Kamil Vavra | @vavkamil

Offensive Web Application Security | Ethical Hacking | Security Research


vavkamil@localhost:~/Bug bounty$

19+ years of hands-on ethical hacking experience. Mostly responsible disclosure.

CVEs



HackerOne & Bugcrowd

Disclosed reports



Responsible Disclosure Highlights



Write-ups, talks & disclosed reports

WordPress Plugin Confusion: How an update can get you pwned | 22 minutes to read

tl;dr: Like the novel “Dependency Confusion” supply chain attack, it is possible to take over internally developed WordPress plugins that are unclaimed on the wordpress.org registry. Updating such a plugin might result in RCE or the installation of a PHP backdoor. You can use wp_update_confusion.py to scan for potential targets. To protect your website, please read this announcement.




WordPress Supply Chain Attack

OWASP Czech Chapter Meeting

(Prague, Czechia)

Novel attack vector affecting WordPress websites. This talk will cover the research from the beginning, explaining the motivation and the exploration phase. A new scanner tool will be released, along with a Docker container for local testing. Lastly, you will get a chance to see the redacted results from the bug bounty hunting, the recon process, and the struggle with triage of the reports. TBU, currently still a 0day :)



WP GDPR Compliance <= 1.5.5 - Unauthenticated XSS | 7 minutes to read

tl;dr: The GDPR Compliance <= 1.5.5 plugin allowed unauthenticated users to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the administration panel, which might lead to privilege escalation. The cause was clients’ IP addresses being reflected in the plugin’s dashboard without being correctly validated or escaped.





Hacking Node.js legacy URL API | 8 minutes to read

Our security engineers ensure the highest possible safety of our services. Their weapon of choice? Penetration testing: a simulated cyber-attack conducted by authorized developers to discover and exploit security vulnerabilities in the system, app or service the team is developing. Other proactive steps include secure code review, dependency scanning, SAST, and asset monitoring.




All-in-One WP Migration <=7.14 Arbitrary Backup Download | 3 minutes to read

A long time ago, I made a stupid decision to use WordPress for this blog about offensive website security. Since then, I have learned a lot. In the upcoming weeks, I will be releasing a plugin to defend against XML-RPC attacks and a guide on how to generate a static HTML site.






Responsible Disclosure Details

Website | Vulnerability Details | References
WordPress.org | WordPress Plugin Confusion / CVE-2021-44223 | [write-up]
Node.js | Hacking Node.js legacy URL API | [write-up]
Costa | Hacking a Cruise Ship | [write-up]
Drmax.cz | 0click Account Takeover via API (password reset) | [write-up]
Strong.tv | Unauthenticated Remote DoS Exploit in SRT 43UB6203 smart TV | [write-up]
o2.cz | Disclosure of invoices and PII via Android app API (IDORs) | [write-up]
mdBook (Rust) | Reflected XSS in search function | CVE-2020-26297
Kubernetes | Reflected XSS in docs page kubernetes-csi.github.io | h1 report
WordPress.com | Insufficient DKIM record with RSA 512-bit key used | h1 report
Trezor.io | Misconfigured CORS - CORS bypass via null origin | GitHub issue
Pirati | Reflected XSS found via source code review | GitHub issue
Whalebone.io | Swagger UI XSS |
Marshall | Orders API IDOR - PII Disclosure | Security
cz.nic | IDOR - hidden whois data for CZ TLD | security.txt
Seznam.cz | XSS, Cookie bomb (DoS) | security.txt
Rohlik.cz | Multiple XSS, web cache deception, open redirects | security.txt
Airbank.cz | Disclosed Twitter API keys (full access & ability to tweet) | security.txt
Zive.cz | Multiple XSS and broken logic in SSO (Account takeover) | security.txt
Trezor.io | Wiki open redirect & docs XSS | security.txt
Protonmail | Reflected XSS via .svg file (Drive) | security.txt
Protonmail | RLO spoofing - Spoofing file extension via share link (Drive) | security.txt
Notino.cz | Reflected XSS in search | security.txt
Airbank.cz | Reflected DOM XSS via POST request | security.txt
Airbank.cz | Unrestricted file upload API allows uploading any file | security.txt
Active24.cz | DOM-based XSS in domain search | security.txt
Gopay.com | Stored XSS in WordPress (CVE-2019-11869) | security.txt
Trezor.io | Disclosure of user IPs via debug MessageEvent (Domain takeover) | security.txt
Rohlik.cz | Access to Google calendar revealing sensitive info | security.txt
CSFD.cz | Multiple XSS, IDOR vulnerabilities (Account takeover) | Hall of Fame
t-mobile.cz | Multiple CSRF, XSS vulnerabilities | Hall of Fame
Zive.cz | Multiple XSS vulnerabilities | security.txt
Mall.cz | XSS in Angular template | security.txt
Alza.cz | XSS filter bypass, orders IDOR (PII) | security.txt
Heureka.cz | Multiple XSS vulnerabilities | security.txt
Seznam.cz | Account takeover / Multiple XSS -> CSP bypass -> CSRF | security.txt
Kiwi.com | Multiple vulnerabilities | security.txt
Deepnote.com | Multiple vulnerabilities | security.txt
Liferay.com | Multiple vulnerabilities | security.txt
Sportega.cz | Multiple vulnerabilities | security.txt
Apify.com | Multiple vulnerabilities | security.txt
Printify.com | Multiple vulnerabilities | security.txt
Printful.com | Multiple vulnerabilities | security.txt
TunaSec.com | Multiple vulnerabilities | security.txt
Engeto.cz | Multiple vulnerabilities |
Subreg.cz | Multiple Reflected & DOM-based XSS |
Prospanek.cz | Reflected XSS in search |
Damejidlo.cz | Reflected XSS in restaurants archive |
idos.cz | Multiple XSS, Arbitrary File Download, Source-code disclosure |
UPC.cz | Reflected XSS / Unvalidated redirect |
cd.cz | Misconfigured API (PII leak in JavaScript, CORS) |
Fler.cz | CORS misconfiguration - Disclosure of PII via JavaScript exploit |
Drmax.cz | CORS misconfiguration - Disclosure of PII via JavaScript exploit |
Tele3.cz | SQLi - Blind SQL Injection |
Tsbohemia.cz | DOM-based XSS in search function |
Philips-hue | CORS misconfiguration |
Nivea | SQLi |
Cloudflare.com | ?? | security.txt
Spotify | ?? | security.txt
Atlassian | ?? | security.txt
Evernote | ?? |
Starbucks | ?? |
Fitbit | ?? |
LastPass | ?? |
Tesla | ?? |
Ford | ?? |
Logitech | ?? |
Sony | ?? |
Wordpress | ?? |
Smartsheet | ?? |
Quora | ?? |
Bugcrowd | ?? |
SendSafely | ?? |
Recorded Future | ?? |
Mars | ?? |
Pinterest | ?? |