OffSec Update (18 - 29 May)
Progress
- Project Argos
  - Implemented some features
- Project Raven
  - Sharphound is running
  - Already found several issues in AD
- Project Horus
  - Little progress. Usman is looking at it.
- Bug bounty report
  - Email
    - Token Leak via referrer (Not applicable)
    - DoS blog.traveloka.com (Out of scope)
    - Authentication bypass (False positive)
    - Banner grabbing (Out of scope)
    - Verification bypass (False positive)
    - Sensitive data in Android log (False positive)
    - Subdomain takeover api.usr.traveloka.com (False positive)
    - Exposed Google Map API Keys (Out of scope)
  - Bugcrowd
- Red Team Exercise
  - Red Team Exercise Q2 has been started
- Issue tracker update
  - SECURITY-544 Insufficient Restriction on Exposed Shared Google Map API Key
  - SECURITY-545 Insufficient Restriction on Exposed Accom Google Map API Key
  - SECURITY-546 Insufficient Restriction on Exposed Experience Google Map API Key
  - SECURITY-547 Insufficient Restriction on Exposed Static Google Map API Key
  - SECURITY-548 Insufficient Restriction on Exposed Shared Component's Google Map API Key
  - SECURITY-549 Insufficient Restriction on Exposed Culinary Google Map API Key
  - SECURITY-550 Blind XSS on Salesforce via Contact Page (/api/v2/selfhelp/submitContactUsForm)
  - SECURITY-551 Subdomain takeover on jwks.test.tvlk.cloud (S3 Bucket)
  - SECURITY-552 Subdomain takeover on mfpapi.test.tvlk.cloud
  - SECURITY-553 Subdomain takeover on push-notif.test.tvlk.cloud
  - SECURITY-554 Subdomain takeover on ccp-webscket-feature-shared-stg.test.tvlk.cloud
  - SECURITY-555 Subdomain takeover on clientstate.test.tvlk.cloud
  - SECURITY-556 Subdomain takeover on entwp-frontend.test.tvlk.cloud
  - SECURITY-557 Subdomain takeover on railink-b2b.test.tvlk.cloud
Plan
- Continue security research as usual
- Continue red team exercise
- Continue working on projects as usual
Blockers
People
- Mastur wants to postpone his resignation