Friday, May 12
TGIF!
TOP STORY
It’s a hacker heaven this Friday with a trifecta of awesome material. Starting us off is @filedescriptor at AppSec EU with Exploiting the unexploitable. Dude, you had us at foo/bar.php/1337. Then there’s Frans Rosén’s AMA with Bug Bounty Forum, and Sam Curry’s Yahoo bug explained.
HACKTIVITY
XSS in instacart.com/store/partner_recipe [7 upvotes] - $100 bounty for this report to Instacart by @karel_origin. The recipe_url parameter was reflected unescaped inside an href attribute, so injecting javascript:alert(1) turned the link into a script runner; the payload fired once the victim clicked the link.
Clickjacking Vulnerability found on Yelp [4 upvotes] - $100 bounty for this report to Yelp by @hckyguy77. Yelp sends X-Frame-Options: SAMEORIGIN, but the exploit proved that not every page carried the header, so the unprotected ones could still be framed.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
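Both of today’s Hacktivity reports come down to one missing check per page. As an added example (not code from either report, and not Instacart’s or Yelp’s code), the block below shows the reflected-href pattern behind the Instacart XSS next to a hardened version, and a per-page framing-protection check of the kind that would have flagged the Yelp gap. Function names, the sample headers and the paths are constructed for illustration.

```javascript
// Added example: why reflecting a URL parameter into href is an XSS, how to
// harden it, and how to audit framing protection page by page.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable pattern: the parameter lands in href verbatim, so a value of
// javascript:alert(1) becomes a link that runs script when clicked.
function vulnerableLink(recipeUrl) {
  return `<a href="${recipeUrl}">View recipe</a>`;
}

// Hardened: parse with the WHATWG URL parser (it strips leading whitespace,
// removes embedded tabs/newlines and lowercases the scheme, so "JavaScript:"
// and "java\tscript:" are still recognised), allow only http(s), then
// HTML-escape the normalised URL before it goes into the attribute.
function safeHref(recipeUrl) {
  let parsed;
  try {
    parsed = new URL(recipeUrl); // no base URL: relative and protocol-relative input is rejected
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

function safeLink(recipeUrl) {
  const href = safeHref(recipeUrl);
  return `<a href="${href === null ? '#' : escapeHtml(href)}">View recipe</a>`;
}

// Framing protection: a page counts as protected if it sends
// X-Frame-Options DENY/SAMEORIGIN or a CSP that contains frame-ancestors.
// Header names and X-Frame-Options values are matched case-insensitively.
function isFramingProtected(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const csp = h['content-security-policy'] || '';
  return /(^|;)\s*frame-ancestors\s/i.test(csp);
}

// Given [{ path, headers }] collected from one site, return the paths an
// attacker could still frame. One protected homepage says nothing about the rest.
function unprotectedPages(pages) {
  return pages.filter(p => !isFramingProtected(p.headers)).map(p => p.path);
}

// Constructed sample responses from a hypothetical site (not real Yelp data).
const SAMPLE_PAGES = [
  { path: '/', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { path: '/biz/example', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { path: '/legacy/settings', headers: { 'Content-Type': 'text/html' } },
];

console.log(vulnerableLink('javascript:alert(1)'));
console.log(safeLink('javascript:alert(1)'));
console.log(safeLink('https://example.com/recipe?id=1'));
console.log(unprotectedPages(SAMPLE_PAGES));
```

The href check deliberately parses rather than string-matching on "javascript:", because the browser normalises case, leading whitespace and embedded tabs before it decides the scheme; a naive prefix test misses all three. The framing audit is the point of the Yelp finding: the header has to be checked on every response, not just the one you looked at first.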
TWEET OF THE DAY
Dear Twitter: What do you think I do for a living? - @TheTarquin
OTHER ARTICLES WE’RE READING
What do you call 5 million emails per hour? Jaff, apparently. Forcepoint reveals massive email ransomware campaign.
Proving missing ASLR on dropbox.com and box.com over the web for a $343 bounty :D.
Mozilla bug bounty redux.
Trump signs Cyber EO. tldr; reports, lots and lots of reports. Oh, and studies! Lots of those too.
18F bug bounty, y’all: the first public bug bounty program run by a civilian agency.
Whoops, WindsorBlue.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
I didn’t have anything to put on it [toast] yesterday, so I put some grapes on it. It was weird.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.