2017-04-11 | OWASP top 10 release, DOM cookie bomb, and less spam?

Tuesday, April 11

Lose yourself to dance, because you can.

TODAY’S TOP STORY

OWASP top 10 release dropped yesterday. Email Dave to submit comments. 14-years of the top 10, and OWASP for sure has something to show for it: “...since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks include automatic CSRF defenses which has significantly contributed to its decline in prevalence, along with much higher awareness with developers that they must protect against such attacks.” Makes the CSRF reported below that much more impressive…

HACKTIVITY

DOM based cookie bomb [16 upvotes] - $280 bounty for this report to Twitter by @filedescriptor. In short, it sets a cookie with hash as the name and referrer as the value.
CSRF on cards API [15 upvotes] - $280 bounty for this report to Twitter by @filedescriptor. It’s a filedescriptor kinda day - all his exploits are worth the read. Details structure and PoC. Also, 7 days from report filed to bounty paid. Booya.

You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.

OTHER ARTICLES WE’RE READING

CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox" by @asanso. Two companies, one bug, and an access token that was cached indefinitely.
Sup, Hackathon Hustlers.
Silly hacker, don’t mine bitcoins with mirai-infused toasters. Mine Zcash.
Perhaps now we’ll finally have less spam? Lolololol

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Bitcoin, eh? Never heard of it. But perchance you would like to try something better. Something with more “zing”. Something named CosbyCoin!

Anonymous hacker

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.