<p>Bug Bounty World (https://bugbountyworld.com/feed.xml): Making bugbounty community more open and connected. Feed author: Pranav Hivarekar. Feed generated by Jekyll, 2020-04-17T16:23:51+00:00.</p>
<h1>EOC - Post #1 (2017-08-17)</h1>
<p>https://bugbountyworld.com/eoc-post-1</p>
<h1 id="tip">Tip</h1>
<p><strong>White-box testing keywords mega list</strong></p>
<p>Here is a list of keywords to look for when reading source code.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>api
api_key
api_secret_key
secret_key
secret
BEGIN
PRIVATE
private
PRIVATE_KEY
private_key
key
token
CSRF
Arrays.equals
HMAC
random
mt_rand
rand
random.org
iv
encrypt
crypt
MCRYPT
RIJNDAEL
MCRYPT_RIJNDAEL_256
ECB
ecb
password
passwd
pass
hash
hashlib
hashed
md5
sha1
sha-1
sha2
sha-2
salt
bcrypt
$2a$
PBKDF2
blake2
CVE
vulnerable
stackoverflow
SO
base64
Base64
admin
rot13
tmp
system
exec
popen
backtick operator
pcntl_exec
eval
preg_replace
create_function
exec
passthru
system
shell_exec
popen
proc_open
pcntl_exec
assert
preg_replace('/.*/e',
create_function
include
include_once
require
require_once
$_GET
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid
extract
parse_str
putenv
ini_set
mail
header
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
chmod
chown
shell=True
pickle.loads
yaml.load
debug
DebuggedApplication
Debug=True
evalex=True
Math.random
</code></pre></div></div>
<p>The keyword text file can be found here: http://bugbountyworld.com/other/keywords.txt.</p>
<h1 id="challenge">Challenge</h1>
<p>Write a script that greps source code for these keywords and writes every hit, together with its file name and line number, to an output file.</p>
<p>Here are the different categories that you can compete in:</p>
<ul>
<li>Smallest script.</li>
<li>Most obscure language.</li>
<li>Fastest script.</li>
<li>Most user-friendly.</li>
</ul>
<p>I will test the scripts against:</p>
<ul>
<li>https://github.com/clarkio/vulnerable-app</li>
<li>https://github.com/adamdoupe/WackoPicko</li>
</ul>
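<p>One way to solve the challenge, as an added example (not one of the submitted solutions and not code from bugbountyworld.com): a Python scanner that compiles the keyword list into a single regular expression and records each hit as file, line number, matched keyword and source line. The subset of keywords, the file suffix list and the sample PHP file are constructed for this example; the full list is the keywords.txt file linked above. Keywords that start or end with a word character are anchored on word boundaries, so <code>key</code> does not fire on <code>keyboard</code>; entries carrying punctuation such as <code>$2a$</code> or <code>shell=True</code> are matched literally. Matching is case-sensitive because the list deliberately carries both spellings (<code>ECB</code> and <code>ecb</code>, <code>PRIVATE</code> and <code>private</code>).</p>

```python
"""Keyword grep for white-box review (added example, not the post's own code).

Hits are (path, line number, matched keyword, source line) and are written
out as path:line:keyword: source, one per line.
"""
import re
from pathlib import Path

# Constructed subset of the post's list; the full list is keywords.txt on the site.
KEYWORDS = [
    "api_key", "secret", "PRIVATE_KEY", "key", "token", "iv", "mt_rand",
    "ECB", "md5", "password", "salt", "$2a$", "eval", "preg_replace('/.*/e',",
    "shell_exec", "$_GET", "extract", "shell=True", "pickle.loads",
    "yaml.load", "Debug=True", "Math.random", "SO",
]


def build_pattern(keywords):
    """Compile one alternation, longest keyword first, so that "api_key" is
    reported in preference to the bare "key" it contains."""
    parts = []
    for kw in sorted(set(keywords), key=len, reverse=True):
        esc = re.escape(kw)
        if re.match(r"\w", kw):      # starts with a word char: anchor on the left
            esc = r"\b" + esc
        if re.search(r"\w$", kw):    # ends with a word char: anchor on the right
            esc += r"\b"
        parts.append(esc)
    return re.compile("|".join(parts))


def scan_text(text, pattern, path="<input>"):
    """Return (path, lineno, keyword, stripped source line) for every match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append((path, lineno, m.group(0), line.strip()))
    return hits


def scan_tree(root, pattern, suffixes=(".php", ".py", ".js", ".rb", ".java", ".html")):
    """Walk a checkout (for example one of the two test repositories) and scan
    every file whose suffix is in the constructed list."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            hits.extend(scan_text(p.read_text(errors="replace"), pattern, str(p)))
    return hits


def format_hits(hits):
    """Render hits as path:line:keyword: source."""
    return [f"{path}:{lineno}:{kw}: {src}" for path, lineno, kw, src in hits]


def write_report(hits, out_path):
    """Write the formatted hits to out_path; returns the number of lines written."""
    lines = format_hits(hits)
    Path(out_path).write_text("".join(line + "\n" for line in lines))
    return len(lines)


# Constructed sample input; not taken from either test repository.
SAMPLE_PHP = """<?php
$api_key = 'not-a-real-value';   // credential assignment
$cmd = $_GET['cmd'];
echo shell_exec($cmd);          // command injection sink
$h = md5($password . $salt);    // weak password hashing
$keyboard = 'qwerty';           // keyboard must not match
$iv = substr($secret, 0, 16);   // static IV
"""

if __name__ == "__main__":
    import sys
    pat = build_pattern(KEYWORDS)
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1], pat)      # python3 grep_keywords.py path/to/checkout
    else:
        hits = scan_text(SAMPLE_PHP, pat, "sample.php")
    print("\n".join(format_hits(hits)))
```

<p>Run it against a checkout directory to produce the report, or with no argument to scan the embedded sample. The word-boundary anchoring is the part worth keeping: short entries such as <code>key</code>, <code>pass</code>, <code>iv</code> and <code>SO</code> otherwise match inside ordinary identifiers and bury the real hits.</p>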
<h1 id="rules">Rules</h1>
<p>As always the rules are:</p>
<ul>
<li>DM me (@EdOverflow) your solution. Please send me a little write-up so that I can see how you went about solving the challenge.</li>
<li>Do not post solutions in the channel.</li>
<li>You may work in teams to solve the challenge.</li>
<li>Challenges end when at least 5 people have solved the challenge.</li>
<li>If you have questions you can contact me. Please do not ask for solutions before the challenge ends.</li>
</ul>
<h1 id="references">References</h1>
<ul>
<li><a href="https://stackoverflow.com/questions/3115559/exploitable-php-functions">https://stackoverflow.com/questions/3115559/exploitable-php-functions</a></li>
</ul>
<p>Author: EdOverflow (https://twitter.com/EdOverflow). Category: Tip.</p>
<h1>EOC - Post #0 (2017-08-16)</h1>
<p>https://bugbountyworld.com/eoc-post-0</p>
<h1 id="tip">Tip</h1>
<p><strong>Lightweight markup language vulnerabilities</strong></p>
<p>You might be familiar with some lightweight markup languages (LML) such as RubyDoc, Textile and reStructuredText, but have you ever tried finding security issues in them?</p>
<p>First check this <a href="https://en.wikipedia.org/wiki/Lightweight_markup_language#Comparison_of_language_features">table</a> for the features each LML supports. Some LMLs support class and id attributes, which lets injected content reuse the predefined styles (the CSS classes and ids) already present on the target page.</p>
<p><strong>RubyDoc (.rdoc)</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>XSS[JavaScript:alert(1)]
</code></pre></div></div>
<p><strong>Textile (.textile)</strong></p>
<p>Surprisingly, Textile supports a lot of things, including the style attribute.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"Test link":javascript:alert(1)
p(#my-paragraph). This is a paragraph that has an id.
p(myclass). This is a paragraph that has a class.
div(myclass#myid). This div has both a CSS class and an id.
p{font-size: 0.8em}. Small font.
</code></pre></div></div>
<p><strong>reStructuredText (.rst)</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>`Test link`__. __ javascript:alert(document.domain)
</code></pre></div></div>
<p><strong>AsciiDoc (.adoc)</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://example.com[Reverse Tabnabbing^]
</code></pre></div></div>
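<p>The renderer-side fix for the two link problems shown above, as an added example that is not code from RDoc, Textile, docutils or Asciidoctor. A deny-list check such as <code>url.startswith("javascript:")</code> misses the RDoc payload <code>XSS[JavaScript:alert(1)]</code> because the scheme is mixed case, and also misses a URL with leading whitespace or an embedded tab or newline, which browsers strip before parsing. The hardened version normalises the URL the way the browser will and then allow-lists the scheme. The same function adds <code>rel="noopener noreferrer"</code> whenever it emits <code>target="_blank"</code>, which is what the AsciiDoc <code>^</code> payload needs to stop reverse tabnabbing. The allowed-scheme set and the payload list are assumptions constructed for the example; class, id and style attributes need their own allow-listing and are not covered here.</p>

```python
"""Scheme allow-listing and noopener for LML-rendered links (added example)."""
import html
import re

# Assumption: the application only needs these schemes. Adjust per site.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Leading/trailing C0 controls and space that the browser URL parser strips.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_safe(url):
    """The deny-list check that the mixed-case RDoc payload bypasses."""
    return not url.startswith("javascript:")


def normalise_url(url):
    """Mimic the browser's pre-parse steps: strip leading/trailing control
    characters and spaces, then drop ASCII tab, CR and LF anywhere inside."""
    url = url.strip(C0_AND_SPACE)
    return re.sub(r"[\t\r\n]", "", url)


def url_scheme(url):
    """Lower-cased scheme of an already normalised URL, or None if relative."""
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return m.group(1).lower() if m else None


def is_safe_href(url):
    """Allow-list: relative references and the approved schemes only."""
    scheme = url_scheme(normalise_url(url))
    return scheme is None or scheme in ALLOWED_SCHEMES


def render_link(url, text, new_tab=False):
    """Emit the anchor an LML renderer should produce. A blocked scheme
    degrades to plain text; a new-tab link always carries rel=noopener."""
    if not is_safe_href(url):
        return html.escape(text)
    attrs = f'href="{html.escape(normalise_url(url), quote=True)}"'
    if new_tab:
        attrs += ' target="_blank" rel="noopener noreferrer"'
    return f"<a {attrs}>{html.escape(text)}</a>"


# Payloads from the tip plus constructed variants.
PAYLOADS = [
    "JavaScript:alert(1)",                  # RDoc: XSS[JavaScript:alert(1)]
    "javascript:alert(1)",                  # Textile: "Test link":javascript:alert(1)
    " javascript:alert(document.domain)",   # leading space (constructed)
    "java\tscript:alert(1)",                # embedded tab (constructed)
    "http://example.com",                   # AsciiDoc target, legitimate
    "/relative/path",                       # relative reference, legitimate
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:40} naive={naive_is_safe(p)!s:5} hardened={is_safe_href(p)}")
    print(render_link("http://example.com", "Reverse Tabnabbing", new_tab=True))
```

<p>Running the block shows the naive check passing every <code>javascript:</code> variant except the exact lower-case one, while the allow-list blocks them all and still accepts ordinary absolute and relative links. Allow-listing is the right shape here: the set of schemes a page needs is small and known, whereas the set of dangerous spellings is open-ended.</p>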
<h1 id="challenge">Challenge</h1>
<p>You must find the challenge first.</p>
<p><img src="https://i.imgur.com/ANeyQKA.jpg" alt="" /></p>
<blockquote>
<p>Oiusetba elhrk plv xvtm, vhrqpvj jmsaa wr Glycv ws xlms fsaaifw avap klq, nz ph zsermg ws gbzq wlr uweoif vn Phhvh ijdmazb Dvxlhohv. Aulv wkil dmuh vrhlb, ki flvw d qrzadji gv Kbuyf, oqggia pv wki oltob ss h pdui, vunruqvuo klq goiw wlr Tmgleaz erxpq tcwlrl vv wki spmog, wuvcog lr ainh eeta djevuaw kmf nzdqhshbkhv.</p>
</blockquote>
<p>The key is hidden.</p>
<p><em>Tip:</em> The solution is just a text excerpt.</p>
<h1 id="rules">Rules</h1>
<p>As always the rules are:</p>
<ul>
<li>DM me (@EdOverflow) your solution. Please send me a little write-up so that I can see how you went about solving the challenge.</li>
<li>Do not post solutions in the channel.</li>
<li>You may work in teams to solve the challenge.</li>
<li>Challenges end when at least 5 people have solved the challenge.</li>
<li>If you have questions you can contact me. Please do not ask for solutions before the challenge ends.</li>
</ul>
<h1 id="references">References</h1>
<ul>
<li><a href="https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md">https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md</a></li>
<li><a href="https://ysx.me.uk/lightweight-markup-a-trio-of-persistent-xss-in-gitlab/">https://ysx.me.uk/lightweight-markup-a-trio-of-persistent-xss-in-gitlab/</a></li>
<li><a href="https://hackerone.com/reports/213114">https://hackerone.com/reports/213114</a></li>
</ul>
<h1 id="solution-2017-08-17">Solution (2017-08-17)</h1>
<details>
<summary>By <a href="https://twitter.com/uraniumhacker">@uraniumhacker</a></summary>
1) Ed is a troll
<br />
2) The key is literally "hidden"
<br />
3) copy the Vigenère and, for the key, put "hidden"
<br />
4) Solved
</details>
<p>Author: EdOverflow (https://twitter.com/EdOverflow). Category: Tip.</p>