Tag: #security

Hacking the Dutch Government – Responsible Disclosure

Hacking the Dutch Government – Responsible Disclosure

Security, Vulnerabilities
... and all I got was a lousy t-shirt The Dutch Government "Rijksoverheid" has this responsible disclosure program where if you manage to find a vulnerability in one of their systems, they reward you with a shirt having a small logo of their National Cyber Security Centre (NCSC) together with "I hacked the Dutch Government and all I got was this lousy t-shirt". Quite humorous eh? So visiting one of their websites I've managed to find a CHANGELOG.txt which is a file commonly left when an administrator installs and doesn't clean up. This CHANGLOG.txt basically shows critical information. Seeing that the current Drupal version installed is 7.43 (which is already outdated), one might think that this should be vulnerable to CVE-2018-7600 or "Drupalgeddon", a vulnerability that ...
HP Responsible Disclosure – Information Leakage

HP Responsible Disclosure – Information Leakage

Security, Vulnerabilities
After finding a security issue from the website of Asus, I started wandering through a list of tech giants and I ended up seeing information that wasn't meant to be seen by the public eyes. Hewlett-Packard or popularly known as "HP" had some information leakage on their website "recycle.ext.hp.com" which I discovered by reading a Javascript file. This client-side script had pretty interesting information that led me to read each block until I found a function that was possibly deprecated due to its function name having the word "old". When I extracted the URL and visited it manually, it was actually responsive leading me to some kind of a job order https://recycle.ext.hp.com/index.php?process=print&type=order&target=20 (This obviously won't work now because it has been fixed...
ASUS Responsible Disclosure – SQL Injection

ASUS Responsible Disclosure – SQL Injection

Security, Vulnerabilities
My CCNA CyberOps scholarship has finally ended which means more time to fool around in the internet! Yey! So recently, I decided to pursue some bug hunting because it has been a while since my last "capture the flag" practice and am already forgetting how to use tools in Kali. This made me look for some popular sites and led me to visit asus.com. After some information gathering, I came across the domain etrip.asus.com which then forwarded me to a Javascript file etrip.asus.com/eTrip/HO-js.js. Reading the script showed another file with a .jsp extension which had some parameters. I first visited the link without any parameters as I didn't really know what values are marked 'correct' in the system. After visiting, it just spitted out the source code which made me say "Wow! Tha...