underground.org.mx
0
  • Febrero 22, 2020, 07:18:23 pm
  • Bienvenido(a), Visitante
Por favor ingresa o regístrese.

Ingresar con nombre de usuario, contraseña y duración de la sesión
Búsqueda Avanzada  

Mostrar Mensajes

Esta sección te permite ver todos los mensajes hechos por este usuario, recuerda que solo puedes ver los mensajes en áreas en donde tu tienes acceso.

Mensajes - hkm

Páginas: [1] 2 3 4
1
Noticias y Eventos / Beca M3x4s @ DEFCON
« on: Febrero 21, 2020, 09:30:16 am »


Ciber Seguridad es un tema muchas veces estigmatizado, sin embargo, siempre habrá amenazas informáticas y gente que que queremos hacer el Internet y el mundo un lugar más seguro.


¿Qué queremos lograr?

Queremos Becar a 2 Jóvenes promesas de la Ciberseguridad. Es decir, dos estudiantes en la carrera de sistemas o similar, que comparta el gusto por la seguridad. Para que vaya con todos los gasto pagados al ¡DEFCON28 en LAS VEGAS! que será del 6 al 9 de Agosto del 2020.

Esto incluye Avión, Estancia, entrada al evento ($280USD) y un per diem para comidas de $45USD diarios.

¿Quienes podrán participar en el selectivo?

- Estudiantes de cualquier carrera afín a sistemas
- Contar con VISA  y Pasaporte con vigencia para viajar durante el evento
- Ser mayor de edad (18 años)
- Vivir en territorio mexicano (no necesita ser mexican@)
- Hacer un ensayo
- Las bases finales se decidirán entre el grupo de manera democrática

¿Por qué pedimos tu ayuda?

Como lo comentamos más abajo en la sección de "¿Quiénes somos? Simplemente queremos hacer esto por gusto y porque queremos un mundo y un internet más seguro. Todos estaremos apoyando.

 Es por eso que cualquier ayuda será de mucha utilidad y estarás apoyando a jóvenes estudiantes que quizá, de otra manera, no pudieran tener la oportunidad de tener esta experiencia.


¿Quiénes somos?

Somos un grupo de profesionales y aficionados a la ciberseguridad que año con año hacemos presencia en el evento comunitario más importante de seguridad en las vegas: DEFCON.

Somos un grupo multidiciplinario mayoritariamente de México pero tambien hay gente de todas partes de LATAM. La idea es compartir nuestros gustos, ponernos de acuerdo para ir al DEFCON cada año y pasar 4 días de aprendizaje, experiencias y buenos ratos con amigos de antaño y nuevos.

No somos ninguna organización, ni empresa, ni Asociación Civil, ni nada por el estilo, solo amig@s que tenemos algo en común: El gusto por la ciberseguridad y las ganas de seguir aprendiendo.

¿Por qué el DEFCON?

El DEFCON es el evento de ciberseguridad por excelencia, se ha hecho durante 28 años en Las Vegas, es un evento hecho por la comunidad en donde los temas e investigaciones son muy interesantes si quieres saber más sobre el evento puedes consultar su página oficial en www.defcon.org

Más info: ¡Búscame como @GnuOwned twitter y respondo todas tus preguntas!

Soy estudiante ¡Quiero aplicar! ¿Cómo le hago?

La convocatoria y bases las puedes encontrar acá:

https://forms.gle/3pyqQEnjPE9AnndB8

¡Aplica!

2
compilado de los mejores writeup del programa de recompensas del progama de Google Bug bounty (GoogleVRP) https://github.com/xdavidhu/awesome-google-vrp-writeups



# Awesome Google VRP Writeups
🐛 A list of writeups from the Google VRP Bug Bounty program

*\*writeups: **not just** writeups*

## Contributing:

If you have/know of any Google writeups not listed in this repository, feel free to open a Pull Request. If the writeup is new, add it to the top of the list, if it is not, to the end.

The template to follow when adding new writeups:
```
- [TITLE](URL) by [NAME](TWITTER_URL)
```
*If no Twitter account is available, try finding something similar, like other social media page or website.*

### Contributors:
[David Schütz](https://twitter.com/xdavidhu), [Alex Birsan](https://twitter.com/alxbrsn), `YOUR_NAME_HERE`

Thank you! 🎉

## Blog posts:
- [$36k Google App Engine RCE](https://www.ezequiel.tech/p/36k-google-app-engine-rce.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [How I hacked Google’s bug tracking system itself for $15,600 in bounties](https://medium.com/@alex.birsan/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5) by [Alex Birsan](https://twitter.com/alxbrsn)
- [XSS in GMail’s AMP4Email via DOM Clobbering](https://research.securitum.com/xss-in-amp4email-dom-clobbering/) by [Michał Bentkowski](https://twitter.com/SecurityMB)
- [$10k host header](https://www.ezequiel.tech/p/10k-host-header.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Into the Borg – SSRF inside Google production network](https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/) by [Enguerran Gillier](https://twitter.com/opnsec)
- [SSRF in Google Cloud Platform StackDriver](https://ngailong.wordpress.com/2019/12/19/google-vrp-ssrf-in-google-cloud-platform-stackdriver/) by [Ron Chan](https://twitter.com/ngalongc)
- [$7.5k Google services mix-up](https://www.ezequiel.tech/p/75k-google-services-mix-up.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Google Bug Bounty: LFI on Production Servers in “springboard.google.com” – $13,337 USD](https://omespino.com/write-up-google-bug-bounty-lfi-on-production-servers-in-redacted-google-com-13337-usd/) by [Omar Espino](https://twitter.com/omespino)
- [Bypassing Google’s authentication to access their Internal Admin panels](https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3) by [Vishnu Prasad P G](https://twitter.com/vishnuprasadnta)
- [Creative bug which result Stored XSS on m.youtube.com](http://sasi2103.blogspot.com/2015/12/creative-bug-which-result-stored-xss-on.html) by [Sasi Levi](https://twitter.com/sasi2103)
- [$7.5k Google Cloud Platform organization issue](https://www.ezequiel.tech/2019/01/75k-google-cloud-platform-organization.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Gsuite Hangouts Chat 5k IDOR](https://secreltyhiddenwriteups.blogspot.com/2018/07/gsuite-hangouts-chat-5k-idor.html) by [Cameron Vincent](https://twitter.com/secretlyhidden1)
- [$5k Service dependencies](https://www.ezequiel.tech/p/5k-service-dependencies.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Open redirects that matter](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter) by [Tomasz Bojarski](https://bughunter.withgoogle.com/profile/c25fa487-a4df-4e2e-b877-4d31d8964b82)
- [Google VRP : oAuth token stealing](http://bugdisclose.blogspot.com/2017/08/google-vrp-oauth-token-stealing.html) by [Harsh Jaiswal](https://twitter.com/rootxharsh)
- [Combination of techniques lead to DOM Based XSS in Google](http://sasi2103.blogspot.com/2016/09/combination-of-techniques-lead-to-dom.html) by [Sasi Levi](https://twitter.com/sasi2103)
- [Unauth meetings access](https://sites.google.com/securifyinc.com/vrp-writeups/google-meet/authorization-bugs) by [Rojan Rijal](https://twitter.com/mallocsys)
- [Deleting/Altering All Google Cloud Budget Monitors](https://secreltyhiddenwriteups.blogspot.com/2019/12/deletingaltering-all-google-cloud.html) by [Cameron Vincent](https://twitter.com/secretlyhidden1)
- [Youtube Editor XSS Vulnerability](https://jasminderpalsingh.info/youtube-editor-stored-dom-based-and-self-executed-xss-vulnerability/) by [Jasminder Pal Singh](https://twitter.com/Singh_Jasminder)
- [Google bugs stories and the shiny pixelbook](https://bughunt1307.herokuapp.com/googlebugs.html) by [Missoum Said](https://twitter.com/missoum1307)
- [$500 getClass](https://www.ezequiel.tech/p/500-getclass.html) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Google Webmaster Markup Helper Framed Application XSS](https://jasminderpalsingh.info/google-webmaster-markup-helper-framed-application-xss/) by [Jasminder Pal Singh](https://twitter.com/Singh_Jasminder)
- [Voice Squatting & Voice Masquerading Attack against Amazon Alexa and Google Home Actions](https://sites.google.com/site/voicevpasec/) by ???
- [Stored XSS on biz.waze.com](https://sites.google.com/securifyinc.com/vrp-writeups/waze/waze-xss) by [Rojan Rijal](https://twitter.com/mallocsys)
- [XSSing Google Code-in thanks to improperly escaped JSON data](https://appio.dev/vulns/google-code-in-xss/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [Writeup for the 2019 Google Cloud Platform VRP Prize!](https://medium.com/@missoum1307/writeup-for-the-2019-google-cloud-platform-vrp-prize-4e104ef9f204) by [Missoum Said](https://twitter.com/missoum1307)
- [Blind XSS against a Googler](https://sites.google.com/securifyinc.com/vrp-writeups/hire-with-google/blind-xss) by [Rojan Rijal](https://twitter.com/mallocsys)
- [Youtube XSS Vulnerability [Stored -> Self Executed]](https://jasminderpalsingh.info/youtube-xss-vulnerability-stored-self-executed/) by [Jasminder Pal Singh](https://twitter.com/Singh_Jasminder)
- [How I could have hijacked a victim’s YouTube notifications!](https://hackademic.co.in/youtube-bug/) by [Yash Sodha](https://twitter.com/y_sodha)
- [Bypassing Firebase authorization to create custom goo.gl subdomains](https://appio.dev/vulns/bypassing-firebase-authorization-to-create-custom-goo-gl-subdomains/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [Multiple XSSs on hire.withgoogle.com](https://sites.google.com/securifyinc.com/vrp-writeups/hire-with-google/xsses) by [Rojan Rijal](https://twitter.com/mallocsys)
- [Reflected XSS in Google Code Jam](https://appio.dev/vulns/reflected-xss-in-google-code-jam/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [Auth Issues on hire.withgoogle.com](https://sites.google.com/securifyinc.com/vrp-writeups/hire-with-google/auth-issues) by [Rojan Rijal](https://twitter.com/mallocsys)
- [Waze remote vulnerabilities](http://blog.appscan.io/index.php/2018/05/25/waze-remote-vulnerability-technical-report/) by [PanguTeam](https://twitter.com/PanguTeam)
- [Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org](https://appio.dev/vulns/stored-xss-in-webcomponents-org/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [G Suite - Device Management XSS](https://sites.google.com/securifyinc.com/vrp-writeups/gsuite/bookmark-xss-device-management) by [Rojan Rijal](https://twitter.com/mallocsys)
- [XSS in YouTube Gaming](http://respectxss.blogspot.com/2015/10/xss-in-youtube-gaming.html) by [Ashar Javed](https://twitter.com/soaj1664ashar)
- [Exploiting Clickjacking Vulnerability To Steal User Cookies](https://jasminderpalsingh.info/exploiting-google-clickjacking-vulnerability-to-steal-user-cookies/) by [Jasminder Pal Singh](https://twitter.com/Singh_Jasminder)
- [Inserting arbitrary files into anyone’s Google Earth Projects Archive](https://appio.dev/vulns/google-earth-studio-vulnerability/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [Stored, Reflected and DOM XSS in Google for Work Connect (GWC)](http://respectxss.blogspot.com/2016/02/stored-reflected-and-dom-xss-in-google.html) by [Ashar Javed](https://twitter.com/soaj1664ashar)
- [Clickjacking DOM XSS on Google.org](https://appio.dev/vulns/clickjacking-xss-on-google-org/) by [Thomas Orlita](https://twitter.com/ThomasOrlita)
- [Billion Laugh Attack in https://sites.google.com](https://blog.intothesymmetry.com/2018/12/billion-laugh-attack-in.html) by [Antonio Sanso](https://twitter.com/asanso)
- [Again, from Nay to Yay in Google Vulnerability Reward Program!](https://blog.yappare.com/2014/01/again-from-nay-to-yay-in-google.html) by [Ahmad Ashraff](https://twitter.com/yappare)
- [I hate you, so I pawn your Google Open Gallery](https://blog.yappare.com/2014/08/i-hate-you-so-i-pawn-your-google-open.html) by [Ahmad Ashraff](https://twitter.com/yappare)
- [XSRF and Cookie manipulation on google.com](https://blog.miki.it/2013/9/15/xsrf-cookie-setting-google/) by [Michele Spagnuolo](https://twitter.com/mikispag)
- [The 5000$ Google XSS](https://blog.it-securityguard.com/bugbounty-the-5000-google-xss/) by [Patrik Fehrenbach](https://twitter.com/itsecurityguard)

## Videos:
- [Best Of Google VRP 2018](https://www.youtube.com/watch?v=mJwZfRXs83M) by [Daniel Stelter-Gliese](https://ch.linkedin.com/in/daniel-stelter-gliese-170a70a2)
- [Great Bugs In Google VRP In 2016](https://www.youtube.com/watch?v=zs_nEJ9fh_4) by [Martin Straka and Karshan Sharma](https://nullcon.net/website/goa-2017/about-speakers.php)
- [Google Cloud Platform vulnerabilities](https://www.youtube.com/watch?v=9pviQ19njIs) by [Ezequiel Pereira](https://twitter.com/epereiralopez)
- [Google Paid Me to Talk About a Security Issue!](https://www.youtube.com/watch?v=E-P9USG6kLs) by [LiveOverflow](https://twitter.com/LiveOverflow/)
- [War Stories from Google’s Vulnerability Reward Program](https://www.youtube.com/watch?v=QoE0M7v84ZU) by [Gábor Molnár](https://twitter.com/molnar_g)
- [Secrets of the Google Vulnerability Reward Program](https://www.youtube.com/watch?v=ueEsOnHJZ80) by [Krzysztof Kotowicz](https://ch.linkedin.com/in/kkotowicz)
- [XSS on Google Search - Sanitizing HTML in The Client?](https://www.youtube.com/watch?v=lG7U3fuNw3A) by [LiveOverflow](https://twitter.com/LiveOverflow/)

3
Noticias y Eventos / OWASP Vancouver [Febrero 20]
« on: Enero 28, 2020, 11:28:48 am »
https://www.eventbrite.ca/e/owasp-vancouver-exploit-your-way-through-vulnerabilities-and-learn-application-security-concepts-tickets-90919323143

Description
Overview: want to test your skills in identifying web application vulnerabilities? How about learning and applying real application security concepts? Here is your chance to do so using the CMD+CTRL cyber range, a unique, immersive environment where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defence is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

Requirements: participants will need the following:
• A laptop to connect to the CMD+CTRL website
• Download and install Burp Suite (Community is okay) or OWASP ZAP

Live streaming: not available for this session.

Thank you: we would like to thank Security Innovation for coming to Vancouver and bringing us the CMD+CTRL platform for this session, Hootsuite for hosting and providing pizza + pop, and all the volunteers for helping make this happen!

OWASP Vancouver Web site can be found here, where you can find more info and stay connected with us.

Date And Time
Thu, 20 February 2020

6:00 PM – 9:00 PM PST

Add to Calendar

Location
Hootsuite

5 East 8th Avenue

Vancouver, BC V5T 1R6

Canada

https://www.eventbrite.ca/e/owasp-vancouver-exploit-your-way-through-vulnerabilities-and-learn-application-security-concepts-tickets-90919323143

4
Sin Categoría / Re:Descarga de libros: libgen.is y b-ok.cc
« on: Enero 27, 2020, 11:47:35 am »
Creo que antes de crear subforos podríamos utilizar los foros generales para compartir estos temas y si notamos que requieren su propio espacio les creamos su subforo.

5
Recomiendo mucho el evento. Excelentes talleres, ponencias y abiente. No se lo pueden perder.

En 2017 participé con la ponencia y taller de explotación de vulnerabilidades en Windows. Aún sigo utilizando los scripts que hice para instalar ciertos exploits en metasploit. Si les sirven estan en el gist: https://gist.github.com/hkm/

La presentación es la siguiente:


6
Gracias por la información! Muy completacolección de herramientas. Hay varias que no conocía.

Saludos!

7
Sin Categoría / Descarga de libros: libgen.is y b-ok.cc
« on: Enero 25, 2020, 12:42:40 pm »
The world's largest ebook library.

https://b-ok.cc/

https://libgen.is/


Para convertirlo en formato PDF para Kindle o algún otro dispositivo puedes usar herramientas en línea como  Zamzar o descargar Calibre.


Saludos.

8
Noticias y Eventos / Mexico City IoT Meetup 2020 [Febrero 6]
« on: Enero 25, 2020, 12:33:51 pm »


Salud@s. Ya tenemos fecha y tema para nuestra próxima reunión de IoT.
pwnagotchi.ai
Uso de redes neuronales para escaneo de redes WiFi Activo usando Raspberry Pi.

Referencia: https://pwnagotchi.ai/
PWNAGOTCHI: DEEP REINFORCEMENT LEARNING FOR WIFI PWNING!

Los esperamos.

Thursday, February 6, 2020
7:00 PM to 9:00 PM
KMMX Centro de Capacitación en TI, Web y Mobile

Campeche 300, Piso 1, Condesa, 06100 · México City


Mas información en: https://www.meetup.com/Mexico-City-Internet-of-Things-Meetup/events/268179741/

9
Seguridad y Hacking / Lista de bug bounties del 2020
« on: Enero 20, 2020, 12:41:29 pm »
    (ISC)²
    .nz Registry
    0x Project
    123 Contact Form
    18F
    1Password Game
    23 And Me
    ABN Amro
    Accenture
    Accredible
    Acquia
    Actility
    Active Campaign
    Active Prospect
    ActiVPN
    Adapcare
    Adobe
    Adyen
    Aerohive
    Affiliate Coin
    Aion
    Air Force Mining
    Air VPN
    Airbnb
    Aircloak
    Airdropster
    AIrMiles Shop
    Airswap
    Aisi
    Alcyon
    Algolia
    Alibaba
    Alien Vault
    Aliexpress
    Altervista
    Amara
    Amazon Web Services
    Ancient Brain
    Android
    Android Open Source
    Anghami
    AntiHack
    AOL
    Apache
    Appcelerator
    Apple
    Apple (Dev)
    Appoptics
    Aptible
    Aragon
    Arch Linux
    Ark
    ARM mbed
    Armis
    Artifex
    Artsy
    Asana
    Asterisk
    Asus
    AT&T
    Atlassian
    Augur
    Auth0
    AuthAnvil
    Automattic
    Avast!
    Aventus
    Aventus Protocol Foundation
    Avesta
    Avira
    Badoo
    Bancor
    Barracuda Networks
    Base
    Basecamp
    BASF
    Battle.Net
    Beamery
    Beanstalk
    Belastingdienst
    Belden
    Belgian Rail
    Belgium Telenet
    Betcoin
    Beyond Security
    Bime
    BiMserver
    Binance
    Binary.com
    Bing
    Bit My Money
    BitAccess
    BitBNS
    Bitcoin
    Bitcoin.DE
    BitDefender
    Bitonic
    Bitpay
    Bittrex
    BItwage
    BitWarden
    Bizmerlin
    BL3P
    Blackboard
    Blackcoin
    Blesta
    BlinkSale
    Blockchain
    Blockchain Technology Research Innovations Corporation (BTRIC)
    Blogger
    Booking.com
    Bosch
    Boston Scientific
    Bounty Guru
    BountyFactory
    BountySource
    Box
    Boxug
    Braintree
    BRD
    BTX Trader
    Buffer
    Bug Crowd
    Bynder
    C2FO
    C2L
    Campaign Monitor
    Cappasity
    Carbon Black
    Card
    Cargocoin
    Carnegie Mellon University Software Engineering Institute
    Cayan
    Central NIC
    Centrify
    CERT EU
    Chalk
    ChargeOver
    Chargify
    Chase
    Chiark
    Chill Project
    Chrome
    ChronoBank
    CircleCi
    Cisco
    Cisco Meraki
    CJIB
    ClickUp
    Clojars
    Cloudflare
    Coalition Inc
    Cobalt
    Code Climate
    Codex WordPress
    Coin Janitor
    Coinbase
    Coindrawer
    Coinhive
    CoinJar
    Coinpayments
    CoinSpectator
    CoinStocks
    CoinTal
    Commons Ware
    Compose
    Constant Contact
    CoreOS
    Coupa
    CPanel
    Craigslist
    Credit Karma
    Crowdfense
    CrowdShield
    Crypto Angel
    CryptoNinja
    Customer Insight
    Custos Tech
    CyLance
    Danske Bank
    Dash
    Dato Capital
    De Nederlandsche Bank
    de Volksbank
    Debian Security Tracker
    Deco Network
    Deconf
    Defensie
    Deliveroo
    DeliveryHero
    Dell
    Deribit
    Detectify
    Deutsche Telekom
    Digital Ocean
    Discord App
    Discourse
    Distilled ODN
    Django
    DJI
    DNN Corporation
    DNSimple
    Docker
    DOD
    DoorKeeper
    DPD
    Drager
    Drchrono
    DropBox
    Drupal
    Duo Labs
    Duo Lingo
    Duo Security
    Dyson
    eBay
    Eclipse
    ee.Oulo
    eero
    Electronic Arts (Games)
    Electronic Frontier Foundation (EFF)
    Eligible
    EMC
    Emptrust
    Enterprise XOXO Today
    Envato
    Erasmus
    ESEA
    ESET
    Ethereum bounty
    Etherscan
    ETHfinex
    ETHLend
    ETHNews
    EthnoHub
    ETHorse
    Etsy
    EVE
    Event Espresso
    Eventbrite
    Evernote
    Evident
    Expatistan
    Express VPN
    ExpressIf
    Expression Engine
    F Secure
    Facebook
    FanDuel
    FastMail
    FCA
    Firebase
    Firebounty
    Fireeye
    First
    FitBit
    FlexiSPY
    FlexLists
    Flow Dock
    Fluxiom
    Fog Creek
    Foursquare
    Fox IT
    Foxycart
    Free Software Foundation
    Freedom of Press
    Freelancer
    FreshBooks
    FUGA CLOUD
    Gamma
    Garanti Bank
    Garmin
    GateCoin
    GateHub
    Gemfury
    Genesis ICO
    Ghost
    Ghostscript
    Gimp
    Github
    Gitlab
    GlassWire
    GLX
    Gnome
    Gnosis
    GoDaddy
    GolemProject
    Google
    Google PRP
    Google PRR
    Grabtaxi Holdings Pte Ltd
    Greenhouse Software Inc
    Grok Learning
    Guidebook
    Hackenproof
    Hackerearth
    HackerOne
    Hackner Security
    Harmony
    Havest
    HelloSign
    Help Scout
    Heroku
    Hex-Rays
    HID Global
    Hidester
    Hirschmann
    HIT BTC
    Honeycomb
    Honeywell
    Honour
    Hootsuite
    Hostinger
    HTC
    Huawei
    Humble Bundle
    Hunter
    Hybrid Saas
    HyperLedger
    I SIgn This
    IBM
    Icon Finder
    ICS
    ICT Institute
    iFixit
    IIT-G
    IKEA
    Imgur
    Impact Earth
    Indeed
    Indorse
    Inflectra
    InfoPlus Commerce
    Infovys
    ING
    Instacart
    Instamojo
    Instasafe
    Instructure
    IntegraXor (SCADA)
    Intel
    Intercom
    Intercom
    Internet Bug Bounty
    Internetwache
    Intigriti
    Intrasurance
    Invision App
    IOTA
    IPSWitch
    Issuu
    IT BIT
    Jet.com (API)
    JetApps
    Jetendo
    Jewel Payment Tech
    Joomla
    jruby
    JSE Coin
    Jumplead
    Juniper
    Kaseya
    Kaspersky
    Keep Key
    Keepass
    Keeper Chat
    Keeper Security
    Keming Labs
    Kentico
    KissFlow
    Kraken
    Kryptocal
    Kuna
    Kyber
    Kyup
    Ladesk
    Lahitapiola
    LastPass
    LaunchKey
    League of Legends
    LeaseWeb
    Ledger
    Legal Robot
    Lenovo
    Leverj
    LibSass
    LifeOmic
    Liferay
    Line
    LinkedIn
    Linksys (Belkin)
    LiveAgent
    Local Bitcoins
    Local Monero
    Logentries
    LZF
    Magento
    Magix AG
    MailChimp
    MailRu
    Malwarebytes
    Manage WP
    Manalyzer
    Martplaats
    Massachusetts Institute of Technology
    MassDrop
    Matomo
    Mattermost
    Maximum
    Mbed
    McAfee
    MediaWiki
    Medium
    Meraki
    Merchant Shares
    Meta Calculator
    Meteor
    Microsoft (bounty programs)
    Microsoft (Online Services)
    Microweber
    Mime Cast
    MIT Edu
    Mobile Vikings
    Mollie
    Monetha
    Moneybird
    Motorola
    Mozilla
    Muchcoin
    My Trove
    MyStuff2 App
    N26
    NCC Group
    NCSC
    NDIX
    Nearby
    NEM
    Nest
    NetApp
    NetBeans
    netf
    Netflix
    Netgear
    New Relic
    NextCloud
    Nimiq
    Nitro Token
    NMBRS
    NN Group
    Nocks
    Nokia Networks
    NordVPN
    Nugit
    Nuxeo
    Nvidia
    NXP
    Oath
    Observu
    OCCRP
    Odoo
    Offensive Security
    Olark
    OneLogin
    Onfido
    Open Bounty
    Open Office
    Open Source University
    Open SUSE
    OpenBSD
    OpenSSL
    OpenText
    OpenVPN
    OpenXchange
    Opera
    Oracle
    Orange
    Orion Health
    Outbrain
    Outreach
    OVH
    OWASP
    Owncloud
    Packet Storm Security
    PagerDuty
    Panasonic Avionics
    Panic
    Panzura
    PaperTrail App
    Paragon Initiative Enterprises
    Parity Tech
    PasteCoin
    Paychoice
    Payiza
    Paymill
    Paypal
    PaySera
    Paytm
    Peerio
    Pentu
    Perl
    Philips
    PHP
    Phrendly
    Pidgin
    Pinoy Hack News
    Pinterest
    Plesk
    Pocket
    POLi Payments
    Polyswarm
    Port of Rotterdam
    PostMark App
    PowerDNS
    Prezi
    Private Internet Access
    Proof Work
    Proto VPN
    Puppet Labs
    PureVPN
    PushWhoosh
    QEMU
    Qiwi
    Qmail
    Qualcomm
    Quantopian
    QuantStamp
    Quickx
    Quora
    Qwilr
    Rabo bank
    Rackspace
    Rainforest
    Raise
    Rapid7
    Razer
    RCE Security
    Recht Spraak
    Red Sift
    RedHat
    Regionale Belasting Groep
    Release Wire
    Report Garden
    Request Network
    Rev Next
    Rhino Security Labs
    Ribose
    RightMesh
    Rijskoverheid
    Riot Games
    Ripple
    Rocket-Chat
    Roll Bar
    Royal Bank of Scotland
    Rust
    SafeHats
    SalesForce
    Samsung – Mobiles
    SAP
    Saveya
    Scaleft
    Secure Pay
    Secureworks
    Security Escape
    Segment
    Sellfy
    Sentry
    ShareLaTex
    Shivom
    Shopify
    ShowMax
    Shuberg Philis
    Sifter
    Sifter
    SIgnify
    Silent Circle
    Silver Gold Bull
    Silver Gold Bull CA
    Simpplr
    SiteGround
    SiteLock
    Skoodat
    Skuid
    Slack
    Sli Do
    Smartling
    Smokescreen
    SNS Bank NL
    Snyk
    Socrata
    Solar Accounts
    Solve 360
    Solve 360
    Solvinity
    Sonatype
    Sony
    Sophos
    SoundCloud
    Sphero
    Spilgames
    SplitWise
    Splunk
    Spokeo
    Sporty Co
    Spotcap
    Spotify
    Spreaker
    Spring Role
    Sprout Social
    Sqreen
    Square
    Starbase
    Starbucks
    Starleaf
    StatusPage.io
    Stellar
    Stellar Gold
    StopTheHacker
    Studielink
    StudiVZ (Report)
    Swachh Coin
    Swiggy
    SwissCom
    Symantec
    Synack
    Synapse
    Synology
    Synosys
    Takealot
    Talent LMS
    TarSnap
    Taxi Butler
    TeeSpring
    Telecom Italia
    Telegram
    Telekom
    Telenet Belgium
    Tendermint
    TenX
    Teradici
    Tesla
    TestBirds
    The Atlantic
    Thinkful
    ThisData
    Thuisbezorgd
    Tictail
    Tinder
    Token Valley
    Tokia
    TorGuard VPN
    TransLoadIt
    Traveloka
    Trend Micro
    Trezor
    Tron Network
    Trustly
    TrustPay
    Tuenti
    Tumblr
    Twilio
    Twitch Interactive
    Twitter
    Typo3
    Uber
    Ubnt
    Ubuntu Server
    Umbraco
    Unchained
    Unitag
    United Airlines
    United Nations
    Unity
    Unocoin
    Uphold
    Upscope
    Upscope
    Upwork
    Valve
    Van Lanschot
    Vanilla
    Vasco
    Venmo (App)
    Verizon
    Viadeo
    ViewPost
    Vimeo
    Virtual Box
    Visma Enterprise Oy
    VK
    Vodafone Security DE
    VSR
    Vu
    Vulnerability Laboratory
    Walmart
    Wamba
    Wave Stone
    We Transfer
    Weave Work
    Web GUI
    Webconverger
    Weblate
    Webmini
    Websecurify
    WeiFund
    Werken Bij Defensie
    Western Union
    WhatRuns
    White Hat Securities
    Wickr
    Winding Tree
    Windows
    Windthorst ISD
    WINGS DAPP
    WINK
    WordPress
    XenProject
    Xiaomi
    XYO Network
    Yahoo
    Yahoo
    Yandex
    Yelp
    YouTube
    Zapier
    Zcoin
    Zenmate
    Zerobrane
    Zerodium
    Zeta
    Zetetic
    Zimbra
    Zimperium
    Zipline
    Zoho
    Zomato
    Zynga


    Fuente:  https://www.vpnmentor.com/blog/the-complete-list-of-bug-bounty-programs/[/list]

    10
    Hola Kukulcan84. Bienvenido al foro. Gracias por compartir el video.

    Les recuerdo que si quieren embedir videos de Youtube es solo cuestion que usen el BBCode [html]. Si quieren un video de como hacerlo se los dejo aquí. Esta un poco largo el video, en realidad solo es copiar el codigo de Youtube y pegarlo entre tags de [html] ... [/html]


    11
    Bienvenido bl4sph3m!

    Gracias por crear este tipo de iniciativas, es una forma divertida de aprender sobre herramientas y técnicas de OSINT y Cyber Threat Intelligence.

    Saludos.

    12
    Lista de las mejores técnicas de hacking web del 2019

    Exploiting SSRF in AWS Elastic Beanstalk
    Get pwned by scanning QR Code
    Exploiting Null Byte Buffer Overflow for a $40,000 bounty
    Infiltrating Corporate Intranet Like NSA: Pre-Auth RCE On Leading SSL VPNs
    Unveiling vulnerabilities in WebSocket APIs
    Reverse proxies & Inconsistency
    Abusing HTTP hop-by-hop request headers
    DOMPurify 2.0.0 bypass using mutation XSS
    PHP-FPM RCE(CVE-2019-11043)
    Security analysis of portal element
    Exploiting prototype pollution - RCE in Kibana
    At Home Among Strangers
    HostSplit: Exploitable
    Finding and Exploiting .NET Remoting over HTTP using Deserialisation
    Microsoft Edge (Chromium) - Elevation of Privilege to Potential RCE
    Remote Code Execution via Insecure Deserialization in Telerik UI
    Cross-Site Leaks por SirDarckCat
    Exploiting Spring Boot Actuators
    Owning The Clout Through Server Side Request Forgery
    The world of Site Isolation and compromised renderer
    XSS in GMail's AMP4Email via DOM Clobbering
    Common Security Issues in Financially-Oriented Web Applications
    A Tale of Exploitation in Spreadsheet File Conversions
    Uploading web.config for Fun and Profit 2
    Far Side of Java Remote Protocols
    All is XSS that comes to the .NET
    The Cookie Monster in Your Browsers
    Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!
    Exploring Continuous Integration Services as a Bug Bounty Hunter
    Exploiting Deserialisation in ASP.NET via ViewState
    Don't open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, ...
    Bypassing SOP Using the Browser Cache
    SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP
    Exploiting JNDI Injections in Java
    Reusing Cookies
    Abusing autoresponders and email bounces
    HTTP Desync Attacks: Request Smuggling Reborn
    Let's Make Windows Defender Angry: Antivirus can be an oracle!
    SSO Wars: The Token Menace
    XSS-Auditor — the protector of unprotected and the deceiver of protected
    DoS via Web Cache Poisoning
    Facebook Messenger server random memory exposure through corrupted GIF
    Exploiting padding oracles with fixed IVs
    Getting Shell with XAMLX Files
    Apache Solr Injection Research
    ESI Injection Part 2: Abusing specific implementations
    Backchannel Leaks on Strict Content-Security Policy
    Google Search XSS
    IIS Application vs. Folder Detection During Blackbox Testing

    Fuente y votación por el Top 10: https://portswigger.net/polls/top-10-web-hacking-techniques-2019
    *La votación termina el 27 de enero.

    13
    Seguridad y Hacking / Getting Started With ATT&CK [Ebook]
    « on: Enero 14, 2020, 08:05:49 am »
    "Getting Started With ATT&CK" es un Ebook (PDF) que contiene un compilado de publicaciones de MITRE sobre como utilizar correctamente el framework.


    ...during summer 2019 we decided to write a series of blog posts around getting
    started with ATT&CK. The posts, inspired by Katie Nickels’ Sp4rkcon talk “Putting MITRE
    ATT&CK into Action with What You Have, Where You Are,” were written by members of
    the ATT&CK team and focused on what we consider ATT&CK’s four primary use cases.
    For each use case, the authors laid out advice on how an organization could get started
    with ATT&CK based on available resources and overall maturity.
    This publication pulls together their collective wisdom, originally posted on Medium, into
    a single package. We hope you read it and get some new ideas on getting started with
    ATT&CK. Let us know what you think—we’d love to hear your feedback.

    Adam Pennington
    Principal Cybersecurity Engineer
    ATT&CK Blog Editor in Chief
    MITRE


    https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf

    14
    Noticias y Eventos / DEF CON Las Vegas [Agosto 6 - 9]
    « on: Enero 13, 2020, 09:23:09 pm »
    DEF CON is what you make of it.

    https://defcon.org/

    15
    Noticias y Eventos / Black Hat USA [Agosto 1 - 6]
    « on: Enero 13, 2020, 09:11:45 pm »
    https://www.blackhat.com/index.html

    Black Hat is the most technical and relevant information security event series in the world. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.

    From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. Today, Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia, providing a premier venue for elite security researchers and trainers to find their audience.

    WHAT WE DO
    Briefings
    Black Hat Briefings were created more than 20 years ago to provide security professionals a place to learn the very latest in information security risks, research and trends. Each year, internationally leading security researchers take the stage to share their latest work and exploits in a friendly, vendor-neutral environment. Vulnerabilities are often exposed that impact everything from popular consumer devices to critical international infrastructure and everything in between. Black Hat seeks groundbreaking research to fill both 25 and 50-minute speaking slots for each annual show.

    Trainings
    Black Hat Trainings offer attendees individual technical courses on topics ranging from the latest in penetration testing to exploiting web applications and even defending and building SCADA systems. Often designed exclusively for Black Hat, these hands-on attack and defense courses are taught by industry and subject matter experts from all over the world with the goal of defining and defending tomorrow's information security landscape.

    Review Board + Content Selection
    The Black Hat Review Board is comprised of over 24 of the industry's most credible and distinguished security professionals and thought leaders throughout various areas of the information security community. The Review Board advises Black Hat on its strategic direction, reviewing and programming conference content and providing unparalleled insight into the research community. You can find more information on the Review Board here: www.blackhat.com/review-board.html.

    Black Hat strives to deliver one of the most empirical content selection processes in the industry. All submissions are vetted thoroughly by the Black Hat Review Board. Each submission is reviewed for uniqueness, overall content expertise and accuracy before any selections are made. Through the course of this dynamic review process, the Black Hat Review Board members will frequently ask researchers for clarity on any areas of question in their submissions – whether it be about the uniqueness or audacity of claims made. The best submissions come with academic-grade papers, proof-of-concept code and/or video demonstrations of the work done. Of note, Black Hat does not support pay-for-play Briefings. The Black Hat Briefings are and always have been independently selected based on quality of content and area of expertise rather than sponsorship.

    Attracting Top Talent and Research
    Black Hat is proud of the level of research and vulnerability disclosures that happen onsite each year. We also strongly support and encourage responsible disclosure. To this end, Black Hat has a strong partnership with the Electronic Frontier Foundation (EFF) to provide pro-bono legal consultations to security researchers on the legality of any research or data they plan to present at the annual shows. Black Hat and EFF are dedicated to defending free speech and privacy rights to facilitate the boundary–pushing research and vulnerability disclosure that attendees have come to know and love at each annual show.

    WHO SHOULD ATTEND
    Security Practitioners
    (IT Specialists, Security Analysts, Risk Managers, Security Architects/Engineers, Penetration Testers, Security Software Developers, Cryptographers, Programmers, Government Employees and many more)
    Hone your skills with the latest tools and techniques being used in the industry through Black Hat's intensely technical and relevant Briefings and Trainings. Explore challenges and successes others in the field are experiencing, while collaborating on uses for emerging platforms, development models and best practices.

    Security Executives, Business Developers and Venture Capitalists
    (CISOs, CEOs, Presidents, Directors, VPs, Consultants)
    Take advantage of a multi-billion-dollar industry by networking with other top information security executives, practitioners and potential investors. Gain knowledge of opportunities in the constantly growing information security industry while engaging with the community that is molding the future of the field and trailblazing new ventures. The Black Hat CISO Summit, an exclusive gathering of 200 top industry executives and security industry leaders, ignites open conversations and "think tank" style breakout sessions. This full day of discussions is unique to Black Hat and provides unmatched opportunities for networking and learning.

    Vendor Companies and Sponsors
    (Hardware, Software, Middleware, Services, More)
    Black Hat attracts more than 17,000 of the world's most renowned security experts, executives and attendees, creating the industry's most dynamic and concentrated information security community. Engage this audience over the course of two days by showcasing your latest and greatest innovations, expertise, services and products.

    The Business Hall is the epicenter of where business happens at Black Hat, featuring more than 150 of the industry's top solution providers and start-ups showcasing the latest tools, technologies and services supporting the security community.

    Career Seekers and Recruiters
    (Seasoned Veterans, Students, Schools, Expanding Companies)
    Black Hat provides an opportunity for you to get your name out to the best new and seasoned talent in the industry. Meet face-to-face with the top international talent committed to defining and defending the future of security. Job seekers, meet with the most influential companies and recruiters who are hiring now. Bring your resumes and business cards and make game-changing connections.

    Academia
    (Professors, Students Aged 18+)
    Black Hat provides students with the opportunity to interact with and learn from top industry professionals through conference sessions, networking activities, Business Hall Sessions, and more. There is an academic rate for students and full-time university professors interested in attending.

    https://www.blackhat.com/index.html

    Páginas: [1] 2 3 4