Kamil Vavra | @vavkamil

Offensive website security | Bug bounty | Ethical hacking

🕵️Whoami 💰Bug bounty 📖Blog 💻GitHub 📢Talks 🏆LinkedIn 📩Contact

Blog

Mostly posts about offensive website security

Categories

All posts

Bookmarklet hijacking

I noticed an exciting link shared on Hacker News titled “Wait, what’s a bookmarklet?”. I have been using them for a long time, and while reading that discussion, it was nice to see people sharing useful ones they use to make their everyday tasks easier. The security engineering mind got me thinking about the security implications of saving bookmarks with... }}

WordPress Plugin Confusion: How an update can get you pwned

tl;dr: Like the novel “Dependency Confusion” supply chain attack, it is possible to take over internally developed WordPress plugins unclaimed on the wordpress.org registry. Updating the plugin might result in the RCE or installing a PHP backdoor. You can use wp_update_confusion.py to scan for potential targets. To protect your website, please read this announcement. Table of contents Main idea The... }}

Analysis of the Fake Trezor Mobile Wallet app in the Play Store

tl;dr: I analyzed the fake Trezor Android application on Google Play Store, compromised the backend, and said hello to the developer. A story about a person losing 7.1 bitcoin worth ~$600,000 due to a fake “Trezor” app in the App Store made the news very recently. According to the article, five people have reported having cryptocurrency stolen by the fake... }}

Exploiting remote DoS vulnerability in my not-so-smart TV

tl;dr: I found a remotely exploitable DoS vulnerability in my “smart” TV in less than two hours after unboxing. I have released full details, including a 0-day PoC exploit. I bought myself a smart TV for Christmas. It’s the first TV which I ever owned, so I was quite excited about it, but at the same time, I didn’t want... }}

WP GDPR Compliance <= 1.5.5 - Unauthenticated Cross-Site Scripting (XSS)

tl;dr: The GDPR Compliance <= 1.5.5 plugin allowed unauthenticated users to exploit Stored Cross-Site Scripting (XSS) in the administration panel, which might lead to the privilege escalation. That was due to clients’ IP Addresses reflected in the plugin’s dashboard without being correctly validated or escaped. I have just recently joined a Detectify crowdsource team, and I must say the platform... }}

XSSworm.dev ~ Self-replication contest [write-up]

tl;dr: I created “CTF” style challenge for our OWASP Czech Chapter Virtual Meeting. The goal was to write an XSS worm and score points by infecting 1k virtual users. You can find the source code here and read the details in this post. When the whole covid-19 thing started, I was somehow interested in looking at various coronavirus world maps... }}

All-in-One WP Migration <=7.14 Arbitrary Backup Download

A long time ago, I made a stupid decision to use WordPress for this blog about offensive website security. Since then, I learned a lot. I will be releasing a plugin to defend against XML-RPC attacks and guide how to generate a static HTML site in upcoming weeks. But today I would like to share an interesting vulnerability that I... }}

Hack-back: the tale of embarrassing phishing campaign

UPDATE: 17th January 2020: Another landing page disabled. UPDATE: 15th January 2020: I posted this to reddit.com/r/hacking and it seems like the mods didn't like it, they consider my blog post as a self-promotion and spam. Thank you!You have been permanently banned from participating in r/hackingYou have been permanently banned from participating in r/ActLikeYouBelongYou have been permanently banned from participating... }}

An introduction to the Router Exploit Kits

OWASP Czech Chapter Meeting, Dec 11, 2019 ~ Brno /assets/img/2019/12/an-introduction-to-the-router-exploit-kits.pdf 2019-12-11-Kamil Vavra - An introduction to the router exploit kits2019-12-11- from Czech OWASP chapter on Vimeo. }}

Bug Bounty ~ Work Smarter, Not Harder

https://twitter.com/vavkamil/status/1126948609050779650 https://twitter.com/vavkamil/status/1126948609050779650 /assets/img/2019/05/ctjb_2019_bugbounty.pdf }}

Understanding the full potential of sqlmap during bug bounty hunting

Swiss army knife for SQL Injection attacks, sqlmap was first developed in 2006 by Daniele Bellucci and later maintained by Bernardo Damele and Miroslav Stampar. Its early development took off thanks to the OWASP Spring of Code 2007 and was first under the serious media coverage during the Black Hat Europe 2009 conference. If you are interested in more dates... }}

How to bypass Android certificate pinning and intercept SSL traffic

Over the last few months, I had a quite luck finding IDOR vulnerabilities in mobile API of Android applications. Nowadays most of the apps are obfuscated and using certificate pinning to prevent MiTMs. If you are late in the game or want to shift your bug bounty hunting on Android apps, there are awesome tools that can help you catch... }}

Serverless Blind XSS hunter with Cloudflare Workers

If you are not familiar with XSS Hunter by @IAmMandatory, it's an awesome tool for penetration testers and bug bounty hunters that allows easily hunt for blind XSS vulnerabilities. It's open-source with a ton of features. You can use the SaaS version, deploy it yourself or even go serverless with Refinery! You should absolutely give it a try :) I... }}

Content on this site is licensed under a Creative Commons Attribution 4.0 International License
🄯 2019‐2024 - @vavkamil - Open-source Github pages - Powered by Jekyll & The Hacker theme - Subscribe via RSS