YoKo Kho

Category: Web Apps

Collection of the bug that specifically found at web application

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

How I Finally could Got into an Internal Network (and could accessing all of their internal assets) at One of the Biggest ICT company in the...

February 19, 2020

Bug Report / Web Apps / Write-Up

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

In the name of Allah, the Most Gracious, the Most Merciful. – Part I from (hopefully) IV Parts – Update I: Added a “Reference” Section. Update...

September 14, 2019

Bug Report / Web Apps / Write-Up

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] IDOR...

April 17, 2018

Bug Report / Web Apps / Write-Up

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] Ribose — IDOR...

April 16, 2018

Bug Report / Web Apps / Write-Up

Bypassing the Current Password Protection at PayPal Tech-Support

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release (December, 2017 Article):[English Version]...

December 26, 2017

Bug Report / Web Apps / Write-Up

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal – Information...

December 26, 2017

Bug Report / Web Apps / Write-Up

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal — Turning Self-XSS into...

November 12, 2017

Bug Report / Web Apps / Write-Up

FortiNet – Unrestricted Deletion to All Other Sub Account via IDOR at Support Portal

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] FortiNet...

May 3, 2017

Bug Report / Random Things / Web Apps

Oppo – Reflected XSS at Activation Link via Base64 Value

In the name of Allah, the Most Gracious, the Most Merciful. Description: an Reflected XSS issue at Activation Link that could be triggered via Base64 Encoding....

May 2, 2017

Bug Report / Random Things / Web Apps

Oppo – Open URL Redirection at Activation Link via Base64

In the name of Allah, the Most Gracious, the Most Merciful. Description: an Open URL Redirection issue at Activation Link that could be triggered via Base64...

May 2, 2017

Latest Tweets

Retweet on Twitter YoKo Kho Retweeted

Jorge Orchilles @jorgeorchilles·

February 19, 2020

Posted the Purple Team Summit talk I gave on running effective adversary emulation exercises (via in-person #purpleteam) to @SlideShare

https://www.slideshare.net/jorgeorchilles/purple-team-work-it-out-organizing-effective-adversary-emulation-exercises

@1njection check out slides 9-11 for what we were discussing
@SANSInstitute @SANSPenTest @Ch33r10 @scythe_io

Twitter 1230247406840745984

Retweet on Twitter YoKo Kho Retweeted

TrustedSec @TrustedSec·

February 18, 2020

In our latest #blog post, Senior Security Consultant @nyxgeek takes us through a simple, passive method of performing user #enumeration via @onedrive

https://hubs.ly/H0n2S1g0

Twitter 1229798845959299077

Retweet on Twitter YoKo Kho Retweeted

DirectoryRanger @DirectoryRanger·

February 19, 2020

PassFiltEx. A password filter for #ActiveDirectory that uses a blacklist of bad passwords/character sequences.

https://github.com/ryanries/PassFiltEx

Twitter 1230118597109919746

Retweet on Twitter YoKo Kho Retweeted

eForensics Magazine @eForensics_Mag·

February 19, 2020

Tips for reverse-engineering malicious code - cheat sheet

http://bit.ly/39Mg80f

#tips #reverseengineering #malicius #code #cheat #sheet #cheatsheet #digitalforensics #infosec #cybersec #cybersecurity

Twitter 1230266058906443778

Retweet on Twitter YoKo Kho Retweeted

Ashley Frazer @HighViscosity·

February 19, 2020

I’m very excited to share my first blog post on LNK files and user search history!! Please join my Mom and Dad in giving it a read. 😊#dfir #infosec
https://www.fireeye.com/blog/threat-research/2020/02/the-missing-lnk-correlating-user-search-lnk-files.html

Twitter 1230206612171702272

Category: Web Apps

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

Bypassing the Current Password Protection at PayPal Tech-Support

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

FortiNet – Unrestricted Deletion to All Other Sub Account via IDOR at Support Portal

Oppo – Reflected XSS at Activation Link via Base64 Value

Oppo – Open URL Redirection at Activation Link via Base64

Search

Recent Posts

Categories

Latest Tweets