Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you. Yahoo Remote Code Execution CMS Yahoo Response: Hey Sean, Our committee finis…

This was on a private bounty program. I have redacted all the info related to the program. Enjoy! Out of Band XML External Entity Injection via SAML – redacted

Originally I just had default administrator credentials then I poked around for less than 10 minutes and found a configuration export which allowed me to export files with root privileges. Attached…

I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no paymen…

In the last few days, I have been able to have productive conversations with my peers in the bug bounty community including Patrik who works on the triage team and Luke who leads community efforts from HackerOne. Patrik has helped clear up misconceptions…

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

1) Intro & Motivations

At the start of of this year, I set myself a personal goal of finding 365 bugs in 365 days.

This was entirely motivated by wanting to challenge myself to find more security issues as I felt I'd been slacking off.

I thought back to…

When gaining shell access to a machine on a network, a promising attack vector is to check the internal network for web applications and services that may be accessible from the machine that has been compromised.

Often, internal web applications are found…

As of late, a fair few companies and startups have been using dedicated URL shortner services to use for tracking and social media purposes. An example link from such URL shortners look like this invent.ge/1j1QxGo or invent.ge/DNATool. Note that both custom…

As of late, I have been pentesting more and more applications that use some sort of mechanism to prevent unauthorized access to directories based on client IP addresses. In many cases, this has proven to be a weak method of protection if implemented incorrectly.…

Security for young people is something I care about. We need to make an investment whether it be time, money or support or university outreach, to get younger people (preferrably students) to see security as a viable, exciting and worthwhile career. The real…

Exploiting Markdown Syntax

Markdown is wonderful. In fact, this blog post itself is written in Markdown. I don't need to use lengthy uneccessary HTML for simple things like links, tables, code blocks and lists. Nor do I need to go out of my way to do simple…

Have you heard of what a subdomain takeover is? Do you know the impact it has? Well, if you haven’t, I will shortly summarize it for you.

There are tons of cloud providers that offer different types of servers with a lot of different options. I will talk about the ones I…

This is a post about how I found a simple yet really critical vulnerability in a bug bounty program. It was the most critical bug I have…

There are lots of guides on how to start into Bug Bounty Hunting but I will share my personal experience of getting into bug bounty…