HackerOne – Telegram
HackerOne
@HackerOne
11K subscribers
644 photos
31 videos
79 files
2.74K links
Community : @Sec0x01
@Bug0x
Download Telegram
About
Blog
Apps
Platform
Join
HackerOne
11K subscribers
HackerOne
https://medium.com/@valeriyshevchenko/two-easy-rce-in-atlassian-products-e8480eacdc7f
#BugBounty
#VulnDisc
Medium
Two Easy RCE in Atlassian Products
It was a long time from my last article. It was so many interesting results in my work. Seems that it's right time to share my knowledge…
2.29K viewsAmir kiani
HackerOne
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
PortSwigger Research
HTTP Desync Attacks: Request Smuggling Reborn
2.03K viewsAmir kiani
HackerOne
Forwarded from CTF Community | Hints
Automated Detection of Web Application Firewall

https://github.com/EnableSecurity/wafw00f
#web
#Pentest
@ctfplay
GitHub
GitHub - EnableSecurity/wafw00f: WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting…
WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website. - EnableSecurity/wafw00f
86 viewsپدرخوانده
HackerOne
http://www.hcon.in/
2.4K viewsMir Saman Tajbakhsh
HackerOne
https://research.checkpoint.com/black-hat-2019-whatsapp-protocol-decryption-for-chat-manipulation-and-more/

https://github.com/romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint
Check Point Research
Black Hat 2019 – WhatsApp Protocol Decryption for Chat Manipulation and More - Check Point Research
  Research By: Dikla Barda, Roman Zaikin and Oded Vanunu According to sources, WhatsApp, the Facebook-owned messaging application has over 1.5 billion users in over 180 countries. The average user checks WhatsApp more than 23 times per day. And, the number…
2K viewsپدرخوانده
HackerOne
https://medium.com/@valeriyshevchenko/jenkins-rce-poc-or-simple-pre-auth-remote-code-execution-on-the-server-d18b868a77cb

#BugBounty
#writeup
Medium
Jenkins RCE PoC or simple pre-auth remote code execution on the Server.
Once upon a time, a friend of mine asked me a question — "Do you know any fresh RCE for the Jenkins environment ?". I was informed already…
2.11K viewsAmir kiani, edited  
HackerOne
Instagram Added to Facebook Data-Abuse Bounty Program

Social media giant also launches invitation-only bug bounty program for 'Checkout on Instagram'.

Instagram users aware of a third-party application developer misusing their personal data can now report the activity to the company and potentially earn a reward for it.

Facebook, which owns Instagram, on Monday expanded its Data Abuse Bounty program to Instagram in a continuing effort to crack down on application developers and other third parties that are misusing user data on the company's social media platforms.
https://www.darkreading.com/vulnerabilities---threats/instagram-added-to-facebook-data-abuse-bounty-program/d/d-id/1335569
Dark Reading
Instagram Added to Facebook Data-Abuse Bounty Program
Social media giant also launches invitation-only bug bounty program for 'Checkout on Instagram'.
2.02K viewsپدرخوانده
HackerOne
Exfiltration through FTP using OOB XXE

Upload accepts .xlsx files --> Unzip sample .xlsx file -> add payload in workbook.xml/[Content_Types].xml after xml declaration --> DTD file send data via ftp://remote-ip/%data --> run ftp server using xxe-ftp-server.rb --> /etc/passwd

Via: https://twitter.com/_ayoubfathi_/status/1164536885244583941
2.57K viewsپدرخوانده
HackerOne
GAME OVER: Detecting and Stopping an APT41 Operation
https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
Google Cloud Blog
GAME OVER: Detecting and Stopping an APT41 Operation | Mandiant | Google Cloud Blog
2.46K viewsپدرخوانده
HackerOne
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1
Blogspot
A very deep dive into iOS Exploit chains found in the wild
Posted by Ian Beer, Project Zero Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report se...
2.16K viewsپدرخوانده
HackerOne
Price For Mobile Exploits
2.03K viewsAmir kiani, edited  
HackerOne
https://medium.com/@valeriyshevchenko/critical-vulnerabilities-in-pulse-secure-and-fortinet-ssl-vpns-in-the-wild-internet-3991ea9e6481
Medium
Critical vulnerabilities in Pulse Secure and Fortinet SSL VPNs in the Wild Internet
Infiltrating Corporate Intranet like Banks, Governments, Airports became possible with vulnerable SSL VPN clients.
2.75K viewsAmir kiani
HackerOne
https://www.zerodayinitiative.com/advisories/ZDI-19-780/
Zerodayinitiative
ZDI-19-780
(0Day) Google Android v4l2 Double Free Privilege Escalation Vulnerability
1.99K viewsAmir kiani
HackerOne
Forwarded from P0SCon
Abstracts are received. After evaluating the abstracts and arranging travel and resistance, the details of speakers will be announced.

P0SCon2019

📆 12 Oct 2019

Register for P0SCon2019:

🇮🇷 ::Iranian Citizens::
https://evnd.co/w3uRC

🇺🇳::Non-Iranian Citizens::
Contact: p0scon@uut.ac.ir


http://poscon.ir

@P0SCon
103 viewsMir Saman Tajbakhsh
HackerOne
https://medium.com/@sean.greathouse/a-blueprint-for-stopping-ddos-attacks-forever-using-tokenized-fields-in-tcp-or-ipv6-packets-b1de90682f1e
Medium
A Blueprint for Stopping DDoS Attacks Using “Tokenized” Fields in TCP or IPv6 Packets.
The goal of this article is to convince you there is a way to prevent SYN Flood DDoS attacks, spoofed source IP’s, and port scanning once…
2.22K viewsAmir kiani
HackerOne
https://www.freecodecamp.org/news/lets-enhance-how-we-found-rogerkver-s-1000-wallet-obfuscated-private-key-8514e74a5433/
freeCodeCamp.org
Let’s Enhance! How we found @rogerkver’s $1,000 wallet obfuscated private key
By Michel Sassano Before we even start: We do not know the journalists who recorded the interview and we do not know Roger Ver. Anyone who had access to this video could have retrieved the private key. We could have simply named this post “How great ...
2.01K viewsAmir kiani
HackerOne
What happens if we use our brain's 100% capacity
https://twitter.com/cyanpiny/status/1175030939891712000
2.12K viewsAmir kiani
HackerOne
https://blog.ssh.com/malicious_ssh_client_exfiltrates_credentials_34
Ssh
Malicious SSH client steals credentials masked as a DNS query
A malicious SSH client exfiltrates credentials masked as a DNS query. Learn what this means and how to prevent your environment from getting compromised
1.84K viewsAmir kiani
HackerOne
How Edward Snowden Would Use A Smartphone
-Graphene OS
-all traffic through TOR
-use ad-blocker and password manager
-use Signal or Wire
-...
https://www.eva.nmccann.net/blog/snowden-smartphone
McCann Tech
How Edward Snowden Would Use A Smartphone — McCann Tech
How Edward Snowden would use a smartphone, if he had to.
1.98K viewsAmir kiani
HackerOne
https://twitter.com/0xEhsan/status/1176261001995542528?s=19
#BugBounty
Twitter
Ehsan
Aparat.‌com vulnerability was reported to @ir_cert for patching. Here is a video of the exploit this vulnerability. https://t.co/eRJ3GcTfay
1.81K viewsAmir kiani
HackerOne
Counter-Strike Global Offensive CVE-2019-15943
https://blog.firosolutions.com/exploits/counter-strike-go/
Firo Solutions
Counter-Strike Global Offensive CVE-2019-15943
1.83K viewsAmir kiani, edited