Bug-Bounty

WordPress GiveWP POP to RCE (CVE-2024-5932)

A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular Wordpress Plugin GiveWP in all versions donor_meta->get_meta() method. Bypassing stripslashes\_deep One thing that does not immediately stand out but will get important later is the usage of stripslashes_deep during the validation of the $user_info array, which contains the vulnerable user_title attribute: Why is that important?

Aug 26, 2024

From Zero to Hero Part 2: From SQL Injection to RCE on Intel DCM (CVE-2022-21225)

Introduction You've probably enjoyed my previous post about bypassing Intel DCM's authentication mechanism to gain unauthorized access. This gave us the lowest possible "Guest" privileges in the DCM console.

Dec 1, 2022

From Zero to Hero Part 1: Bypassing Intel DCM's Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)

TL;DR Intel's Data Center Manager Console is a real-time monitoring and management all-in-one console that allows you to manage your entire data center. This small series of two blog posts covers an entire vulnerability chain that goes from an unauthenticated user to full remote code execution against Intel's Data Center Manager (up to version 4.1.1.45749).

Nov 23, 2022

WordPress Transposh: Exploiting a Blind SQL Injection via XSS

Introduction You probably have read about my recent swamp of CVEs affecting a WordPress plugin called Transposh Translation Filter, which resulted in more than $30,000 in bounties: [\[CVE-2021-24910\] Transposh &: It's still a limitation, but easy to work around: we're just going to replace the required comparison characters with a between x and y. We don't actually care about " and & since the payload doesn't really require them.

Jul 22, 2022

Smuggling an (Un)exploitable XSS

This is the story about how I've chained a seemingly uninteresting request smuggling vulnerability with an even more uninteresting header-based XSS to redirect network-internal web site users without any user interaction to arbitrary pages. This post also introduces a 0day in ArcGis Enterprise Server.

Nov 13, 2020

Bug Bounty Platforms vs. GDPR: A Case Study

What Do Bug Bounty Platforms Store About Their Hackers? I do care a lot about data protection and privacy things. I've also been in the situation, where a bug bounty platform was able to track me down due to an incident, which was the initial trigger to ask myself: How did they do it?

Jul 22, 2020

H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress

TL;DR While doing recon for H1-4420, I stumbled upon a Wordpress blog that had a plugin enabled called SlickQuiz. Although the latest version 1.3.7.1 was installed and I haven't found any publicly disclosed vulnerabilities, it still somehow sounded like a bad idea to run a plugin that hasn't been tested with the last three major versions of Wordpress.

Sep 10, 2019

About a Sucuri RCE...and How Not to Handle Bug Bounty Reports

TL;DR Sucuri is a self-proclaimed "most recommended website security service among web professionals" offering protection, monitoring and malware removal services. They **ran** a Bug Bounty program on HackerOne and also blogged about how important security reports are.

Jun 20, 2019

Dell KACE K1000 Remote Code Execution - the Story of Bug K1-18652

This is the story of an unauthenticated RCE affecting one of Dropbox's in scope vendors during last year's H1-3120 event. It's one of my more recon-intensive, yet simple, vulnerabilities, and it (probably) helped me to become MVH by the end of the day ;-).

Apr 9, 2019

H1-3120: MVH! (H1 Event Guide for Newbies)

Here's another late post about my coolest bug bounty achievement so far! In May I've participated in HackerOne's H1-3120 in the beautiful city of Amsterdam with the goal to break some Dropbox stuff.

Jun 29, 2018

H1-415: Hacking My Way Into the Top 4 of the Day

I've always wanted to visit San Francisco! So I was really happy about an email from HackerOne inviting me to this beautiful city in April. But they did not cover all the costs for my international flights and the hotel room just for my personal city trip - they had something really nasty in mind: hacking Oath!

May 3, 2018

Upgrade from LFI to RCE via PHP Sessions

I recently came across an interesting Local File Inclusion vulnerability in a private bug bounty program which I was able to upgrade to a Remote Code Execution. The interesting fact about this and what makes it different is that the underlying operating system was pretty hardened and almost all usual ways to upgrade your LFI were blocked or failed silently.

Aug 28, 2017

OK Google, Give Me All Your Internal DNS Information!

In late January, I have found and reported a Server-Side Request Forgery (SSRF) vulnerability on toolbox.googleapps.com to Google's VRP, which could be used to discover and query internal Google DNS servers to extract all kinds of corporate information like used internal IP addresses across the company as well as A and NS records exposing all kinds of hosts like Google's Active Directory structures and also a fancy Minecraft server! :-) So here's a quick write-up about the vulnerability.

Mar 1, 2017

Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass

Better late than never. This article will give you some insights about my discovered generic Cross-Site Request Forgery Protection Bypass in Ubiquiti's UniFi v3.2.10 and below, as published some time earlier this year on HackerOne.

Feb 23, 2016

Google Bug Bounty: Nice Catch on Google Cloud Platform Live

It's been a while since I've published my last article, this is mainly because I'm currently working on a nice project overseas in Asia and enjoying this relaxed life here a little bit. Therefore I also keep this blog post a little short, because it's just for the record.

Nov 20, 2014

Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)

The German Magix Software GmbH rewarded me with a Hall of Fame listing and a free Magix Music Maker 2014 Premium license for my reports of several serious security issues in the online infrastructures of magix.com and xara.com, which could be used to break both sites entirely: At this point, I'd like to thank the Magix Security Team for their really fast and always transparent responses and the good coordination process as a whole. This is a perfect example of how the communication between the bug bounty operator and the researcher can satisfy both parties.

Apr 26, 2014

Mandriva, Netcup, Teamdrive and Wallstreet-Online Fix XSS Vulnerabilities

It's 2014 and I have to tidy up my discovery archive a bit ;-) . Before joining the Internetwache.org project I have coordinated all found vulnerabilities by myself and these are the last ones which have been fixed in late 2013.

Jan 21, 2014

PayPal Bug Bounty: PayPaltech.com E-Mail Injection'

Bag the bug! I've reported another interesting vulnerability to the PayPal site security team in May 2013 affecting their domain www.paypaltech.com, which is in scope of the official Bug Bounty program.

Sep 26, 2013

Microsoft Fixes 7 XSS Flaws on MSN

Earlier this year, I've reported 7 XSS flaws on different pages of the Dutch MSN Entertainment site to the Microsoft Security Response Center (MSRC case #14103cl) and immediately received a response - not as fast as HP did previously on my HP IMC flaw - but still very fast ;-). In contrast to Google or Facebook, Microsoft does not provide any kind of bugbounty program - they'd probably lose too much money with such a program :-D - just joking!

Jun 8, 2013

PayPal Bug Bounty: PayPaltech.com XSS

Great news! Today I received the second payment for another valid Cross-Site Scripting vulnerability covered by PayPal's bug bounty program. This time the domain www.paypaltech.com was affected, which provides scripts and samples used for Instant Payment Notifications (IPNs).

Apr 13, 2013

Bezirk-Niederbayern.de Fixes Critical SQL-Injection Flaw After 8 Months - Are We Ready For CyberWar?

That's amazing bad. Where should I start? In July 2012 I've reported a critical SQL - Injection flaw on the official website of Lower Bavaria alongside another small XSS flaw to the owner of the website.

Mar 26, 2013

TÜV-Nord Fixes Multiple XSS Flaws after Consulting the Data Security Officer of Niedersachsen

Hello readers! Take a moment and read the following article on Wikipedia about the German TÜV which is described as: TÜVs (German pronunciation: \[ˈtʏf\]; short for German: Technischer Überwachungs-Verein, English: Technical Inspection Association) are German organizations that work to validate the safety of products of all kinds to protect humans and the environment against hazards.

Mar 16, 2013

Marc O'Polo and United Cinemas International Fix XSS Security Flaws

Another day, some new XSS flaws. At first the big fashion label Marc O'Polo fixed a major Cross-Site Scripting issue in their online shop system. Good news, because a malicious attacker was able to use this security hole to hijack (and steal) every account including all personal customer details.

Jan 9, 2013

Bavarian Social Democratic Party Fixes Several Security Flaws

In early November, I found several Cross-Site Scripting vulnerabilites on the official website of the bavarian social democrats (also called "SPD" - which is the oldest political party in Germany) and immediately notified the official press office about the flaws. It took some days until I received an answer, which is OK for such a big government-run website...honestly ?

Nov 27, 2012

(PayPal) Bug Bounty - A handy way to secure your website

Great news! A few months ago I submitted a Cross-Site Scripting Vulnerability to the official Bug Bounty program of PayPal: It was accepted, fixed, and fully paid out, and I was very excited about the nice bounty :-).

Oct 10, 2012

Hamburg.de fixes security flaw within hours!

Hamburg.de - The website of the most beautiful city in Germany which is famous for its big port and its amazing atmosphere. Some days ago I had found a Non-Persistent Cross-Site Scripting vulnerability on this website and informed the team of Hamburg.de about the flaw in detail.

Sep 30, 2012

Critical vulnerability on Kiel.de fixed

www.kiel.de - the website of the state capital of "Schleswig-Holstein" in northern Germany which is very famous for the "Kieler Woche". Some weeks ago I stumbled over a critical SQL-Injection vulnerability on their website and immediatley notified the webmaster about the flaw and its importance.

Jun 8, 2012

Mozilla fixes Cross-Site Scripting Vulnerability on the Developer Network

In April, I stumbled over a Cross-Site Scripting vulnerability on the Mozilla Developer Network! Due to improper input validation mechanisms an attacker could temporarily inject own code into user browser sessions with required user interaction using manipulated URLs: which could then be used e.g.

May 18, 2012

SUSE fixes XSS flaw

Some days ago...I have found a Cross-Site Scripting Vulnerability on www.suse.com - the home of the famous Linux distribution. Using this bug, an attacker could temporarily inject arbitrary code with required user interaction into the context of the website and therefor a successful exploitation of the vulnerability allows for example cookie theft, session hijacking or (visible) client side context manipulation.

Apr 30, 2012

sachsen-anhalt.de - Cross-Site Scripting Vulnerability

This time I have found a non-persistent xss vulnerability on one of Germany's country-government websites. Immediatley after the finding (on 2012-03-11), I have noticed the webmaster about the vulnerability, but....no reaction.

Apr 11, 2012