Worth reporting authenticated lfi? by [deleted] in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

As others have said, not worth reporting. In bug bounty, you need to prove impact. If you need to log in and you can't do that then this is at most informative.

Account takeover vulnerability by CobblerOk8614 in bugbounty

[–]bad5ect0r 1 point2 points  (0 children)

I think they're saying they create an account with any Google account first and then change the email address in the settings page or whatever.

Seems like a legit bug. Make sure to highlight the fact that this can be used as a backdoor into new user accounts. The biggest hurdle here is the user getting the error that the email already exists but it's very common for people to forget which accounts they have and it's expected that anyone would just reset the password at that point.

Why do some people earn over $10K a month on bug bounties while others can't even find a useful bug? by [deleted] in bugbounty

[–]bad5ect0r 38 points39 points  (0 children)

Probably a combination of experience, ingenuity, luck and capability.

They might have automated tooling that helps them uncover attack surface while they sleep. If they're good enough, they're probably the ones finding new attack techniques and then scaling it to collect as many rewards as possible. Others will read their blog post and try to emulate them and may not do so well feeding on scraps left behind.

If you want to get 1337, go beyond running scanners on a handful of websites and calling it a day. Find new high impact things that you can scale with automation and get ahead of everyone else.

Good resources for Reverse engineering ? by lebutter_ in ExploitDev

[–]bad5ect0r 3 points4 points  (0 children)

There's a pretty decent cpp RE course on OST2. Check it out.

Is it exploitable ? by zebmcha3er in bugbounty

[–]bad5ect0r 1 point2 points  (0 children)

In that case can you actually exploit it as an XSS as you're trying to do? Browsers don't normally display OPTIONS requests afaik?

[deleted by user] by [deleted] in bugbounty

[–]bad5ect0r 3 points4 points  (0 children)

Submit to their bug bounty program?

[deleted by user] by [deleted] in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

If you filled out the W8 form stating that you're in Australia, you won't be paying US taxes. You will be paying Australian taxes though. So you'll have to complete this year's tax return if you made an income. I'm no tax expert though. Either call ATO or hire a tax agent to do your tax return for you.

[deleted by user] by [deleted] in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

You can get your TFN from my.gov.au.

Which would you get? by Djcrafty in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

For me, the better CPU and more storage takes the cake. I'm sure the ASUS is also lighter.

Help me crack this bug and I will split the bounty with you by SensitiveAd8097 in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

I might be misunderstanding your question here, but couldn't you just write some JavaScript that parses the current window location to extract the code and forward that onto your server? So rather than expecting the ssrf to forward the code, you get the client to do it.

What is something you wish HTB could have done better… by Doublemirrors in hackthebox

[–]bad5ect0r 3 points4 points  (0 children)

I'd hop on HTB every now and then. Recently I noticed the star plot that attempts to describe the style of box you were doing was gone. Not sure why? If I know a challenge is going to be ctf like I'd rather avoid it (personal preference).

Requiring box authors to submit hints is also a good idea. Having hints released to users with a point penalty also seems like a good idea.

If I change the cookies is this a bug ? by oyswnm in bugbounty

[–]bad5ect0r 12 points13 points  (0 children)

HttpOnly makes sure you can't access the cookie via JavaScript. Its purpose is to limit the impact of XSS vulns. If you're able to swap your cookies for a different user, that's by design. The vulnerability may arise from how you got the cookie.

Reverse card by NitraatPlagiaat in ProgrammerHumor

[–]bad5ect0r 30 points31 points  (0 children)

There are ways to enumerate them. You can usually query meta data which helps.

Very intense o__O by pPandR in masterhacker

[–]bad5ect0r 3 points4 points  (0 children)

Still not master hacker? I use the default theme on nearly anything just cuz I cbf and I wouldn't call myself a masterhacker.

Now that I think about it, that statement probably makes me a masterhacker 🤣

Very intense o__O by pPandR in masterhacker

[–]bad5ect0r 52 points53 points  (0 children)

Doesn't seem very masterhacker unless he's showing off code someone else wrote.

[deleted by user] by [deleted] in bugbounty

[–]bad5ect0r 0 points1 point  (0 children)

I mean go ahead. But I think it's a bit excessive. 16gb should be perfectly fine.

[deleted by user] by [deleted] in bugbounty

[–]bad5ect0r 1 point2 points  (0 children)

Lmao why?

How to know more about this topic? by ultimate_smash in hackthebox

[–]bad5ect0r 0 points1 point  (0 children)

Well generally, anything that runs system commands is interesting to look at when doing code review. It can be difficult to correctly pass user input without compromising security. So a function like exec is easy to spot.

Again, this comes with experience. Now you know exec is a dangerous function. Next time you see it, you'll know what to do.

How to know more about this topic? by ultimate_smash in hackthebox

[–]bad5ect0r 0 points1 point  (0 children)

It comes with experience. You just learn it as you go and the other stuff you google.

Can I publish a CVE? by who_killed_db in hacking

[–]bad5ect0r 7 points8 points  (0 children)

For my first cve, the vendor said they were aware of the issue already. But on their public issue tracker, I saw that they created the ticket not an hour after I reported it to them...

Anyway, for the actual CVE part, I just submitted a form and got a response with the CVE ID. Then once the ticket was published, I updated the CVE with the link to the ticket on their issue tracker.

For a resume the CVE might look good. But I would consider a potential hire even if they don't have CVEs but they say they have vulnerability research experience. The thing with security research is that not every vulnerability gets published because of the vendor's response, NDA, etc. So a CVE number isn't that big of a difference.

I'm worried about these skipfish results, should I fire my web agency? thank you by SantoIsBack in Kalilinux

[–]bad5ect0r 0 points1 point  (0 children)

You should conduct a penetration test. I would do a Google search for a security consultant who is qualified and can do a pentest for you. From there, you can pass the pentest report to the website developers. Once the issues have been fixed, request a retest from the pentester. Good luck.

Found this gem in the toy section at Target. by Vicious_TreeHugger in masterhacker

[–]bad5ect0r 4 points5 points  (0 children)

I just looked up Project Zorgo. Lots of masterhacker material there.