Tag: Bugbounty

HowTo Bruteforce Owncloud

By default, Owncloud has no account lockout or login rate limit (both can be enabled in settings), which means an easy bug bounty:
(CWE-307: Improper Restriction of Excessive Authentication Attempts)

https://github.com/AbandonwareDev/owncloud_bruteforcer

The tool may also slow an Owncloud instance down by a factor of 3 at 20 threads (and push CPU usage to 100%), so there is a potential DoS as well.

BugBounty l0l: Email Subscriptions

# Spam

The most common vulnerability I've seen in email subscription forms is spamming:

If you find an email subscription form, try to spam yourself by subscribing multiple times:

email@example.com (your original mail box)
email+random1@example.com (messages will be sent to 'email@example.com')
email+random2@example.com
...

Why does the company care? This vulnerability can be used to spam innocent users, who will report the messages as spam, and that eventually lands all of the company's emails in the spam folder by default.
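The defensive counterpart to the plus-addressing trick above, as an added example that is not part of the original post: a subscription gate that maps `email+tag@example.com` variants back to the one mailbox they deliver to, allows a single pending confirmation per mailbox, and rate-limits requests per client IP (class name, thresholds and window are my assumptions, not any vendor's code).

```python
import time
from collections import defaultdict, deque

# Illustrative thresholds (assumed, not from the original post).
MAX_PER_IP = 5           # subscription requests allowed per IP per window
WINDOW_SECONDS = 3600    # sliding window for both the IP limit and dedup


def canonical_address(email: str) -> str:
    """Lowercase the address and strip a +tag from the local part so that
    email+random1@example.com and email@example.com map to one mailbox."""
    email = email.strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"invalid address: {email!r}")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


class SubscriptionGate:
    """Decides whether a confirmation mail may be sent for a subscribe request."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock for testing
        self._pending = {}                 # canonical mailbox -> time of last send
        self._by_ip = defaultdict(deque)   # client IP -> timestamps in window

    @staticmethod
    def _prune(queue, now):
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()

    def request(self, email: str, ip: str) -> str:
        """Return 'send' when a confirmation mail may go out, otherwise a
        reason for dropping it. The HTTP response to the client should look
        identical in both cases so the form leaks nothing about subscribers."""
        now = self._now()
        mailbox = canonical_address(email)
        queue = self._by_ip[ip]
        self._prune(queue, now)
        if len(queue) >= MAX_PER_IP:
            return "drop:ip-rate-limit"
        queue.append(now)      # dropped duplicates still count against the IP
        last = self._pending.get(mailbox)
        if last is not None and now - last <= WINDOW_SECONDS:
            return "drop:already-pending"
        self._pending[mailbox] = now
        return "send"
```

Double opt-in on top of this (only the confirmed mailbox is ever added) keeps a third party from subscribing someone else at all.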

BugBounty l0l: HowTo choose program

- Your bounty -

# Time

You have 2 options:

  • hack programs that are new - they should have been released less than a day ago
  • hack programs that are pretty old - they may have overlooked vulnerabilities

# Rules

Check for rules that could prohibit submitting the class of vulnerabilities you specialize in.

# Bounty

Try to avoid programs that pay 0 bounty for low-severity vulnerabilities.
Also avoid programs with a high number of submitted vulnerabilities but low total payouts.