About Me
YoKo has spent more than 9 years (from total of more than 12 years) in information security field, focused in risk from security testing point of...
July 25, 2014
Tagged: About Me
Search
Recent Posts
- Optimizing Hunting Results in VDP for use in Bug Bounty Programs - From Sensitive Information Disclosure to Accessing Hidden APIs which can be used to Retrieve Customer Data
- From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration
- From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response
- From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World
- If Allah willed it, will be back soon!
- 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)
- CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)
Categories
- About Me (3)
- Achievements (2)
- Bug Report (27)
- Desktop Apps (4)
- Mobile Apps (5)
- Random Things (8)
- Terms of Use (1)
- Web Apps (18)
- Write-Up (17)
- Write-Up in Bahasa (4)
Latest Tweets
Ibnul Qoyim berkata:
"Lisan punya 2 kesalahan yg besar, di mana jika seseorang bebas dari yg satu, dia sulit bisa selamat dari yg satunya: salah dalam bicara & salah dalam diam.
Yang diam dari kebenaran adalah setan yg bisu. Yang mengucap kebatilan adalah setan yang berbicara. https://twitter.com/200Abdulaziz/status/1380717677270949889
@ninetyn1ne_ The WAF didn’t fully anticipate the underlying application to convert
> to >
by double HTML encoding (which is just encoding the & to &) we can resolve normal HTML entities which are parsed in the javascript event handler.
cloudflare tries to spot alert(1) but fails
just disclosed my first real report on Hackerone!
https://hackerone.com/reports/789689
might have to do a full write up on HTML entity parsing weirdness :)
#BugBounty #bugbountytips
🚨🚨 . . New & Free Security Zine . . 🚨🚨
Finally Hashing Zine is here !!!
Must read for devs and bug hunters.
And yes its free.
One single read, will make your knowledge one level above.
https://securityzines.com/zines/hashing.html
#security #infosec #zines #100DaysOfCode #hashing
Of course had to be included in best recon methodologies: https://securib.ee/beelog/the-best-bug-bounty-recon-methodology/