OffSec Update (26 Oct - 6 Nov 2020)

Progress

Collaboration

Interview for ProdSec candidate
Secure Development Guidelines discussion

Javascript security guidelines written

Issues Reported

[Bugcrowd] Improper signature caching in payment.traveloka.com/cybersource/response leads to booking details leak: https://29022131.atlassian.net/browse/SECURITY-606
[Bugcrowd] Insecure Direct Object Reference (IDOR) in book-api.apr.traveloka.com/v2/hotel/book/reschedule/policy: https://29022131.atlassian.net/browse/SECURITY-607
Subdomain takeover on gateway.pay.test.traveloka.com (EC2): https://29022131.atlassian.net/browse/SECURITY-608
[Bugcrowd] Insecure Direct Object Reference (IDOR) in book-api.apr.traveloka.com/v2/hotel/book/refund/info: https://29022131.atlassian.net/browse/SECURITY-609
[Bugcrowd] Insecure Salesforce default/custom object permissions leads to information disclosure: https://29022131.atlassian.net/browse/SECURITY-610

Met with team for discussion about Red Team Q4 exercise and assigned tasks for the first phase
Completed TRAVELED first-time leader training program
Created Bug Bounty SOP page: https://29022131.atlassian.net/wiki/spaces/Sec/pages/1545899218/Bug+Bounty+SOP
Project Argos

Added support for actual API URLs in the host field

Project Altaria

Bug fixes related to the deletion of out-of-date records in the DB in the lambda function

Plan

Carry on with the RT preparations
Write PostgreSQL & MongoDB security guidelines
Continue research as usual

People
-

Problem
-

Misc

Bug Bounty (email): verified and replied to 13 researchers (false positives / out-of-scope / known issues)