love these videos for someone who's new to infosec like me! thank you good sir.
Glad you like them! And thank-you!
2:36 thanks for the idea. This video helped me in getting a bounty.
\o/
RUclips didn't push notify me about this and now I'm mad
😂😂 missed again, thanks for putting informational stuff
More to come!
Thanks for this amazing information
I really appreciate ❤️🙏
My pleasure 😊
Hi @Codingo. At 1:55 you explained how we report a P2 DoS. I followed the same steps and reported account lockout, user enumeration and the process to automate it. It's a critical P2 bug as you said, but the program says that it's by design and an acceptable risk. So now the P2 is simply a P5? Can a program mark any P1 or P2 as acceptable risk and not reward the researcher? Can you please clarify this? :)
It sounds like you're lacking the impact that you think you have (given the customer has taken it on board as acceptable business risk). I'm assuming the user enumeration you have is via brute force, and not an immediate reveal of all users, and likely there's a lockout you didn't expect? If you can drop the sub ID to me on Twitter (@codingo), I'll review and provide more context for you, but my first impression is this likely isn't what you think it is.
@codingo Hi. Yes, the user enumeration part is via the password reset option. It leaks whether the account exists or not. Anyway, I have messaged you the sub ID on Twitter from (@ImVikram7msd). If you have time please have a look and give a review so that I will not submit this type of bug in future. Thanks for your time. :) You can ignore my previous DM messages.
Yo, what happened, still P5?
@Shrey1g Yup. They never checked it.
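The thread above turns on a password-reset endpoint that "leaks whether the account exists or not". The following is an added example (it is not code from the video, the program in question, or anyone in the thread) that models that oracle in a few lines: a leaky handler, a hardened handler that answers identically for known and unknown addresses, and the two-request comparison a triager would run to confirm the oracle. The account list, the messages, and the function names are constructed for illustration.

```python
# Added example, not from the video or the thread: a minimal model of a
# password-reset user-enumeration oracle and its uniform-response fix.
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample account store; a real application would query its user table.
ACCOUNTS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def request_reset_leaky(email: str) -> Response:
    """Vulnerable pattern: the reply differs depending on whether the account
    exists, so one unauthenticated request confirms or denies any address."""
    if email.lower() in ACCOUNTS:
        return Response(200, "A password reset link has been sent to your email.")
    return Response(404, "No account found for that email address.")


def request_reset_uniform(email: str, outbox: Optional[List[str]] = None) -> Response:
    """Hardened pattern: the reply is identical for existing and unknown
    accounts. The side effect (queueing the email) still happens, but only
    out of band, so nothing in the HTTP response reveals it."""
    if email.lower() in ACCOUNTS and outbox is not None:
        outbox.append(email.lower())  # stands in for queueing the reset email
    return Response(200, "If an account exists for that address, a reset link has been sent.")


def is_enumeration_oracle(handler: Callable[[str], Response],
                          known_email: str, unknown_email: str) -> bool:
    """Triage check: send one request for an address known to exist and one
    for an address that does not, and compare the visible responses. Any
    difference in status code or body is a user-enumeration oracle."""
    known = handler(known_email)
    unknown = handler(unknown_email)
    return (known.status, known.body) != (unknown.status, unknown.body)


if __name__ == "__main__":
    probe = ("alice@example.com", "nobody@example.com")
    print("leaky handler is an oracle:", is_enumeration_oracle(request_reset_leaky, *probe))
    print("uniform handler is an oracle:", is_enumeration_oracle(request_reset_uniform, *probe))
```

Two caveats a practitioner would add to such a report: a uniform body does not by itself remove a timing difference between the two branches (the hardened handler above still does different work for a known address), and whether the remaining signal is paid as a P2 is, as the thread shows, a program decision about accepted business risk rather than a property of the code.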
Thank you so much sir
This is a helpful video ❤️❤️❤️❤️
Most welcome!
Please make more and more videos 🤜🤛
That's the plan!
great video
Thank you!!
Nice Video
Thank-you!
Yeah, it's really, really short videos for yours!!!!!
Hi,
Can you turn on the subtitles, please. :) :D
Working on it! Normally takes a couple of days until I can get them up as I pay to get them done
SECOND!
...ah, crap
Make the next one about API keys, including those of Google; people have split opinions on the impact of a Google Maps API key. Personally I think they're valid if the service that they can be used on is proven and that service has a fee that costs the company. You once told me in a report that Google limits the requests per day, but what about in the long run?
I can confirm they're not valid (on any platform, not just Bugcrowd), but it's nuanced and given we explored this in an internal project I'm unsure how deeply I can cover it without exposing internally gained knowledge, but I'll check/see if I can post about it.
@codingo That's interesting, because Intigriti accepts them as valid; there's actually research being done on using the keys on more than just map services, such as FCM, Google Cloud etc.
I don't see many programs explicitly stating them to be out of scope either (there are some that list it, but I think I've only seen 2, Redbull one of them). Maybe a chat with @ozgur_bbh will provide help with more information regarding the topic, unless you've already done so.
His blog made it to PortSwigger, so it's really confusing to come up with a conclusion to the simple question of "is it valid?" yes/no.
@alph4byt3 I hear you, but I disagree on the impact: they are invalid. We've spoken to Google about this directly and gone deep down the rabbit hole on it. I anticipate that as Intigriti does the same, they will handle these just like Bugcrowd/HackerOne do. The cases on adjacent services are a separate issue, and the majority of people would read your/my comment as speaking about the main cases and the impact these keys will have (as they should). I can't address every edge case in a more limited response here, but feel free to DM me on Twitter if you want to dig into it. For the most part, though, those providing advice to go looking for it aren't giving good advice.
@codingo Fair enough, I can see where you're coming from. I can't say I have a lot to offer on the subject other than my own experience, but I fully respect your judgment and advice.
CVE-2018-6389?
Mentioned in here as wp-scripts. It's also P5 / not valid.
@codingo But the CVSS score is 7.5.
@vishnurajkvraj CVSS is a fixed point in time, and at that point in time that was the case, but in today's context (and in the majority of applications) it doesn't have any impact. It's also distributed in nature only with the majority of web server configs, which drops the CVSS rating _significantly_ when taken into consideration.
@codingo 👍 🙂
FIRST
🤣
3rd 😀
First !
Too slooooow @hakluke got you there!
@codingo Should write a script then 😂