-csv-files-5250ac4c-663c-47ce-937b-339e391393ba] (Comma separated values) injection type attacks. For those of you who may not know what CSV injection is or how it occurs,

Popping the Pornhub Cherry

Popping the Pornhub Cherry

Currently at time of writing I'm ranked #1 finder of Bugs on https://hackerone.com/pornhub which is a nice position to hold. This post is to explain the techniques I've used to get to where I am and how I found my most recent $2500 bug on pornhub. To