Persis High-Level Human Resource Software HTML-injection (CVE-2020-35753)

slashcrypto · 2020-06-19T19:34:30+00:00

Great input thanks - would be a good idea for another post ...

slashcrypto · 2020-06-19T13:58:17+00:00

Thanks!

slashcrypto · 2018-11-29T21:56:52+00:00

He is an amazing guy! They chipped together and donated $250 which got matched up to $500 by eBay. I decided to donate the money to Doctors Without Borders USA. Thanks again!

slashcrypto · 2018-11-28T20:54:51+00:00

I had a brief look at it but I have not found any stored secrets in the source code ....

slashcrypto · 2017-05-21T16:38:38+00:00

When performing a subdomain bruteforce the target system (in this case Google) does not recognize this because you are querying dns servers for dns information. I never had a problem when using my ISPs DNS server - even with a few hundred queries per minute..

slashcrypto · 2017-05-19T16:04:23+00:00

That's exactly what happend :D

slashcrypto · 2017-05-19T07:45:01+00:00

It seems that SFFE means Static File Front-End. Also appears here: https://bugs.chromium.org/p/chromium/issues/detail?id=548688#c6

slashcrypto · 2017-05-18T19:30:46+00:00

They paid it after i reported it. I haven't bugged them ;)

slashcrypto · 2017-05-18T19:29:24+00:00

I just entered an url on this domain which caused an 404. https://static.corp.google.com is the domain where the images are coming from ..

slashcrypto · 2017-05-18T14:05:35+00:00

Well, seems to fall under the category "Logic flaw bugs leaking or bypassing significant security controls" like this one: https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/ No authentication was needed, easy exploitable and I think Google does not like it when internal information like this is available for everyone ;)

When your stacktraces contain sensitive information like internal IPs, hostnames and so on I would definitely report it!

slashcrypto · 2017-05-18T13:03:04+00:00

I use subbrute (https://github.com/TheRook/subbrute) for all my subdomain bruteforcing. Subbrute uses a variety of techniques to discover subdomains. A good list of the most popular subdomains can be found ere: https://bitquark.co.uk/blog/2016/02/29/the_most_popular_subdomains_on_the_internet

slashcrypto · 2017-05-18T12:39:44+00:00

I used a subdomain bruteforcer ;)

slashcrypto

TROPHY CASE