Mortgage with Bug Bounties — Week 2

Jess
2 min read, Feb 12, 2021

2/5/21

Spent 20 mins responding to questions in Twitter DMs, trying to help people with issues, probably just making it worse for them.

Blogs Read

Learned about this tool:
https://github.com/dnSpy/dnSpy

Spent 2 hours in the afternoon trying to create an account on a site to show something wasn’t a dupe, it took forever, but I got the proof.
Now just waiting for glassofbeer to re-open the ticket.
Spent 1 hour at night working on a 2-day h1c and found a little IDOR that will probably dupe.

2/6/21

1 hr to find a site erroring out while loading content, as the site was unclaimed.
Registered the site and can now serve content.

1 hr to fiddle with business logic errors on checkout

2/7/21

Beat head against wall for 2 hrs and got no new bugs.

Joined a small Discord group and looking forward to collaborating a bit there. Julian is there as well, so I know there is some talent in the group.

2/8/21

Swapped back to an old program

Blogs Read

https://0xfabiof.github.io/stored-xss-tw/
https://logicbomb-1.medium.com/otp-bypass-account-takeover-to-admin-panel-ft-header-injection-16f2982a0136
https://medium.com/@zonduu/idor-in-session-cookie-leading-to-mass-account-takeover-d815ff3732d5

Resources noted:
https://github.com/ziadab/AdminBomber/blob/master/AdminBomber.py
https://github.com/s0md3v/Breacher/blob/master/paths.txt

2/9/21

Worked on simple auth bugs for a couple of different programs; one takes some 15 mins for changes to propagate, so I work on the other while waiting.

2hrs of testing

2/10/21

https://labs.detectify.com/2021/01/15/how-i-hijacked-the-top-level-domain-of-a-sovereign-state/
https://emanuel-beni.medium.com/stored-xss-on-product-description-high-400-2f078fd70fd2
https://shellbr3ak.medium.com/the-story-of-my-first-critical-bug-93a5920d6c43

0.75 hrs of testing auth issues

2/11/21

3 hrs of testing auth issues

Weekly Wrap Up

Biggest payments this week were $1.5k for found prod creds and $750 for an IDOR.

https://www.tablesgenerator.com/text_tables