Disclaimer: This writeup is heavily redacted due to the company’s policy on disclosing reports. Don’t forget to read my previous Bug Bounty Writeup — Stored XSS on Product Description [HIGH] — $400. Thank you for your time!

Photo by Florian Olivo on Unsplash

Within a web application, user roles are usually defined so that access to resources can be restricted correctly. This mirrors a real-life company hierarchy: a manager might be allowed to decide on or perform monetary actions, while an entry-level staff member could not. In some web applications, different user roles are granted what is called Privilege. This helps companies not only to organize job responsibilities but to…
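To make the role/privilege idea above concrete, here is an added example (it is not code from the original article, and it does not describe the bug in the report). The role names, privilege names and request shape are assumptions chosen for illustration; the point it shows is that a privilege check is only as good as where the role comes from, so the role must be resolved from the server-side session, never from a field the client can edit.

```python
# Added example (not from the original article): a minimal role/privilege
# model of the kind the paragraph above describes. Role names, privilege
# names and the request shape are assumptions for illustration only.
from dataclasses import dataclass

# Privileges granted to each role. Higher roles are not implicit supersets:
# every grant is explicit so a reviewer can see exactly who may do what.
ROLE_PRIVILEGES = {
    "staff":   {"view_orders"},
    "manager": {"view_orders", "issue_refund", "approve_payout"},
    "admin":   {"view_orders", "issue_refund", "approve_payout", "manage_users"},
}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # set server-side at login, never read from the request


class Forbidden(Exception):
    pass


def has_privilege(role: str, privilege: str) -> bool:
    """Look the privilege up in the role table; unknown roles get nothing."""
    return privilege in ROLE_PRIVILEGES.get(role, set())


def issue_refund_vulnerable(request: dict) -> str:
    """Trusts the role carried in the request body. A staff user who edits
    the JSON to say "manager" is treated as one."""
    if not has_privilege(request.get("role", ""), "issue_refund"):
        raise Forbidden("issue_refund")
    return f"refunded order {request['order_id']}"


def issue_refund_fixed(session: Session, request: dict) -> str:
    """Resolves the role from the server-side session, so client-controlled
    fields cannot change which privileges apply."""
    if not has_privilege(session.role, "issue_refund"):
        raise Forbidden("issue_refund")
    return f"refunded order {request['order_id']}"


def demo():
    """Run both handlers against a tampered request from a staff account."""
    staff = Session(user_id=7, role="staff")
    # Constructed request: a staff user claims to be a manager in the body.
    tampered = {"order_id": 42, "role": "manager"}
    escalated = issue_refund_vulnerable(tampered)  # succeeds: escalation
    try:
        issue_refund_fixed(staff, tampered)
        blocked = False
    except Forbidden:
        blocked = True  # the fixed handler ignores the body's role claim
    return escalated, blocked


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to any privileged action: keep the privilege table in one place, and have every handler ask `has_privilege(session.role, ...)` rather than repeating role-name comparisons inline.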


The following article is written based on my personal experience penetration testing web applications. Hope you enjoy it!

Photo by Sander Weeteling on Unsplash

Introduction

As we all know, the authentication endpoint has always been the first line of defense of a web application. It is the endpoint that verifies the identity of an existing user, either against the application's own database or through a third-party authentication service (OAuth). To the ordinary eye, authentication endpoints are perceived as a security mechanism, but for black hat hackers they are an additional attack surface that can cause devastating impact. Therefore, it is important for developers to implement policies and…


Disclaimer: I do not have permission to disclose the report, therefore I needed to heavily redact this writeup. Thank you and happy reading!

Photo by Benny Samuel on Unsplash

Stored cross-site scripting is a vulnerability where an application stores untrusted input from one user and later renders it unescaped into pages served to other users, so attacker-supplied script runs in their browsers. The combination of being lethal while having a low attack complexity placed XSS at number 7 of the OWASP Top 10 (2017). In this writeup, I will explain how I was able to find a Stored XSS on one of the biggest e-commerce sites in Asia.

As we all know, most e-commerce websites allow sellers to add their…
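The paragraphs above describe the shape of a stored XSS on seller-supplied content. The following is an added example, not code from the original article or from the affected site, showing the vulnerable and fixed rendering of a product description side by side. The in-memory product store, the HTML wrapper and the payload are constructed for illustration; the only real library call is `html.escape` from the standard library.

```python
# Added example (not from the original article): storing a seller-supplied
# product description and rendering it into an HTML body context.
import html

# In-memory stand-in for the product table (constructed for this example).
PRODUCTS: dict = {}


def save_description(product_id: int, description: str) -> None:
    """Seller-controlled text is stored verbatim. Storing it is fine;
    the vulnerability lives in how it is rendered later."""
    PRODUCTS[product_id] = {"description": description}


def render_unsafe(product_id: int) -> str:
    """Vulnerable: interpolates the stored text straight into the page,
    so a description containing markup becomes live markup for every
    visitor who views the product."""
    return f"<div class='desc'>{PRODUCTS[product_id]['description']}</div>"


def render_escaped(product_id: int) -> str:
    """Fixed for the HTML body context: html.escape turns < > & " and '
    into entities, so the browser shows the text instead of parsing it.
    Output going into an attribute, URL or <script> needs context-specific
    encoding instead; escaping for one context is not enough for another."""
    safe = html.escape(PRODUCTS[product_id]["description"], quote=True)
    return f"<div class='desc'>{safe}</div>"


def contains_active_tag(rendered: str) -> bool:
    """Crude check for the demonstration: does a raw <script or <img tag
    survive into the rendered page? Not a general XSS detector."""
    lowered = rendered.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    # Constructed payload of the kind a malicious seller might submit.
    save_description(1, "<img src=x onerror=alert(document.cookie)>")
    print("unsafe :", render_unsafe(1))
    print("escaped:", render_escaped(1))
```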


The bug bounty industry is one of the most competitive there is. Evolving technologies, together with an ever-increasing number of researchers, create a highly competitive environment. In this article, I will explain my thought process on how I, as a newcomer, choose the ‘right’ bug bounty program to increase my chances of finding valid security vulnerabilities.

Bug Bounty Life

According to HackerOne’s ‘The 2020 Hacker Report’, more than 600,000 hackers had registered on the platform as of February 2020. This shows that security crowdsourcing is a rapidly growing industry. Among those…


I am a relatively new Bug Bounty Hunter and do not claim to be a professional! Just trying to share my experience from the perspective of a newbie. I expect all readers to have a basic understanding of CSRF.

Illustration by netsparker.com

Introduction

Cross-Site Request Forgery (CSRF) was one of the first vulnerabilities I learned about at the beginning of my Bug Bounty journey. Combined with social engineering, it is a vulnerability that lets an attacker make a victim's browser perform unintended, authenticated actions on the target's account, because the browser attaches the session cookie to a request regardless of which site initiated it. Like most vulnerabilities, the impact of CSRF ranges from Low to High. From simply enabling/disabling a newsletter subscription to initiating a fund transfer, the attack…
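The fund-transfer case mentioned above is the classic CSRF target, so here is an added example (not code from the original article) of a transfer handler with and without a synchronizer token. The handler names, the in-memory session store and the form fields are assumptions for illustration; the defence shown is the standard per-session token that the legitimate form embeds and that a cross-site page cannot read.

```python
# Added example (not from the original article): a fund-transfer handler
# before and after adding a synchronizer (anti-CSRF) token.
import hmac
import secrets

# session_id -> CSRF token. A server-side store, constructed for this example;
# in a real app this lives alongside the rest of the session data.
SESSION_TOKENS: dict = {}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) an unguessable per-session token. The page that
    renders the transfer form embeds it in a hidden field; an attacker's
    page on another origin has no way to read it."""
    if session_id not in SESSION_TOKENS:
        SESSION_TOKENS[session_id] = secrets.token_urlsafe(32)
    return SESSION_TOKENS[session_id]


def transfer_funds_vulnerable(session_id: str, form: dict) -> str:
    """Relies only on the session cookie. The browser attaches that cookie
    to a cross-site POST too, so a page the victim merely visits can submit
    this form on their behalf."""
    return f"sent {form['amount']} to {form['to']}"


def transfer_funds_fixed(session_id: str, form: dict) -> str:
    """Requires the per-session token in the form body. A forged cross-site
    request cannot include the correct value, so it is rejected."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    # compare_digest on bytes: constant-time, and safe for non-ASCII input.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), str(supplied).encode("utf-8")
    ):
        raise PermissionError("CSRF token missing or invalid")
    return f"sent {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Constructed forged request: no token, as a cross-site form would send.
    token = issue_csrf_token("sess-1")
    forged = {"to": "attacker", "amount": 500}
    print("vulnerable:", transfer_funds_vulnerable("sess-1", forged))
    try:
        transfer_funds_fixed("sess-1", forged)
    except PermissionError as exc:
        print("fixed:", exc)
    print("fixed, legit:", transfer_funds_fixed("sess-1", dict(forged, csrf_token=token)))
```

In practice the token check belongs in middleware applied to every state-changing route, and it should be combined with the `SameSite` cookie attribute; the token alone is shown here because it is the part a newcomer most often finds missing.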


Disclaimer: I do not claim to be a professional! Just sharing my personal experience ;)

Information Leakage = Data Breach
Data Breach

According to Varonis.com, a total of 7 million data records are compromised every day, 56 records every second. I am sure that everyone is well versed in the impact of a Data Breach. The range is endless: identity theft, private information disclosure, and many more, depending on the severity of the breach of course. But a breach is still a breach, right? No matter how little and insignificant the information is, the companies that we have trusted to keep our private information need…

Emanuel Beni Harijanto

Cybersecurity enthusiast! Eager to learn and share personal experiences with all of you.
