IDA Pro is an advanced disassembler that is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail; if it had a vulnerability and the user were attacked, the impact would not only be social but could also affect legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging the vulnerabilities, Hex-Rays's remediation process, and the dialogue I had with them. http://codeblue.jp/en-speaker.html#MasaakiChida
Presented at the Hacktivity 2018 conference - https://www.hacktivity.com/bug-hunting-adobe-experience-manage.
Presentation from Hackfest 2016 describing my experience joining HackerOne and reporting over 100 vulnerabilities in my first 11 months.
Presentation from LevelUp 0x03 conference - https://forum.bugcrowd.com/t/levelup-0x03-aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs-by-0ang3el/
WebDAV implementations are complex and have many vulnerabilities. Hackers should test for XXE issues by sending XML payloads to methods like PROPPATCH and PROPFIND. XXE can be used to read files on the system or perform SSRF. Other issues include CSRF, authentication bypass by overwriting configuration files, and DoS attacks using large payloads. Developers should carefully follow security best practices for XML parsing and input validation when building WebDAV services.
Slides from adaptTo() 2019 - https://adapt.to/2019/en/schedule/securing-aem-webapps-by-hacking-them.html.
This document discusses bug bounty programs (BBPs), which reward security researchers for responsibly disclosing software vulnerabilities. It introduces BBPs, noting they save companies money while improving security. Major companies like Google and Facebook run BBPs. The document outlines prerequisites for BBPs like learning security testing techniques. It provides tips for finding vulnerabilities like understanding a site's scope, tools, and avoiding duplicate reports. Common vulnerability types in BBPs include injection flaws and insecure data storage.
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, PowerShell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and the most interesting events to look for when hunting for evidence of each technique.
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps? All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.
Bug bounty programs involve paying security researchers rewards for finding vulnerabilities in companies' products. To participate, researchers need to understand the target company's products and domains, know which companies offer bounties, and find bugs that are in scope like XSS, SQL injection, or authentication bypasses. Rewards can range from $100 to $20,000. Major companies like Google, Facebook, and Mozilla run bounty programs and have collectively paid over $1 million to researchers. Examples are shown of real bugs found and reported through bounty programs. The conclusion encourages reporting bugs to companies rather than selling vulnerabilities.
My slides from Zero Nights 2017 talk - https://2017.zeronights.ru/report/hunting-for-credentials-dumping-in-windows-environment/
Marshalling Pickles: how deserializing objects can ruin your day. http://frohoff.github.io/appseccali-marshalling-pickles/
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, along with more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of a high customization factor, enabling consulting firms to deploy it all over the world for huge customers. Then came security. Frans will go through some terrible default configuration mistakes, Adobe's love for bad Flash, and how a sysadmin accidentally exposed an international multi-billion-dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He's a frequent blogger at Detectify Labs and a top-ranked participant in bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne. Frans was recently featured as #2 on Hackread's list of 10 Famous Bug Bounty Hunters of All Time, and the results of his security research have been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Slides from the Black Hat USA 2021 Arsenal presentation of remote-method-guesser. Recording: https://youtu.be/t_aw1mDNhzI

remote-method-guesser (rmg) is a Java RMI vulnerability scanner that checks for common misconfigurations on Java RMI endpoints. It combines well-known techniques for RMI enumeration with detection capabilities for lesser-known attack vectors that are often missed. Apart from detecting RMI vulnerabilities, remote-method-guesser can perform attack operations for each supported vulnerability type. The following list shows some of its currently supported operations:

* List available bound names and their interface class names
* List codebase locations (if exposed by the remote server)
* Check for known vulnerabilities (enabled class loader, missing JEP290, JEP290 bypasses, localhost bypass (CVE-2019-2684))
* Identify existing remote methods by using a brute-force (wordlist) approach
* Call remote methods with user-specified arguments (no manual coding required)
* Call remote methods with ysoserial gadgets within the arguments
* Call remote methods with a client-specified codebase (remote class loading attack)
* Perform DGC, registry and activator calls with ysoserial gadgets or a client-specified codebase
* Perform bind, rebind and unbind operations against an RMI registry
* Bypass registry deserialization filters by using An Trinh's registry bypass
* Enumerate the unmarshalling behavior of java.lang.String
* Create Java code dynamically to invoke remote methods manually