darksecurity.de

Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com

Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com

My experiences with the GiftCards.com Bug Bounty Program

SSCHADV2014-003 - Serendipity 1.7.5 (Backend) - Multiple security vulnerabilities

[Video] - ssl.bing.com - Cross-site Scripting vulnerability

SSCHADV2013-012 - ssl.bing.com - Cross-site Scripting vulnerability

Posted by Stefan Schurtz on Saturday, March 8. 2014

Here are the my last advisory which I’ve reported in 2013 to the Yahoo Bug Bounty Program. And again…the same story for this report as for my others :-/

If you’re interested, you can read it here:

Yahoo-Bug-Bounty-Program-Vulnerability-1-XSS-on-ads.yahoo.com

Yahoo-Bug-Bounty-Program-Vulnerability-2-Open-Redirect

Screenshots:

Video:

Here is my advisory for the XSS on de-mg42.mail.yahoo.com:

Continue reading "Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com"

Posted by Stefan Schurtz on Saturday, March 8. 2014

In Nov ’13 I reported a Cross-site Scripting vulnerability to the Yahoo Bug Bounty Program. As for my other reports, I’ve got no response or feedback, so I wrote a message to them via email this time and so on … blah blah :)

To cut a long story short, for all my reports the communication with Yahoo was really bad and of course: No bounty!

It seems this XSS is fixed, so here is my advisory:

Continue reading "Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com"

Posted by Stefan Schurtz on Tuesday, February 18. 2014

Since November 2013 I reported seven Cross-site Scripting vulnerabilities to the Giftcard Bug Bounty Program. Sadly, only one of them wasn’t a duplicate :-/. Strange? Perhaps, but not impossible given the simplicity of the vulnerabilities.

But, what I really don’t understand: Why do they still work until today?

Continue reading "My experiences with the GiftCards.com Bug Bounty Program"

Posted by Stefan Schurtz on Thursday, February 6. 2014

^Advisory:	Serendipity 1.7.5 (Backend) – Multiple security vulnerabilities
Advisory ID:	SSCHADV2014-003
Author:	Stefan Schurtz
Affected Software:	Successfully tested on Serendipity 1.7.5
Vendor URL:	http://www.s9y.org/
Vendor Status:	fixed

======================
Vulnerability Description
======================

The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities

Continue reading "SSCHADV2014-003 - Serendipity 1.7.5 (Backend) - Multiple security vulnerabilities"

Posted by Stefan Schurtz on Saturday, January 25. 2014

Short video about my advisory SSCHADV2013-012 – ssl.bing.com – Cross-site Scripting vulnerability

December '22

Posted by Stefan Schurtz on Saturday, January 25. 2014

^Advisory:	ssl.bing.com – Cross-site Scripting vulnerability
Advisory ID:	SSCHADV2013-012
Author:	Stefan Schurtz
Affected Software:	Successfully tested on ssl.bing.com
Vendor URL:	http://microsoft.com
Vendor Status:	fixed

======================
Vulnerability Description
======================

The website ‘ssl.bing.com’ is prone to a Cross-site Scripting vulnerability

Continue reading "SSCHADV2013-012 - ssl.bing.com - Cross-site Scripting vulnerability"