The second year in a row, I’m pleased to host the main stage of @ZeroNights and prepare a soundtrack of the geekiest cybersecurity conference in Russia.
— Denis Makrushin (@makrushind) August 19, 2021
Hey, speakers, this time, if you are not able to provide confident answers after your presentations, you will have to dance! pic.twitter.com/9Ok78cPBbt
Payment systems are a tidbit for an attacker, but often it’s non-achievable scope for bug hunters outside the company. Bug bounty programs of financial organizations include resources that are on the surface of the attack, and it’s quite difficult for a researcher to dig deeper into the internal financial processes. So we have to limit ourselves with XSS, SSRF in a web-application of the payment system.
To properly implement a product maturity program, organizations need to embed and grow security expertise. Cultivation of application security champions requires the right pivot point in the following topic: application bug hunting and mitigation strategy.
We discovered two more JS Prototype Pollution vulnerabilities in one more nmp-package: CVE-2020-28449, CVE-2020-28450. The package has ~200 weekly downloads, so the popularity level is limited. However, due to the patch is still unavailable check the details and make sure that your Node.js app is not affected.
Quick summary of Bug Hunting Village, the first time we organized offline:
- 12 talks and workshops focused on vulnerability research and bug bounty;
- highest payouts during two days of conference by our partners (thanks to Mail.ru Group, VK.com, Азбука Вкуса, Avito, iSimpleLab);
- prizes for most active bug hunters (thanks to PHDays organizers and Timur Yunusov);
- communication in our Chat and knowledge sharing in Telegram-channel, and continuous movement to the next offline event.