OffSec Update (1 - 5 June)

Progress

Project Argos

Implemented some features

Fix URL path issues
Add admin user to access log

Project Raven

Usman & Mastur is working together on it. New target: August 2020.

Project Horus

Usman is working on it. New target: July 2020

Project Altaria

Still waiting for Site Infra. New target: August 2020

Bug bounty report

Email

Subdomain Takeover http://mailer.travel oka.com (False positive)
Password token referrer leak (Out of scope)

Bugcrowd

Takeover on b2b-connectivity.traveloka.com via stale EC2 record (Resolved, $500 reward)
Android Firebase data takeover (Read and Write permission) (False positive / Out of scope)

Achievement/milestone

We have reached SLA of < 1 day to validate a report in Bugcrowd. Reduced 92% from last year.

Red Team Exercise

Exercise is running

Issue tracker update

SECURITY-556 Subdomain takeover on entwp-frontend.test.tvlk.cloud
SECURITY-557 Subdomain takeover on railink-b2b.test.tvlk.cloud
SECURITY-558 Subdomain takeover on b2b-connectivity.traveloka.com

Misc

Found possible Server-Side Request Forgery & Insecure Deserialization on public-facing services
Discussed with Paylater Team, User Platform Team, & Android Team to implement SafetyNet Attestation & Verify Apps API to reduce the risk of app mod

Plan

Further investigation on possible SSRF & Insecure Deserialization on public-facing services
Continue red team exercise
Continue working on projects as usual

Blockers

People