2020 (2 posts)
16.09. Patrik’s Bug Bounty 🛠️Tools🛠️ Available as SVG: https://blog.it-securityguard.com/pbbt.svg, PDF: https://blog.it-securityguard.com/pbbt.pdf, XMIND: https://blog.it-securityguard.com/pbbt.xmind, PNG: https://blog.it-securityguard.com/pbbt.png
16.06. How I made more than $30K with Jolokia CVEs Dear Readers – it’s been a while. First and foremost: this blog post is mostly inspired by the Gotham Security write-up jolokia-vulnerabilities-rce-xss. None of what you are about to read is really new; I just found it difficult to find a complete write-up which describes the most common misconfigurations, so I decided to spin … →
2018 (1 post)
05.05. [Tools] Visual Recon – A beginner’s guide 📖Intro📖 During the process of recon you often get thousands of domains you have to look at. A suitable way to decrease the time you spend on each website is to take a screenshot of each one. There are several tools available, such as EyeWitness (https://github.com/ChrisTruncer/EyeWitness) or ScreenShotter (https://github.com/BladeMight/ScreenShotter). Unfortunately, I had issues setting them … →
2017 (3 posts)
2016 (3 posts)
08.09. [BugBounty] Decoding a $😱,000.00 htpasswd bounty tl;dr: A private bug bounty program had a globally readable .htpasswd file. I cracked the DES hash, got access to development and staging environments and was rewarded a shitload of $. [Tools used] dirbuster https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project John http://www.openwall.com/john/ [/Tools used] Today I want to share something with you that I recently discovered in a private Bug Bounty Program. Due … →
11.06. [Research] Phisherman’s Friend – Getting control over a phishing backend Dear Readers, once in a while I enjoy blogging about things unrelated to bug bounties. And so, as it happens, on a quiet Thursday night as I was about to go to bed, I received the following e-mail: Hmmm, an unwanted login from a location near Berlin? My younger brother lives in Berlin, I wondered if … →
17.05. [BugBounty] Sleeping stored Google XSS Awakens a $5000 Bounty Dear Readers, Today I want to share a short write-up about a stored cross-site scripting (XSS) issue I found on the Google Cloud Console. I consider it a lucky find. Some of you may remember the tweet I sent to Frans Rosén after he discovered a vulnerability on Google Payments: As it turned out, among … →
2015
09.10. Digging into the Shopify POS Firmware (Part 1) This content is password protected. To view it, please enter the password.
15.06. [Research] – Stop OSX Spotlight from sending your location Hey dear readers, it’s been a while. tl;dr: How to stop Apple from yelling out your location to their servers. I personally like to use the Searchlight function of OSX; it provides me a fast way to access my files – but it also sends my geolocation to Apple every time I do a search. This blog post will … →
07.01. [BugBounty] PayPal XML Upload Cross Site Scripting Vulnerability Greetings readers, today I want to share with you one of my latest findings on Paypal.com. When creating an invoice, Paypal allows users to upload attachments for the invoice; one attachment type they allow is an XML file. What the developer may have missed here is that you can actually insert HTML into XML files, the namespace … →
2014 (12 posts)
15.12. [BugBounty] Reflected Cross Site Scripting at Paypal.com Dear followers, I found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following payload: &q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E The vulnerable parameter was the q parameter; I was able to break the script context of the page, I think it was because of the &q parameter, … →
10.12. [BugBounty] malicious redirect on mailroom.prezi.com Dear readers, today I want to share a short story of a bug I found on one of Prezi’s subdomains called mailroom.prezi.com. The web server at http://mailroom.prezi.com is configured to redirect users to the login page of Prezi, so far so good; I found out that if you add a domain, let’s say http://mailroom.prezi.com/.anydomain.com, to the end … →
17.11. [BugBounty] Reflected Cross Site Scripting BillMeLater Dear followers, I recently found a reflected Cross Site Scripting issue on a subdomain of BillMeLater (a Paypal acquisition); it was possible to break the style attribute and add malicious JavaScript code into the application. "--></style></ script >< script > alert ("XSS ")</ script > When ending the previous style and script element it was possible … →
17.11. [Research] SSH Honeypot (honey.it-securityguard.com) Dear followers, I’ve recently set up a honeypot tool called Kippo. Kippo runs a virtual SSH environment and tracks all the SSH brute-force attempts on our server. We started the test on the third of November and got about 4000 brute-force attempts on our server; what is remarkable here is that almost all of the logins … →
11.11. [BugBounty] Paypal stored XSS + Security bypass Dear followers, I recently discovered a stored cross site scripting vulnerability on Paypal’s core site. The scenario is a bit weird, but I hope to explain everything as well as possible. During my testing I often create accounts with malicious JavaScript content as the Name, Organization etc. While testing on Paypal I did the … →
05.11. [BugBounty] Paypal DOM XSS main domain Dear followers, I recently discovered a DOM Cross Site Scripting issue while testing on Paypal. The process here was pretty straightforward: if you inserted the payload #“><img src=/ onerror=alert(2)> in the URL, the DOM executed the JavaScript. This vulnerability would have affected all registered Paypal users and could have been used to … →
31.10. [BugBounty] The 5000$ Google XSS Dear followers, I recently searched for vulnerabilities on a Google service called tagmanager; this service is used for SEO operations. My main research was to look for any field that could be vulnerable to Cross Site Scripting, but every field was protected against special characters, as you can see in the image below. So pretty … →
16.10. [BugBounty] Yahoo phpinfo.php disclosure Dear readers, during my research on Yahoo I found a phpinfo.php file information disclosure vulnerability on one of their servers. The server on which I found that particular file was: http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php You might ask yourself how on earth I found this server. Let me explain what I did: Since the scope for the vulnerability program of … →
02.10. [WordPress] 3x vulnerable Chat Plugins Dear followers, during an installation for one of our customers, we had to install a suitable chat plugin for WordPress. There are a lot of them, but we decided to choose the first one in the row. Due to the fact that we like security, we of course tested the plugins against some … →
17.06. Google Chrome Security: Multiple leading slashes in URLs may confuse some server-side XSS filters Today I reported a strange bug to the devs of the Chromium Project. Look at the following lines of code: <html> <script src=http:\\\\\\\\\\\\monitor.it-securityguard.com\\\\\\\\\\\\\test.js> </script> </html> You see those leading slashes? Do you think that this is a valid URL a browser would process? In fact it does not look like a valid … →
21.05. [Bug Bounty] Prezi (map.prezi.com) Path Traversal Dear Readers, short story: I discovered a Path Traversal issue on one of Prezi’s domains. Timeline: Mail received 05/18/2014 21:01:00; fixed 05/20/2014. Hi Patrik, Thanks again for your submission, you were the first to report this issue and we deployed our fix, therefore you are eligible for a $1000 reward. Congrats! We would … →
20.04. [Bug Bounty] A Tale of 7 Vulnerabilities Dear Readers, today I want to share my story on how I want to buy my new laptop (a MacBook Pro would be cool). The notebook costs around 1700$, and with the help of bug bounty money I want to buy it $$$. So what I’ve done first is to look at a list of bug … →
2013 (8 posts)
11.11. We’re on heise.de [German] found 160 Sites Vulnerable to XSS Dear readers, we recently found 160 sites of the German finance system vulnerable to reflected cross site scripting. We sent the information to the well-known IT news site heise.de, and they sent it to the CERT Team Bund (Computer Emergency Response Team). http://www.heise.de/security/meldung/Viele-Finanzaemter-mit-unsicheren-Websites-2039317.html
06.07. PHP 5.3.3-5.3.6 Exploit + Bind Shell Dear Readers, PHP 5.3.3-5.3.6 is still used and it’s very easy to exploit. All you need to do is find a way to upload a PHP file to the server, then call it. The payload is a bind TCP shell opening a port on the server between 4000 – 4500; to find the open one just use … →
06.07. How to reset Root Password on Ubuntu/Debian Today we want to talk about resetting the root password on Ubuntu/Debian Linux. The first step is to boot up your system and pause at the GRUB bootloader. Select the recovery mode (the second one) and press e to edit the boot commands. At the end of initrd=/install/initrd.gz add init=/bin/bash After that press Ctrl+X to restart the machine … →
07.05. From nobody to Root Advanced SQL-Injection Dear readers, today I’m going to write about a SQL injection which led to full control over a server. The target was a login form with a SQL injection in the Password parameter. By guessing the username “Admin” and the password ' the well-known SQL error came up. From this point I knew that there is … →
16.03. Kali Linux – The most advanced penetration testing distribution In the last few days the new version of the former BackTrack, Kali Linux, was released. You can get a copy from here: http://www.kali.org/downloads/ We will post some tutorials regarding Kali during the next weeks, stay tuned for more. Best wishes, The IT-Securityguard Team
10.03. iTunes debugging disabling ptrace with LLDB First of all, if we’ve gained a crash in iTunes we need a debugger to see where the actual crash is happening. Xcode comes with a gdb-like Darwin debugger, which is a good place to start. You can simply start iTunes by running it with sh-3.2# gdb /Applications/iTunes.app/ The next thing you will see … →
03.03. SQL-Injection Article Admin Magazine For all the UK / North America and Australia folks, the Admin Magazine with our article on SQL Injection will be available on: UK/Europe: February 18; North America: March 15; Australia: April 15. Best wishes! The IT-Securityguard Team
20.01. [BugBounty] Yahoo phpinfo.php disclosure This content is password protected. To view it, please enter the password.