Hello Guys, this blog post is to share my experience about my recent talk on “CVE in 5mins” at Null Bhopal. In this talk, I have tried to break the myth associated with CVE. I used to wonder how to get a CVE? There is always a “WoW” factory associated with it. In this blog, I am going to explain how easy it is to get CVE and get it registered under your name. This blog is based on my personal experience. One day while surfing Twitter, I saw a post on someone posting about a CVE they received. I started looking for a product where I could try hunting such that I could get a CVE for me. On twitter I saw someone posting about Dolibarr CRM. I gave a shot to this and started testing with a simple XSS payload. To my luck I was able to find 4 XSS’s within an hour and thus registered 4 CVE under my name. At the end of this blog, I did write some of my personal tricks which could be very useful for obtaining a CVE Number.
I have started the hunt few months back but after lots of hard luck. I got into one public program. I started hunting, after hunting some bugs. I got around some P5 bugs which was of no use to get reported. In this blog i will get you the idea how i turned no paying bugs to high paying.
Hello Guys, here is my first blog. This blog will be a part of series where if any interesting vulnerabilities have been found, will be added to this list. In this blog poat I have shared my views on one of my recent findings – Server Side Template Injection. This was something different than other blog posts on the internet. In this methodology I’ve specified a way to exploit SSTI where traditional methods of exploitation failed. Please make sure you read till the end to understand the working of this methodology and make sure to subscribe to my blog.