Last updated: 15 Feb 2023

CTF

3) 31 Jan 2023
Bugcrowd mini CTF challenge via Twitter to win Bugcrowd swag, but I haven’t heard anything else about it, maybe it’s still in triage? :)
https://bugcrowd-mystique.herokuapp.com

2) 03 Dec 2022
WACTF - lots of challenges, solved maybe 50% of them.
From memory I ended up about halfway on the leaderboard.

1) 22 Nov 2022
Decipher Bureau x Volkis CTF - won a ticket to BSides Sydney.

Bug Bounty

A list of bugs I found while doing bug bounty at the end of 2022.

6) 15 Sep 2022
Discovered an HTTP DELETE endpoint which was accessible via an API but not available/implemented as a feature on the UI. In private program.

5) 14 Sep 2022
Stored XSS + Same Origin Policy bypass to exfiltrate session cookie to a remote server, in private program.

4) 09 Sep 2022
Unauthenticated cache purge access. In public program (Marked as a P5, informative but acceptable risk to business).

3) 08 Sep 2022
Stored XSS. In private invite program.

2) 07 Sep 2022
EXIF data not removed from uploaded images. In private invite program.

1) 27 Jul 2022
Reflected XSS via search input field. In public VDP program (Marked as duplicate).

I started bounty hunting on 19th of July 2022, 8 days prior to finding my first bug. I didn’t do any hunting in the month of August.