About Me
YoKo has spent more than 9 years (from total of more than 12 years) in information security field, focused in risk from security testing point of...
July 25, 2014
Tagged: About Me
Search
Recent Posts
- From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration
- From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response
- From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World
- If Allah willed it, will be back soon!
- 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)
- CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)
- Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)
Categories
- About Me (3)
- Achievements (2)
- Bug Report (26)
- Desktop Apps (4)
- Mobile Apps (5)
- Random Things (8)
- Terms of Use (1)
- Web Apps (17)
- Write-Up (16)
- Write-Up in Bahasa (4)
Latest Tweets
https://abdilahrf.github.io/bugbounty/open-redirect-account-takeover-pada-bukalapak-com
Sharing my writeup to escalate open redirection into an account takeover, nothing fancy but i hope someone could learn something here and there.
Since I already shared the PoC payload for this, I guess I can also share more details. The XSS is stored by sending a meeting invite. I could literally send the invite to as many users as I'd like and as soon as they'd view their calendar in the app, I'd get a reverse shell! https://twitter.com/JR0ch17/status/1281832919309451264
Turns out there was a g̶̢̠̳̀l̵̞̤̍͛į̴̠͉̾̐̿͒t̸̛͔͐͛̕c̴̣̝͕̓h̴̤̅̑̎ in the matrix for some of our MVPs...
Thank you for your patience while we took a look under the hood and without further ado, the newly appointed Q1 MVPs! #ItTakesACrowd 👾 👾 👾
https://bgcd.co/2DBStVz
I personally think that this is such a well maintained repository for red teaming operations in terms of sneaky ways to perform operations. Kudos to @vysecurity
https://vincentyiu.com/red-team-tips
25 Persistence Techniques (Windows) are covered already! Anything else that is missing? https://pentestlab.blog/methodologies/red-teaming/persistence/ #pentestlab #persistence #redteaming