Monday, December 05, 2016

2016 Year in Review





Hello Everyone,


This year, I would like to end my 2016 with a Year in Review.


2016: another wonderful year in my life; lots of awesome, amazing and memorable things happened, lots of failures, successes, etc. So, as the year comes to an end, here are the things that happened in my 2016 journey.


-----


1. Travels. Lots of traveling happened this year, although not outside of Mindanao, but still, it is one of my favorite things that I've done this year. Traveling and meeting new people and cultures is one of my main life goals.

This year, I traveled to Pagadian City, Zamboanga City, Dipolog City, Dapitan City (it was my first time in Dapitan, such a lovely place) and Baroy, Lanao Del Norte. Hopefully next year I can spend some of my bug bounty rewards on another travel adventure; I already have the list of the places that I want to go to.


Here are some of the pictures I took during my travels.

On my way to Dapitan.
Visited Gloria de Dapitan for the first time.
Chillin' at the bench inside Gloria de Dapitan with my homies
Me sitting on the wooden bench inside Jose Rizal's house (Replica)
While waiting for my name to be called at the NBI Office in Pagadian City.
On my way to Baroy, Lanao Del Norte.
Chill morning in Baroy, Lanao.
On my way home from Baroy, took this shot while in Aurora, Zamboanga Del Sur.
On my way to Zamboanga City.
Took a picture of Jose Rizal's house (Replica) in Talisay, Dapitan City.




All in all, my travel adventure this year was such a wonderful experience.


-----


2. The bug bounty. For the past 4 years of my bug bounty career, I have learned a lot of things in the field of Information Technology, met new friends (some just on social media), earned some money without having a regular job (just the bug bounty thing), and bought some things that I wanted using my bug bounty rewards.

I started participating in the bug bounty community in mid-2013 and have reported a lot of different security vulnerabilities to hundreds of companies since then. But in 2016, my bug bounty journey was a little bit different from the past years: I became a seasonal researcher since I couldn't manage my time for it like before, but still, this year's bug bounty journey was just another wonderful and memorable adventure.

I was acknowledged again by Microsoft for the second time.

Acknowledged by Twitter for the third time ("two times for this year": 2013, 2014 and 2016) [write-up of one of the issues I reported this year >> Here].

Discovered a critical vulnerability in Cydia [iOS] (write-up is here) but decided not to report it.

Discovered a Universal XSS in Comodo Dragon version 29.1.0.0 (write-up is here; shout out to Inti De Ceukelaire for this one).

Acknowledged and rewarded by different companies; I can't mention them all, but thank you very much to those companies, really stoked to have them become part of my 2016 bug bounty adventure.

Joined the most prestigious "Synack Red Team" community (just another dream come true for me).

Pulled out of the Bugcrowd Top 100 Security Researchers, but hopefully before this year finally ends I will be in the Top 100 again, since I made a promise to be in the Bugcrowd Top 100 researchers for 4 years.

Received many bounties from different companies (thank you, bug bounty).

Just like the previous years, participated in some private and flex bug bounty programs and received bounties from them.

One of my favorite things in bug bounty, the swag: received a lot of swag from different companies.

Just like before, met new people (especially on social media); some of them really became friends, some of them are the kind of people who think a hacker is just a guy who hacks a Facebook account (HAHAHA!), and some of them are people who ask for help on how to start participating in bug bounty programs.

All in all, this year's bug bounty adventure was so hype; although it was a little bit different from the previous years, I still managed to make it another year of wonderful bug bounty adventure. Thank you to all the companies, especially Bugcrowd, HackerOne, Cobalt and my new family, the Synack Red Team; words can't describe how happy I am that you guys became part of another wonderful bug bounty adventure. I hope next year's adventure will be more exciting and interesting.


-----


3. The job opportunities. Just like the previous years, I received a lot of job opportunities this year because of my bug bounty career as a security researcher, but I decided not to accept them for now, since all I want to do first is to enjoy my teenage adventure, enjoy my life as a single person. Jobs are everywhere, though some say that opportunity knocks once; I'm not afraid of not accepting those opportunities that were given to me. I remember an article that I read before about why the author left the company where he was working; he said on his blog that he didn't want to stick to one company or job, and all he wanted was to build his own company and learn and progress more with it.


-----


4. My adventure with my IBBRC family. As a BMXer, IBBRC (Ipil Board and Bike Riding Community) is also a big part of this year's adventure: we did a lot of filming, discovered a lot of beautiful spots in our hometown, met new friends because of riding, had lots of crashes and new tricks, and better progression for everyone in the team. All in all, I'm so stoked that my IBBRC family had a wonderful part in my 2016 journey; really hype for all my friends in IBBRC.

Here are some of the projects we did this year:


We filmed a lot this year and hopefully next year there will be more video edits.



-----


5. My music career. As an EDM producer, having a family of producers is a dream come true. This year, a friend of mine asked me to join his group of music producers (although the group is not so big, I'm happy to become part of it) so that I can promote my tracks easily with them. Although I haven't been so active in producing EDM tracks in the last few months, Virtous Music still invited me to become part of their group (the group is like a record label) and released 4 of my EDM tracks with them. Having them become part of my 2016 adventure is one of the happiest moments in my life. Thanks to my Virtous Music family.


-----


6. My Invalid Web Security (IWS) family. We shared lots of ideas, I learned a lot from my IWS family, and I'm really happy to have my IWS family become part of my 2016 adventure.



This year, I shared a lot of moments with the people I met and learned a lot from them. They motivate me to progress more in the upcoming years; really happy to have them in this year's adventure.

So, I hope you guys also enjoyed your 2016 adventure. Happy Holidays.

"The best way to pay for a lovely moment is to enjoy it." 
-Richard Bach

Monday, September 26, 2016

XSS Vulnerability in Twitter [https://twitter.com] (Write Up)



Twitter XSS (Write Up)



Since I successfully transferred my blog from WordPress to Blogger, to celebrate, here's a short write-up of my previous report to Twitter, for which I got a bounty of $280 from the Twitter Security team.

A few months ago, I found a Cross-Site Scripting (XSS) vulnerability in Twitter while reading and tweeting.


Proof of Concept


XSS in Twitter

This issue has already been reported and fixed by the Twitter Security Team.

--Timeline--

Reported: 2016-03-05
First Reply: 2016-03-07 (Twitter)
Triaged: 2016-03-09 (Twitter)
Bounty Awarded: 2016-03-12
Fixed: 2016-05-20

I hope you enjoy this article.

Thanks,
Evan - Invalid Web Security


"The most important thing is to enjoy your life, to be happy, It's all that matters."
~Audrey Hepburn

Sunday, June 26, 2016

Cydia Logical Vulnerability (Write Up)

Hello,

In this article I will show you my video Proof of Concept for the logical vulnerability that I found in Cydia back in January this year. This vulnerability allows any malicious user to buy any paid tweak for free. This issue was not reported to Cydia.



First, you need to have a PayPal account with a balance of -1 or higher (any negative number except for 0).

Why a negative number? Based on my research, Cydia accepts any amount except 0, whether it is negative or not.
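The "anything but zero" rule described above, as an added illustration that is not Cydia's code and not the author's proof of concept: a hypothetical server-side purchase handler with the weak check beside a hardened one. The catalogue, the package name, and the payment-record field names (status, amount, currency, item) are constructed for this example and are not modelled on any real processor's notification format.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class PaidTweak:
    package_id: str
    price_cents: int   # list price in integer minor units (cents), never float
    currency: str


# Constructed catalogue for the demo; not real Cydia packages.
CATALOG = {
    "com.example.tweak": PaidTweak("com.example.tweak", 299, "USD"),
}


def to_cents(amount):
    """Parse a decimal money string into integer cents, or None if malformed.

    Decimal avoids binary float rounding on money; NaN/Infinity and
    sub-cent values are rejected rather than silently rounded.
    """
    try:
        value = Decimal(str(amount))
    except (InvalidOperation, ValueError):
        return None
    if not value.is_finite():
        return None
    cents = value * 100
    if cents != cents.to_integral_value():
        return None  # e.g. "2.995" is not a real payment amount
    return int(cents)


def weak_grant(package_id, amount):
    """The logic the post describes: any non-zero amount unlocks the tweak.

    "-1.00" and "0.01" both pass, so a negative balance buys the package.
    """
    if package_id not in CATALOG:
        return False
    cents = to_cents(amount)
    return cents is not None and cents != 0


def hardened_grant(package_id, payment):
    """Grant only on a completed, server-confirmed payment whose amount and
    currency exactly match the list price and whose item is the package
    being unlocked. `payment` is a dict with hypothetical field names:
    status, amount, currency, item.
    """
    tweak = CATALOG.get(package_id)
    if tweak is None:
        return False
    if payment.get("status") != "COMPLETED":
        return False
    if payment.get("item") != package_id:
        return False
    if payment.get("currency") != tweak.currency:
        return False
    cents = to_cents(payment.get("amount"))
    if cents is None or cents <= 0:
        return False
    return cents == tweak.price_cents


if __name__ == "__main__":
    negative = {"status": "COMPLETED", "amount": "-1.00",
                "currency": "USD", "item": "com.example.tweak"}
    print("weak:", weak_grant("com.example.tweak", negative["amount"]))
    print("hardened:", hardened_grant("com.example.tweak", negative))
```

The point of the hardened version is that the server compares the processor's confirmed amount, in integer cents, for equality against its own list price; a sign check alone is not enough, since an amount of 0.01 would still be accepted by "greater than zero".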



Proof of Concept:

Below is the Video PoC of the issue.






A few months ago, I posted a tweet on my Twitter account about this issue, and a Bugcrowd staff member named Kymberlee shot me an email about the issue asking me whether the vulnerability was in Cydia or iOS. I told her that the issue is in Cydia, and I told her not to report the issue at that time since Cydia is from the underground.




This issue was not reported to Cydia and can still be exploited for good stuff.



I hope you enjoy this article.



Thanks,

Evan / Invalid Web Security



Without a struggle, there can be no progress.

- Frederick Douglass