Friday, August 24
HACKTIVITY HIGHLIGHTS
Incorrect param parsing in Digits web authentication [101 upvotes] - $2,520 bounty for this report to Twitter by @filedescriptor
Vulnerability in project import leads to arbitrary command execution [16 upvotes] - no bounty for this report to GitLab by @nyangawa
Wormable stored XSS in [redacted] [30 upvotes] - writeup published by @jobertabma
DOM based XSS on *.██████.com via document.domain sink in Safari [41 upvotes] - writeup published by @filedescriptor
AWS Credentials leaked: access to production database backups, SSL certs and more [25 upvotes] - writeup published by @TomDev
OTHER ARTICLES WE’RE READING
Burp Suite 2.0 beta is now available. Dafydd and crew are not done yet though.
50%+ of the Top 1 Million sites are now on HTTPS, per Scott Helme's August survey of HTTPS adoption among the top sites
New ESET research points to a distinctive backdoor by Turla, stealing sensitive communications from the authorities of at least three European countries.
Two MIT Tech Review stories on bug bounties: One by Erin Winick based on Evan Ricafort’s life as a bug hunter, and another by Martin Giles about, well, HackerOne and other bounty platforms in the crowdsourcing security space. See the Hacker News thread for chatter.
CVE-2018-11776, a critical issue found in the Apache Struts web application framework. Best to upgrade to 2.3.35; or if you're on Struts 2.5, you need to upgrade to 2.5.17. You don't want to be Equifax.
New York Times looks at FireEye’s techniques to identify the Iranian actors behind the misinformation campaign.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
We aren't done yet. Not by a long way.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.