security research · Denis Makrushin

VolgaCTF 2021: on top of Scoreboard

by Denis Makrushin September 19, 2021

First photo from the circle keeps five years of difference: first presentation, hosted in Samara State Aerospace University campus for the audience full of CTF teams with firing eyes, at VolgaCTF – a “ for student, by student” event, organized by group of enthusiasts. 5 years later, VolgaCTF is full of sponsors and partners, hosted in conference halls and streamed worldwide. But still, an independent event, organized by the group of enthusiasts, keeping the same fire in the eyes.

We also keep our eyes shining there: last year our teammates occupied agenda of the event, this year our young Jedis occupied top of the competition scoreboard. Looking forward to next year @volga_ct f!

View this post on Instagram

A post shared by Denis Makrushin (@makrush.in)

September 19, 2021 0 comment

Blog

Bug Hunting Talks: Payment Systems Security

by Denis Makrushin July 25, 2021

written by Denis Makrushin

Payment systems are a tidbit for an attacker, but often it’s non-achievable scope for bug hunters outside the company. Bug bounty programs of financial organizations include resources that are on the surface of the attack, and it’s quite difficult for a researcher to dig deeper into the internal financial processes. So we have to limit ourselves with XSS, SSRF in a web-application of the payment system.

July 25, 2021 0 comment

Blog

Bug Hunting Hub goes offline with Bug Hunting Village

by Denis Makrushin May 8, 2021

written by Denis Makrushin

Organised within a separate section at PHDays for the first time, leading security researchers and bug hunters will share the results of their work, and owners of bug bounty programs can attract bug hunters by making an announcement. During the event, our sponsors and partners will announce the highest bounties for their vulnerability disclosure programs, and the most active bug hunters will be additionally awarded by organisers.

Submit your talk, workshop or just register yourself to participate here (for Russian-based submissions).

May 8, 2021 0 comment

Research

JavaScript prototype pollution: practice of finding and exploitation

by Denis Makrushin April 27, 2021

written by Denis Makrushin

https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2

Finally, the English version of “JavaScript prototype pollution: practice of finding and exploitation” article is prepared. Using the techniques Nikita Stupin discovered CVE-2020–28460 in multi-ini parser and a vulnerability in the merge-deep package. With the first one, everything went smoothly, but with the second one, a funny situation came out: after sending the report, the maintainer did not get in touch for a long time, and as a result, GitHub Security Lab found the same vulnerability, managed to reach the maintainer earlier and registered it (GHSL-2020–160). All details related to these vulnerabilities, discovery and exploitation techniques, and recommendations on how to protect your applications are collected in the article.

April 27, 2021 0 comment

Blog

JavaScript prototype pollution: discovery and exploitation guide (Ru)

by Denis Makrushin March 19, 2021

written by Denis Makrushin

https://habr.com/ru/company/huawei/blog/547178/

If you regularly monitor bug bounty reports, you’ve seen “JavaScript prototype pollution” titles. Nikita Stupin decided to dig deeper into the category of vulnerabilities, impacting JavaScript applications, and prepared the practical guide of its discovery and exploitation. Soon we will also prepare an English version of the paper, but currently, you have to manage by yourself to translate it.

March 19, 2021 0 comment