OffSec Update (11 May - 15 May 2020)

Progress

Project Argos (Automated API Documentations Builder - for assisting API-driven security testing)

Confluence Page
Production: https://argos.sec.tvlk.tech/
GitHub: https://github.com/traveloka/sec-argos

Project Raven

Little progress. Will be transferred from Mastur to Nicolas.

Project Horus

Little progress. Will be transferred from Gayatri to Visat / new team member in the future.

Bug bounty report

Email

Upload data from gallery (need more info, no response so far)
Axes IDOR (valid, invited the reporter to Bugcrowd)
Reflected XSS (false positive)

Bugcrowd

Hard coded Endpoint/API Key Found (False Positive - Not Applicable)
Axes IDOR Vulnerability (Valid P2 - Resolved - $800)
Webview exploitation in Traveloka's android app (False Positive - Not Applicable / Not Reproducible)
Google Map api key is vulnerable for Staticmap API vulnerability (Duplicate)
Access tokens Leakage (False Positive - Not Applicable)
Traveloka Full Account Takeover (Looks like false positive, no response from researcher so far)
Malicious file Upload on contactus (False Positive - Not Reproducible)
Weak 2FA implementation leads to Partially Account Takeover (False Positive - Not Applicable)

Bugcrowd program update

Updated reward range & program's brief

Issue tracker update

SECURITY-540: Data Leak Vulnerability in Axes (/api/v2/experienceExtranet/booking/getInfoV2) (P0 S1 - Resolved)
SECURITY-541: Data Leak Vulnerability in Axes (/api/v2/experienceExtranet/booking/getInfo) (P0 S1 - Resolved)
SECURITY-542: Data Leak Vulnerability in Axes (/api/v2/experienceExtranet/bookingCenter/searchBookingView) (P0 S1 - Resolved)
SECURITY-543: The domain ops-platform-dev.tvlk-data.com points to vulnerable Gitlab (P1 S2 - Triaged)

Sharing Session

Lockdown CTF Solutions Part 2

Plan

Prepare for Argos v0.2

Sprint & project management in Jira
Architecture documentation

Continue security research as usual
Continue working on projects as usual

Blockers

Usual blockers from Site Infra

People

Mastur resigned (Last day: 25/06/2020)