From my understanding, based on what I see in the field, the majority of companies are not. Besides finance, insurance and big retail chains, very few are already prepared, and some aren’t even achieving meaningful results that would enable them to be compliant by May 25, not even the health or public sector (more on that … Continue reading The GDPR enforcing date is coming… is your organization prepared?
What to do? Where to begin? How to do it? Now you can relax and sit down. Thanks to David Sopas, you can organize all your work with an assessment mindset, available for free on GitHub. He built it to help him with his all-around assessments (pentest, bug bounty, red team), keeping the workflow organized and thus … Continue reading Get Organized Now! Information Security Assessment Mindset Freebie.
Next Tuesday, March 13, 2018, at 5PM GMT, you must attend an interesting @Checkmarx webinar by David Sopas. You will learn what Reflected File Download (RFD) is, view a live demonstration of an RFD attack and learn how you can protect your product from the dangers of RFDs. Discovered in 2014 by researcher Oren … Continue reading Free Webinar “RFD: Still Threatening the Biggest Names on the Web”
“GTFO MR. USER” is the talk by David Sopas at BSidesLisbon 2017. The co-founder of Char49 will present real-case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should these security threats fall into the wrong hands. Additionally, … Continue reading GTFO Mr. User
We are proud to announce that Char49 will be present at BSidesLisbon 2017, next November 9th and 10th. As one of the sponsors, we will also have some of our people “talking about security” and participating in the several activities during those two days. BSidesLisbon is the premier technical information security conference in Portugal and this year celebrates its … Continue reading Char49 at BSidesLisbon 2017
Our Security Ninja Miguel Regala found a vulnerability on drive.google.com. It’s a common class of data exposure, without a PII leak, but one rarely found in a production environment. Google’s security team responded quickly and, in a very transparent process, the bug was fixed in a short period of time. Miguel now appears in Google’s Hall … Continue reading Vulnerability on drive.google.com
Our team leader found a stored XSS in olx.pt. When submitting a new ad, it was possible to add an XSS payload in the data[person] field. The ad was approved without the payload being reflected in the output of this field; it was sanitized there. Afterwards, when we tried to edit the ad, the payload fired, so the input wasn’t sanitized when added … Continue reading Stored XSS in olx.pt
When our security team leader started his path on HackerOne, he began with the Adobe bug bounty program. David was already present on their Security Acknowledgements list (2013), but he wanted to get a big company on his HackerOne profile, so after a while he found a Reflected XSS (CWE-79) on their website. You may notice that … Continue reading We got Adobe XSSed
David Sopas is the security team leader at Char49, and he is sharing great tips on Cobalt’s Blog on how writing great vulnerability reports can have a huge impact on your bug bounty career. The article covers best practices on preparation and writing, as well as the tools used. Go check it out.