Long time no see!
I haven’t blogged anything for a while here on 0x00sec. And that’s a shame since this community made me what I am right now and taught me nearly everything related to hacking, all while I made (and am still making!) some good friends.
It’s been a while since I started disclosing exposures to organizations that leave sensitive data reachable on the Internet. It’s a fun process of mass scanning for exposures, misconfigurations, or just interesting hosts (thanks, Shodan), which can then be explored further.
The whole purpose of discovering exposures and vulnerabilities is to get the thrill of finding out how exploitable the Internet actually is. Of course, this also gives me the responsibility to report the issue to the owner. This is not blackhat activity nor a documentation of known vulnerabilities out in the wild. It’s a series from which some will hopefully learn something about attacking (and defending) with the sole purpose of contributing to security while having some fun.
So, in the spirit of restarting the forum culture and bringing some (hopefully) good content to 0x00sec, @messede (a badass 0x00sec hacker who sparked the idea for the series in me) and I decided to create this little series called “Web Vulnerabilities and Disclosure Revelations”.
In this series of articles, we will blog about some of our findings and how we found them. We disclose to the organization/company first, and when we publish depends on how the organization responds. That means they either:
- Fix the issue and allow us to publish
- Don’t fix the issue and 90 days have passed
- Don’t reply to us and 90 days have passed
- Say it’s not a risk, but we disagree
These won’t be simple web vulnerability writeups. Unless we decide otherwise, they’ll cover higher-profile bugs.
In cases where the vulnerabilities are still out there, we will try to redact the owner/organization as much as possible (that is, if we decide to redact at all). The goal of the series is to educate on offensive security and the process of disclosing vulnerabilities, and/or to give you something fun to read, not to create a stepping stone for any malicious intent.
This is the “initial commit” of the series. No idea how often we are going to publish or for how long. It could be a weekly thing, could be twice a month, it may even run for just a couple of months ¯\_(ツ)_/¯