Me and the Internship

Disclaimer: This article is written for educational purposes, the author and Appsecco does not encourage readers to do engage in…

Attached is the PDF of how I managed to escalate privileges to staff/superuser privileges via a misconfiguration. Django Privilege Escalation – Zero To Superuser

This is from a private bounty. The internal —-private.com domain was out of scope so I was asked to stop testing once I found the bug. SSRF To Pivot Internal Networks

Background First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy: I ran into a JMXInvokerSer…

Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you. Yahoo Remote Code Execution CMS Yahoo Response: Hey Sean, Our committee finis…

This was on a private bounty program. I have redacted all the info related to the program. Enjoy! Out of Band XML External Entity Injection via SAML – redacted

Originally I just had default administrator credentials then I poked around for less than 10 minutes and found a configuration export which allowed me to export files with root privileges. Attached…

I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no paymen…

In the last few days, I have been able to have productive conversations with my peers in the bug bounty community including Patrik who works on the triage team and Luke who leads community efforts from HackerOne. Patrik has helped clear up misconceptions…