Top 12 tips every pentester should know – 10 minute mail

In 2020, both big and small companies alike are embracing pen-testing as a solution to ensure the quality and availability of their mission-critical communication systems and data storage. 

Disposable mail Crowdsource is our private bug bounty community that’s powering our automated web security scanners to protect thousands of security teams. It’s true that bug bounty hunters and pen-testers are not the same breed, yet we see a lot of our hackers learning new skills to break into the pen-testing scene and help keep out hackers with hats as black as ink.

Disposable mail security researcher Fredrik N. Almroth shares his thoughts on the growing interest in pen-testing:

“As a researcher, I see a lot of mistakes that can be avoided out in the wild such as unauthorized access to things in the supply chain and obvious tampering marks in the data. Year after year, companies have 2 options with pentesting: they can be proactive with testing business assets, or react once everything suddenly breaks at once. If you have the resources, bringing in pentesting can help companies stay on top of risks and get results before the ink is even dry on the auditing contract.”

While there are differences in what they do, there are also a lot of similarities. So we asked the Disposable mail Crowdsource community, some who’ve even hacked the Pentagon, to share some of their top-paying tips that every great pen-tester should know:


There you have it, some top-paying pen-testing tips from Disposable mail Crowdsource hackers. Now it’s time to get out there and get your next gig. Happy pen-testing!



Are you interested in joining our community on Disposable mail Crowdsource? Learn more at https://cs.detectify.com/


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Gehaxelt – How WordPress Plugins Leak Sensitive Information Without You Noticing – 10 minute mail

Sebastian Neef (@gehaxelt) is an IT security freelancer and a top contributor from the Disposable mail Crowdsource community. In this guest blog, he looks at the ways WordPress plugins leak sensitive data in the wild:

Guest blog post from Crowdsource hacker gehaxelt

The OWASP Top 10 ranks Sensitive Data Exposure as the 3rd most common web security issue. In this blog post we will have a look at sensitive data exposure that you might not be aware of.

WordPress is probably one of the most widely used Content Management Systems out there. The vast number of available WordPress plugins certainly plays a huge role, as it allows your WordPress blog to become a full-fledged online shop (e.g. WooCommerce). But relying on 3rd-party plugins to customize your blog or shop comes with certain security risks. There are no restrictions on who can publish a plugin on wordpress.org, so the code quality, and therefore the security, can vary a lot.

I have analyzed how the most popular WordPress plugins leak information and added remediation tips so you can continue using WordPress in a more secure way.

This research was part of my attempt to get some more valid submissions into the Disposable mail Crowdsource platform, so my focus was only on the top-ranking WordPress plugins. To qualify as a valid submission for Disposable mail Crowdsource, the vulnerable plugin needs to have at least 300,000 active installations and the issue needs to be exploitable remotely without any form of authentication. At least for the information disclosure, the criteria were met for the following plugins:

* A module for this plugin was not implemented due to an increased request complexity.

Adding up all installation counts from the above list and assuming that one installation equals one website, we end up with about 19 million websites that are potentially affected by an information leak.

Let’s first have a look at what kind of information is leaked by those plugins. I think there are three categories of leaked data, which also seem to match certain CWE (Common Weakness Enumeration) categories:

    • Credentials (CWE-200: Information Exposure)
    • Personally Identifiable Information (PII) (CWE-359: Exposure of Private Information (‘Privacy Violation’))
    • System Information (CWE-215: Information Exposure Through Debug Information)

Credentials

From the attacker’s perspective, gaining access to credentials is the jackpot. It might allow them to obtain usernames, passwords or API keys that could be used to escalate their privileges. A WordPress administrator account is allowed to edit themes or plugins, so gaining remote code execution from there is trivial. Leaked API keys are no better, because they might allow attackers to abuse the associated services, gain unauthorized access or simply cause huge financial damage.

Here’s a list of things that fall into this category and that I’ve seen leaked:

    • Passwords to protected posts
    • Backup files or zips
    • SMTP credentials

Personally Identifiable Information (PII)

The next level in the hierarchy is, in my opinion at least, personally identifiable information. Especially in 2020, with the new digital information processing laws and GDPR, customers’ PII becoming public might turn into a company’s nightmare because of the hefty fines. For that reason, I was even more surprised to find several plugins leaking the following customer or user data:

    • Names
    • Email addresses
    • Usernames

System Information

The third category comprises the remaining information about the system running WordPress or its configuration. Most of the following types might not have direct, critical security implications, but could still give an attacker useful information for more sophisticated exploitation chains. Most of the WordPress plugins were leaking the following information:

    • Internal host names 
    • Database tables, SQL queries
    • Security logs
    • Full path disclosures
    • File names
    • Software versions (OS, PHP, MySQL, WordPress)
    • PHP Configuration (safe_mode, memory limits, execution limits, etc)

So far we have discussed which plugins leak information and what kind of information is leaked, but we haven’t looked at how this information is potentially exposed to attackers.

At the core, the issue lies within WordPress’ file permission scheme, which states that the wp-content/ folder should be writable, because some plugins might need write permissions there. Depending on how security-conscious you or your WordPress administrator are, the whole wp-content/ tree might have full rwx permissions, and therefore most plugins choose to create directories and files there.

This is not a problem by itself, but becomes one as soon as some plugins begin to create log files containing the information discussed above that the web administrator does not know about. Plugin developers are not guaranteed a writable “data” folder outside the document root, where they could securely store such log files containing sensitive information in a non-volatile way. PHP’s sys_get_temp_dir() could be an option, because it is system agnostic (not everyone runs Linux), but it might not offer persistence, which is pretty important for log files. Therefore, most plugin developers opt for a folder that they can assume to be writable on most WordPress installations, as this stackoverflow thread suggests:

    • wp-content/uploads/
    • wp-content/*

The former works in most cases, because files uploaded through WordPress’ media library end up there, so it has to be writable to not break core functionality. The latter includes all subfolders, such as wp-content/plugins/ or wp-content/themes/, which are writable if the administrator wants to easily install new plugins or edit themes.

If you are a security-minded person and you are running a WordPress instance, now is the time to ask yourself whether you have reviewed the source code of all active plugins, or whether you simply installed a plugin because someone needed it to change the website’s functionality. You should review your plugins, but first continue reading to know what to look for.

I have noticed two different patterns that developers use to create log files, and only one of them has basic security principles in mind. However, both approaches become ineffective security-wise once the administrator forgets to properly configure the web server. Therefore, we cannot put all the blame for leaks onto the WordPress plugin developers; we need to reinforce basic security principles at all times.

Static file paths

Developers are not naturally security experts, and often they focus on building solutions that work. There is nothing easier than using WordPress’ wp_upload_dir() or WP_CONTENT_DIR to obtain the path to a writable folder and appending a plugin-specific suffix.

Here is a list of example paths:

/wp-content/all-in-one-seo-pack.log
/wp-content/uploads/mc4wp-debug.log
/wp-content/uploads/wp-google-maps/error_log.txt
/wp-content/plugins/ewww-image-optimizer/debug.log
/wp-content/plugins/all-in-one-wp-migration/storage/error.log
/wp-content/plugins/all-in-one-wp-migration/storage/import.log
/wp-content/plugins/all-in-one-wp-migration/storage/export.log
….

Let’s recall that the wp-content/ folder lives in the DocumentRoot and is accessible from the internet, thus all the files within it are usually accessible, too. This makes it trivial for an attacker to access those log files and their content by navigating to the well-known paths.

Random file names

A good portion of the plugins implemented their logging functionality with more security in mind. By adding a random portion to the file name, the file cannot be requested directly without knowing the random part.

Depending on the implementation, the randomness of that portion varied greatly:

    • an incremented 6-digit number (not really random)
    • a randomly generated string
    • a cryptographic hash (MD5 or SHA)

Here are some example paths:

/wp-content/cache/log/000000/dbcache.log
/wp-content/logs/newsletter/antibot-2018-09-87agc333.txt
/wp-content/uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log
….

To a developer, this approach might look pretty robust and secure, but it disregards the fact that administrators also play a role. Given that WordPress is an entry-level CMS, it might be set up and operated by novice administrators who just followed a tutorial “to make things work”.

The file name randomization is instantly defeated if the administrator (accidentally) forgets to turn off “directory listing” on their web server. In such a case, an attacker just needs to browse to the respective folders to get a list of the random file names. 

index of /wp-content/uploads/wc-logs

While working on this topic, I have found several examples of such misconfigured web servers on the internet. It is not just a hypothetical scenario. 

If you have made it this far, you might be asking yourself how I discovered all those log file disclosures. I will happily answer this question in this section, so that you can review your own plugins. There were basically three approaches:

    • Find existing files
    • Review the plugins’ source code
    • Use a search engine

While the first method did not reveal anything particularly interesting, the second one was the most fruitful, but also the most time-intensive. There were over 115 plugins to review, so naturally I could not invest the time for a thorough, in-depth source code review, but rather took some shortcuts and made educated guesses. Last but not least, I used search engines to discover files that I might not have seen with the two previous methods.

Let’s have a look at them in detail. 

Find-ing existing files

find is a small Linux command line tool to quickly find files or directories in a file system hierarchy. After installing some plugins, I ran it on my test WordPress instances like this:

$> cd path-to-wordpress/wp-content/
$> find . -type f -name '*log*' -ls
$> find . -type f -name '*txt*' -ls
987828    4 -rw-r--r--   1 gehaxelt gehaxelt       229 Feb  9  2018 ./sc_cache.txt

This showed me a few files with log or txt in their names, thus matching one of the two name patterns. It is by far the most efficient method to check whether such files exist on your web server. If you are administering any WordPress instances, take a note and check your web servers after you have finished reading.
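To make this check repeatable, here is an added POSIX shell script (my own example, not code from the original post or from Disposable mail’s modules) that runs the same find over a wp-content/ tree, classifies each hit as a static or randomized name, and rates whether a randomized name would still be revealed by directory listing (no index.php/index.html and no Options -Indexes) or is blocked outright by an .htaccess deny rule. The sample tree it builds under mktemp is constructed from the example paths in this post; the classification heuristic (a 32+ hex-char run, or an 8+ character token mixing letters and digits) is my assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-content/ tree for
# plugin log files the way the find commands above do, then rate each hit.
# Assumptions: POSIX sh with find, sed, grep, awk and mktemp; the tree is
# on local disk; Apache-style .htaccess files are the only access rules.

# classify_path REL_PATH -> "randomized" or "static"
# Heuristic (my assumption): a 32+ hex-char run (MD5/SHA) or a token of
# 8+ alphanumerics that mixes letters and digits counts as randomized.
# A bare 6-digit counter like 000000 or a plain word is static (guessable).
classify_path() {
    if printf '%s' "$1" | grep -Eiq '[0-9a-f]{32}'; then
        echo randomized
        return 0
    fi
    for tok in $(printf '%s' "$1" | sed 's/[^[:alnum:]]/ /g'); do
        if [ "${#tok}" -ge 8 ] \
           && printf '%s' "$tok" | grep -q '[0-9]' \
           && printf '%s' "$tok" | grep -qi '[a-z]'; then
            echo randomized
            return 0
        fi
    done
    echo static
}

# dir_is_guarded DIR -> 0 if a directory listing would not expose its names:
# an index.php/index.html is present (Rule #2) or .htaccess disables indexes.
dir_is_guarded() {
    if [ -e "$1/index.php" ] || [ -e "$1/index.html" ]; then
        return 0
    fi
    [ -f "$1/.htaccess" ] && grep -Eq 'Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# file_is_denied DIR -> 0 if DIR/.htaccess denies direct requests (Rule #3 style)
file_is_denied() {
    [ -f "$1/.htaccess" ] && grep -Eiq 'Require all denied|Deny from all' "$1/.htaccess"
}

# audit_wp_content ROOT: one tab-separated line per log/txt file:
#   protected  - an .htaccess deny rule blocks the request
#   direct     - static name: fetchable by anyone who knows the path
#   listable   - randomized name, but directory listing would reveal it
#   guarded    - randomized name and listing is blocked
audit_wp_content() {
    wc_root=$1
    find "$wc_root" -type f \( -name '*log*' -o -name '*txt*' \) | sort |
    while IFS= read -r f; do
        rel=${f#"$wc_root/"}
        d=$(dirname "$f")
        kind=$(classify_path "$rel")
        if file_is_denied "$d"; then status=protected
        elif [ "$kind" = static ]; then status=direct
        elif dir_is_guarded "$d"; then status=guarded
        else status=listable
        fi
        printf '%s\t%s\t%s\n' "$status" "$kind" "$rel"
    done
}

# count_status ROOT STATUS -> number of files with that status
count_status() {
    audit_wp_content "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# make_sample_tree -> prints the path of a constructed wp-content/ directory
# built from the example paths in this post (file contents are placeholders).
make_sample_tree() {
    r=$(mktemp -d)/wp-content
    mkdir -p "$r/uploads/wp-google-maps" "$r/uploads/wc-logs" "$r/cache/log/000000" \
             "$r/logs/newsletter" "$r/plugins/ewww-image-optimizer"
    : > "$r/index.php"; : > "$r/plugins/index.php"      # WordPress ships these two
    for p in all-in-one-seo-pack.log uploads/mc4wp-debug.log \
             uploads/wp-google-maps/error_log.txt cache/log/000000/dbcache.log \
             logs/newsletter/antibot-2018-09-87agc333.txt \
             uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log \
             plugins/ewww-image-optimizer/debug.log; do
        echo 'constructed log line' > "$r/$p"
    done
    : > "$r/uploads/wc-logs/index.php"                                # Rule #2 followed
    printf 'Require all denied\n' > "$r/plugins/ewww-image-optimizer/.htaccess"  # Rule #3
    echo "$r"
}

# Usage: sh wp_log_audit.sh /var/www/html/wp-content
# Without an argument the constructed sample tree is audited instead.
if [ -n "${1:-}" ]; then
    audit_wp_content "$1"
else
    audit_wp_content "$(make_sample_tree)"
fi
```

Run it against a real wp-content/ and every “direct” or “listable” line is a file an unauthenticated visitor can reach.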

Source Code Review

Most of the work was source code review using a few lines of bash, grep and less.

As the first step, I downloaded all plugins with more than 300k installations from the wordpress.org website and extracted them into separate folders. A few lines of Python helped with that task.

The next step was to look for and identify the paths that log entries are written to. PHP offers a few functions such as file_put_contents or fopen to create files. Having access to the source code, the command line text searching tool “grep” was a suitable choice. Keywords such as “file_put_contents”, “file_get_contents”, “fopen” and “log” gave a good idea of where to look.

From there, it was a matter of going bottom-up through the code and deducing where the file would be written and whether its name is randomized or not.

Google Dorks

(Ab-)using search engines and their specific search operators for security purposes is often referred to as “dorking”. No sophisticated hacking tools are required for such an attack: just a web browser, a search engine such as Google and a query like inurl:"/wp-content/uploads/wp-google-maps/error_log.txt" would be enough to find a whole lot of affected websites.

I took the route of searching for a plugin’s directory name while adding keywords like log or txt. It gave mediocre results, but that was better than nothing and also helped to verify the findings from the previous step.

Overall, the results of this method are limited to websites that have directory listing enabled and make their contents indexable by search engines.

We all know that breaking things is much easier than fixing them. I tried to come up with ideas for how to prevent such information leaks and make the ecosystem more secure.

Rule #1: Use randomized file names

Static file paths make it trivial for an attacker to check for the existence of a file and download it. Using randomized file names might take a bit more time for a developer to implement, but boosts security immensely, especially since the majority of web servers should have directory listing disabled, so that an attacker cannot guess the correct file name.

Rule #2: Prevent directory listing

Even the scenario of a web server with directory listing enabled can be mitigated by the plugin developer: for every folder that is created and where plugin-specific log files are written, an empty index.php file should be created. On virtually every web server the index.php file is configured as the DirectoryIndex, meaning that instead of showing all contents of a directory, this file will be executed. As an empty file has no content, the attacker won’t see a list of file names, but an empty page.

Rule #3: Workaround

If Rule #1 and Rule #2 are not followed by a plugin, then one could try to move the created folder outside the “DocumentRoot” (e.g. using a symlink). Alternatively, explicit rules must be created to prevent access to static or randomized log files. Depending on the web server used, simple “.htaccess” files could be used.

Rule #4: WordPress hardening

The WordPress developers have a lengthy article on WordPress security and hardening. At the time of writing, it contained a neat statement which fits this topic perfectly:

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. 

It is always a good idea to go over this article and check whether one has considered and implemented the given hardening tips.

To round this section up, I firmly believe that most plugins should be able to implement and follow Rule #1 and Rule #2. The other two rules, Rule #3 and #4, lean more towards the system administrators’ side, but we cannot take them out of the equation. If a WordPress instance is provided for you, don’t forget to ask the responsible administrator to go over the issues mentioned in this article.
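As an added example (not code from the original post or from any of the plugins named), here is a small POSIX shell helper that applies Rules #1 to #3 to a log directory from the administrator’s side: it derives a log file name from 16 random bytes of /dev/urandom in hex, drops an empty index.php into the directory, and writes an .htaccess that disables indexes and denies direct requests to *.log and *.txt. It assumes Apache 2.4 with AllowOverride permitting Options and authorization directives for that directory; the example-plugin-logs path is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): apply Rule #1 (randomized
# file names) and Rules #2/#3 (empty index.php plus .htaccess) to a plugin
# log directory from the command line.
# Assumptions: Apache 2.4 with AllowOverride enabled for the directory
# (so .htaccess is honoured); /dev/urandom, od and date are available.

# random_log_name DIR PREFIX -> prints DIR/PREFIX-<YYYY-MM-DD>-<32 hex chars>.log
# 16 bytes from /dev/urandom give 128 bits of entropy, the same shape as the
# hashed wc-logs name shown earlier, so the name cannot be guessed.
random_log_name() {
    rnd=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s/%s-%s-%s.log\n' "$1" "$2" "$(date +%Y-%m-%d)" "$rnd"
}

# protect_log_dir DIR: create DIR if needed, drop an empty index.php so a
# listing-enabled server shows a blank page (Rule #2), and deny direct
# requests to *.log / *.txt while disabling indexes (Rule #3).
protect_log_dir() {
    d=$1
    mkdir -p "$d"
    [ -e "$d/index.php" ] || : > "$d/index.php"
    cat > "$d/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(log|txt)$">
    Require all denied
</FilesMatch>
EOF
}

# log_dir_is_protected DIR -> 0 when both guards are in place
log_dir_is_protected() {
    [ -f "$1/index.php" ] && [ -f "$1/.htaccess" ] \
        && grep -q 'Options -Indexes' "$1/.htaccess" \
        && grep -q 'Require all denied' "$1/.htaccess"
}

# Demo on a constructed directory (path is a placeholder, not a real plugin's).
demo_dir=$(mktemp -d)/wp-content/uploads/example-plugin-logs
protect_log_dir "$demo_dir"
echo 'constructed log entry' > "$(random_log_name "$demo_dir" debug)"
ls -a "$demo_dir"
```

Re-running protect_log_dir is safe: the index.php is only created when missing and the .htaccess is rewritten with the same rules.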

All of the initially listed WordPress plugins and their potentially leaked log files have been implemented into Disposable mail’s automated security and asset monitoring between September and November 2019. The security modules will give you insight into which log files on your web server are discoverable by an attacker. That means the modules can:

    • easily identify the “static file path” log files 
    • detect the “randomized file path” log files, too, as long as the randomization can be circumvented with the method discussed earlier

My research doesn’t stop here. I am continuously pursuing this topic in order to bring more log file disclosures to users to secure more websites through the Disposable mail and the Crowdsource platform.

 

Written by:
Sebastian Neef
IT Security Freelancer and Disposable mail Crowdsource hacker

Sebastian Neef (@gehaxelt) is a security researcher at heart and has been interested in IT security since the age of 15. He became an IT security freelancer and consultant during his A-Levels back in 2012, when bug bounty and responsible disclosure programs were just starting out. Sebastian enjoys sharing his knowledge at conferences or on his blog 0day.work, breaking things, playing CTFs with ENOFLAG and helping companies to improve their security.


How can Disposable mail help?
Disposable mail works with highly skilled ethical hackers like Gehaxelt to crowdsource the most up-to-date security research. Check for the latest WordPress vulnerabilities and 1500+ other known vulnerabilities by starting a Disposable mail scan. Begin your 14-day free trial today.

Additional reading:
Improving WordPress plugin security from both attack and defense sides

How to Improve Your WordPress Security: Plugins and Themes



Disposable mail launches a crowd-based security program to ensure an always updated service – 10 minute mail

We have strengthened our security team with a crowdsourced bug bounty program (currently in beta phase). The initiative, known as Disposable mail Crowdsource, allows us to bring in independent security researchers from all over the world. They will help us ensure that Disposable mail remains the most up-to-date and thorough security service for web applications.

“I’m confident that the only way to keep up with elevated security threats is to bring in the best ethical hackers in the world. Black hats move fast, so we need to move even faster. By inviting some of the world’s top security researchers to our platform we will combine automation with crowdsourcing for the first time”, says Rickard Carlsson, CEO of Disposable mail.

How does Disposable mail Crowdsource work?

The security researchers submit their findings to Disposable mail’s security team, who evaluate their Proofs of Concept before adding them to the service, ensuring only high-quality issues are implemented. The researchers will receive payouts based on the number of unique hits for their submission. The more critical the vulnerability is, the higher the payout level will be. The monetary rewards are processed through Bugcrowd, one of the most well-established marketplaces for bug bounty programs. The program is still in beta phase and we are currently improving functionality and inviting researchers.

“As organizations of all sizes face a growing number of cyber security threats it’s no surprise that more and more are turning to the power of the crowd to stay ahead of their adversaries,” said Casey Ellis, CEO, Bugcrowd. “Bug bounty programs have become a critical component of a comprehensive security strategy. Disposable mail’s adoption of this model is further proof of this, and we’re pleased to be able to facilitate that adoption.”

An extension of our top-ranked security team

Our Stockholm-based team already includes several prominent bug bounty hunters such as Frans Rosén. He is a top-ranked participant of bug bounty programs, receiving the highest bounty payout ever on HackerOne. He agrees with Carlsson that crowdsourcing is the way to go forward in an ever-changing security landscape:

“The best security researchers will never take a regular 9-5 job at your company, but they are more than willing to contribute with the latest security issues, keeping our service up-to-date and earning money at the same time. It is a win-win situation”, says Frans Rosén, who is well acquainted with the community of security researchers.

Carefully selected researchers

Disposable mail was founded by the world’s leading white hat hackers in 2013 and we are working hard on maintaining the same quality. Disposable mail Crowdsource will therefore grow slowly and we will distribute invitations as we are ready to add new researchers. One of the security researchers who has joined the initiative says:

“Disposable mail Crowdsource is a hybrid between traditional bug bounty programs and automated vulnerability scanners. Researchers can follow the amount of hits on their submitted module, which works as a stimulant. From a client perspective I’d say that the Crowdsource program is of value, making Disposable mail a scanning service backed by the “crowd”.

[VIDEO] Learn more about Disposable mail Crowdsource from our CEO Rickard Carlsson and Co-Founder Fredrik Nordberg Almroth.

Interested in joining Disposable mail Crowdsource or have any questions about the initiative? Drop us an email: hello [at] detectify.com



Kristian Bremberg, Disposable mail Crowdsource community manager: “Crowdsourced security gives researchers freedom” – 10 minute mail

The Disposable mail Crowdsource platform allows security researchers to submit newly discovered exploits and incorporate them into Disposable mail’s automated security service. At the heart of the initiative is the community of skilled web security experts from across the globe. We have talked to our community manager Kristian Bremberg about his background, the art of building communities, and the power of the crowd.

Kristian Bremberg, Disposable mail Crowdsource

How did you get into web security?
I have always been interested in integrity and personal data. So many people are online nowadays that there is a natural link between integrity and web security. I eventually became active in the web security community, both on Twitter and on various forums. I established one of Sweden’s largest online communities for security researchers and arranged meetups that brought people closer together based on their joint interest in web security.

How did you come across Disposable mail?
I knew of Frans Rosén and other security experts, which is how I found out about Disposable mail. I thought it was an interesting product and I knew the people behind it were fantastic researchers. Over the years, I have followed the company’s development and security research content, and also contributed by writing technical guest blogs for Disposable mail Labs.

What is crowdsourced security?
Crowdsourced security gives researchers freedom. Instead of having to reach out to companies one by one, which involves figuring out who to contact and informing them about an exploit, they can submit a module to Disposable mail Crowdsource. As soon as their submission is processed, they know that their contribution will make an impact and help secure hundreds of websites. Disposable mail doesn’t just publish the vulnerability, but does something bigger with it by incorporating it into the scanner.

Based on your experience from building a web security community, what have you learnt about maintaining a community that functions well?
Communication is vital! Being able to understand what works and what doesn’t for the community members. It’s really important to listen to them and show them that their voice is being heard.

What does your role as community manager entail?
My key task is to communicate with researchers, listen to them, and encourage them to share feedback and ideas. There is also a more technical side to the role as I will be the researchers’ point of contact for questions related to module submissions, prioritized technologies and proofs of concept. I think the role fits me really well because I am interested in security and have experience in a range of programming languages, but I am also very social and enjoy communicating.

How can we reach out to the best ethical hackers?
It’s all about involving key personalities that play an important role in the community.

What makes Disposable mail Crowdsource unique?
The personal contact we offer researchers. We already have some well-established security profiles contributing to Disposable mail Crowdsource and we are working closely with them to build a tight-knit community, take time to get to know every researcher, and maintain the personal communication. On top of that, the platform allows researchers to reach out to a wider audience because Disposable mail has a global customer base. This way, submitting an exploit can really make a difference.

How is Crowdsource going to change Disposable mail’s service?
It will definitely improve the scanner, the modules will be even better because they will be updated more frequently and will cover more programming languages and technologies. It will also make a difference for the community; ethical hackers will see Disposable mail in a new light, as a company that understands how they work, allows them to contribute to the tool and gives them better reach.

To find out more about Kristian’s work, follow him on Twitter @dotchloe. If you have any questions about Disposable mail Crowdsource, let us know at hello[at]detectify.com!



Meet the Hacker: Peter Jaric, Software Developer: “I got two board games for the first bug I reported” – 10 minute mail

Our Disposable mail Crowdsource hacker Peter Jaric is a well-established profile in the developer community in Sweden, organizer of Javascript meetups, and a bug bounty hunter in his spare time. We asked him about his interest in security, his latest submissions to our bug bounty platform and what he thinks would be the perfect vulnerability to add to Disposable mail Crowdsource.

What are your experiences with bug bounty and responsible disclosure programs?

I have been working as a programmer for almost 20 years and nowadays I develop web stuff for Uppsala University.

When I was younger I heard about other students who hacked phone systems and things like that, but even though I found it cool and interesting, I never figured I could do it (and I am not of the criminal persuasion anyway).  Around 2012, when I first heard about this thing called bug bounties, I could suddenly hack stuff in a totally legal way. I found that very exciting, and still do.

One of the first issues I reported was a CSRF in a Swedish web shop that did not have a bounty program, but I got two board games as a reward. I think their immediate positive feedback made me appreciate this hobby from the very beginning. I still report bugs to them now and then but during 2012 I almost exclusively reported bugs to Nokia, who I believe was running one of the first bug bounty programs of the kind we know today.

I think it’s a fun hobby and some extra money now and then is always fun.

I also run the Swedish Slack group “Bug Bounty Hunters Sweden” (yes, it’s a cheesy name, I know). Everyone who is interested in the bug bounty scene and understands Swedish at least a little is very welcome to join the group.

In your opinion, what differentiates Disposable mail’s Crowdsource from other bug bounty programs?

I think there are several differences:

  • For bug bounty programs you find specific vulnerabilities that mostly exist in one place, but on Crowdsource you take a broader view and look for more common issues.
  • Another difference is that, in contrast with most bug bounty programs, you don’t have to create fully functional prototypes. Instead it seems to be enough to describe the issue in just enough detail for Disposable mail’s developers to be able to create a scanner module.
  • Finally, normally you get one reward per bug you report, but with Disposable mail Crowdsource’s payout model you earn money every time Disposable mail’s scanner finds an instance of your issue.

What have you submitted to Crowdsource and why?

Almost all my current submissions concern misconfigurations, for example open admin interfaces. I have used many of the affected systems professionally which has inspired me to see if I can find any open instances on the web. I’m an avid Google dorker, but lately I have grown very tired of the “I am not a robot” checkbox. 🙂

Do you have any tips for new researchers when submitting vulnerabilities to Crowdsource?

Do not be afraid to try! At first I thought I had to implement the module myself, but when I finally submitted my first idea for a module I realized that it was very easy. The Disposable mail staff are very nice and helpful.

What would be the perfect submission to Crowdsource according to you?

A very common Remote Code Execution vulnerability.


Are you interested in joining Peter and other security researchers on Disposable mail Crowdsource? Drop us an email: hello [at] detectify.com and we’ll tell you more, or check out this blog post where we have explained what we look for in a Disposable mail Crowdsource hacker. 



6 months after the launch of Disposable mail Crowdsource: What has happened so far? – 10 minute mail

Disposable mail Crowdsource was born almost 6 months ago, and a lot has happened since then. Kristian Bremberg, Community Manager, who spends his days coordinating almost 100 top-ranked ethical hackers and building their submissions into our scanner, has summarized the first 6 months with Disposable mail’s security platform Crowdsource.

Kristian Bremberg, Community Manager

What is Crowdsource?

Crowdsource is a security platform with ethical hackers from all over the world helping us make the Internet more secure. Only the most skilled hackers are invited to join the platform because we aim to make Crowdsource a tight-knit community that can really make a difference.

Crowdsource works just like a bug bounty program, but instead of submitting vulnerabilities on specific websites, we are interested in security issues that can affect many more websites. The submissions Disposable mail gets from hackers are reviewed, then implemented into Disposable mail’s scanner and tested on all our customers.

What have we found?

The scope is wide both when it comes to vulnerability types and software. Crowdsource submissions have generated more than 4000 hits, including vulnerabilities like remote code execution, SQL injection, cross-site scripting, cross-site request forgery, open redirect and information disclosure.

We have received almost 200 submissions from the hackers in our platform, with a 75% accept rate*.

The majority of the submissions are WordPress vulnerabilities, followed by Joomla! vulnerabilities in 2nd place, Drupal (3rd) and Magento (4th). The most common vulnerability type submitted is XSS, followed by SQLi, Information Disclosures and RCE.

*Submissions that are verified as valid and implementable. Some are not implemented because they are duplicates, auto-patched or the software has been removed (e.g. WordPress plugins).

Who has joined Crowdsource?

Crowdsource researchers have their own unique style; some submit vulnerabilities affecting content management systems, some focus on misconfigurations and some on enterprise systems. We have spent a lot of time handpicking ethical hackers with a lot of potential and the right skillset. Email us if you are interested in joining, or check out this blog post where we have explained what we look for in a Disposable mail Crowdsource hacker.

Peter Jaric, Ethical hacker

Many of the security researchers wish to remain anonymous, but we got the chance to interview one of them: Meet the Hacker: Peter Jaric, Software Developer: “I got two board games for the first bug I reported”

You can also read a write-up by our 14-year-old guest blogger and Disposable mail Crowdsource hacker Karim Rahal, who discovered and reported a stored XSS vulnerability that affected over a million websites. Disposable mail was able to help Karim contact the developers behind the vulnerable plugin, and the story was picked up by tech sites like The Next Web.


The future of Crowdsource?

The future goal of Crowdsource is to build a healthy community where researchers with different focus and knowledge can make the internet more secure by sharing a wide range of different vulnerabilities.

As Crowdsource continues to grow, we aim to continue bringing in the best researchers in the world, and with their help build the most up-to-date security scanner in the world.

Interested in joining Disposable mail Crowdsource or have any questions about the initiative? Drop Kristian an email: hello [at] detectify.com


Utilize our hacker community to test your site – Sign up for a free trial now!

Disposable mail Crowdsource approaches bug bounties in an innovative way, focusing on platforms instead of specific clients. When a researcher submits a vulnerability to us, we build a module for it and integrate it in the Disposable mail service. Run a scan with Disposable mail, and get direct access to a global competence pool of top ranked security researchers!


How to become a Disposable mail Crowdsource hacker – 10 minute mail

Disposable mail Crowdsource is a platform where hackers can submit vulnerabilities in web applications. Their findings are reviewed by our security team, and built into our web security scanner so that our customers can test if they are vulnerable. For each unique hit we find on one of our customers’ websites, the hacker earns a bounty.

The platform has been running for more than 6 months, and during this time, hackers from all over the world have helped us make the Internet more secure. Since the platform’s launch, we have gotten a lot of interest from hackers around the world. With this article, we would like to shed some light on how you can get the most out of Crowdsource and what qualities we look for when we handpick hackers to join our invite-only program. Here’s how you can do good while making money!

The skillset of a Crowdsource hacker

Many hackers interested in joining Crowdsource ask us how they can earn money on the platform. Researchers get a monetary reward for each unique target that is found vulnerable, which is why the most successful submissions are those that affect widely used software: the more popular the affected system, the more hits the submission generates.

Submissions with a high severity (SQLi, RCE, SSRF) both earn many points on the leaderboard and generate hits faster, while submissions with low or medium severity (XSS, CSRF, open redirect) often show a steady increase in hits over time. For example, one hacker submitted an open redirect in a very common Flash file. Because this Flash file was included in many content management systems, the vulnerability affected many of our customers, which led to a high bounty (over 1400 dollars in total) over a two-week period.

Every Crowdsource hacker has a unique style and focus. Some prefer submitting vulnerabilities in common content management systems such as WordPress, Joomla and Drupal, while others prefer enterprise products, large or small, such as JetBrains and Solr. Some hackers focus on misconfigurations, which can affect most systems regardless of which web application is used.

We see a wide range of both new and old techniques for finding and exploiting vulnerabilities. Even a low-severity vulnerability can generate a large number of hits if many sites are affected.

As you can see, Crowdsource offers plenty of opportunities to submit vulnerabilities with the potential to generate a lot of hits! Which tactic to use is up to the hacker; however, we are mostly looking for hackers who are really knowledgeable in specific products and areas. Right now we are interested in Magento, WP, and .net/episerver researchers.

How to become a (good) Crowdsource hacker

Crowdsource invites hackers with a good reputation who follow responsible disclosure policies; blackhat methods are not accepted. Once we have accepted your request you can go right ahead, create an account and start submitting vulnerabilities!

When you submit a vulnerability, you don’t need to write a highly detailed description; all we need are details showing how to exploit the vulnerability. If you submit a proof of concept, that’s even better! Before submitting a vulnerability you should make sure it’s not a duplicate. Take a look at the list of all modules so you don’t waste time submitting something that has already been submitted by someone else.

If you think you are the right person for Crowdsource, you can simply request an invite! You can do so by sending an email with a short introduction to [email protected]


Disposable mail Crowdsource monthly recap | July 2017 – 10 minute mail

Disposable mail Crowdsource is our crowdsourced security initiative that allows us to implement white-hat hacker knowledge into our service and work with the world’s best security researchers. Read our community manager Kristian Bremberg’s recap to find out what’s been going on in the Crowdsource community over the past month.

In July, Crowdsource has gotten many interesting submissions from hackers around the world, proving that hacking is in full swing even during the summer months.

From enterprise systems to content management platforms

This month’s submissions vary in severity and cover a wide range of technologies, including enterprise systems and consumer content management platforms.

Many of the submissions are vulnerabilities that affect WordPress plugins. However, we have also received submissions with a high severity (Remote Code Execution and SQL injection) affecting rather exotic systems. The variety in July’s submissions shows that we can find vulnerabilities in most systems thanks to the diverse skillsets of our Crowdsource hackers.

Over 800 hits

Crowdsource submissions are built into the Disposable mail service, allowing us to scan hundreds of websites for the submitted vulnerabilities. This way, researchers can extend their reach and make an impact with the help of automation while getting paid for every unique finding based on their submission.

Chart: Disposable mail Crowdsource total hits, July 2017

In July, Crowdsource submissions generated over 800 hits on our customers’ sites, bringing the total number of hits since the platform’s launch to 5940. That’s 5940 vulnerabilities discovered by modules based on Crowdsource hackers’ security research, a number that continues to grow as our customers run Disposable mail scans on their web applications. White hat knowledge leveraged by the power of automation is a force to be reckoned with!

Crowdsource improvements

To make the Crowdsource experience better for our hackers, we have added several improvements to the platform, such as the frequently requested ability to stay anonymous on the leaderboard, and faster payouts via Bugcrowd.

As Crowdsource continues to grow, Disposable mail security researcher Linus Särud will be joining the Crowdsource team. Linus has been working at Disposable mail for over 2 years and will help us develop the platform so that our customers can access even more white hat hacker knowledge.

Stay tuned for next month’s Crowdsource update!


Disposable mail Crowdsource Monthly Recap | August 2017 Breaks New Records – 10 minute mail

Disposable mail Crowdsource is our crowdsourced security initiative that allows us to implement white-hat hacker knowledge into our service and work with 100+ of the world’s best ethical hackers. Read our community manager Kristian Bremberg’s recap to find out what’s been going on in the Crowdsource community the past month.

August marks the best month so far

In August, submissions from Disposable mail Crowdsource generated more than 1500 unique hits in total, which is a monthly all-time high! Security never sleeps, so a big thank you to all our Crowdsource hackers for submitting new vulnerabilities that helped secure our users.

Top finding: URL path traversal due to url-encoded slashes

Nearly half of the hits were generated by one single module: URL path traversal due to URL-encoded slashes. On its own the finding is not critical, but it can easily be chained with other vulnerabilities, which could lead to severe consequences. The vulnerability lies in certain load balancer configurations that make it possible to append paths via path traversal, so that data in the URL (such as tokens) can be leaked to an attacker’s website.
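The core of this vulnerability class is the order in which a front-end (load balancer or reverse proxy) percent-decodes and normalises a request path: if `%2F` is decoded into a real slash before dot segments are resolved, an encoded traversal escapes the prefix the operator meant to expose. The snippet below is an added illustration written for this page, not the Crowdsource module's own logic, and it does not reproduce the token-leak chaining described above; the request paths, the `/app/` prefix and the function names are constructed for the example.

```python
"""Added example: why decoding %2F before normalising a path is dangerous.

A lenient front-end decodes first and normalises second, so the decoded
'/' and '..' take part in normalisation and '/app/static/..%2F..%2Fadmin'
is routed as '/admin'. A strict front-end normalises the still-encoded
path and decodes each segment on its own, rejecting any segment that
would turn into a slash or a dot segment after decoding.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote


def lenient_resolve(raw_path: str) -> str:
    """Decode, then normalise: encoded traversal escapes the intended prefix."""
    return posixpath.normpath(unquote(raw_path))


def strict_resolve(raw_path: str) -> Optional[str]:
    """Normalise the encoded path, then decode per segment.

    Returns None when a decoded segment contains '/' (an encoded slash) or is
    '.' / '..', so what this layer routes on is what the backend will see.
    """
    normalized = posixpath.normpath(raw_path)
    segments = []
    for segment in normalized.split("/"):
        if not segment:
            continue
        decoded = unquote(segment)
        if "/" in decoded or decoded in (".", ".."):
            return None
        segments.append(decoded)
    return "/" + "/".join(segments)


def confined(resolved: Optional[str], prefix: str) -> bool:
    """True when the resolved path stays under the prefix this route exposes."""
    return resolved is not None and resolved.startswith(prefix)


# Constructed request paths (assumption: /app/ is the only prefix exposed).
ALLOWED_PREFIX = "/app/"
REQUESTS = [
    "/app/static/logo.png",          # benign
    "/app/static/..%2F..%2Fadmin",   # encoded-slash traversal
    "/app/static/%2e%2e/secret",     # encoded dot segment
]

if __name__ == "__main__":
    for raw in REQUESTS:
        lenient = lenient_resolve(raw)
        strict = strict_resolve(raw)
        print(f"{raw}\n  lenient -> {lenient} (confined: {confined(lenient, ALLOWED_PREFIX)})"
              f"\n  strict  -> {strict} (confined: {confined(strict, ALLOWED_PREFIX)})")
```

Running the block shows the lenient resolver turning the encoded request into `/admin`, outside the exposed prefix, while the strict resolver refuses it; the same strict rule is what options such as Apache's `AllowEncodedSlashes Off` enforce at the server level.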

Severe Flash vulnerabilities

August was also the month of severe Flash vulnerabilities. A great many of them were submitted to the platform, such as XSS vulnerabilities in bookContent.swf, ZeroClipboard.swf and jPlayer. This confirms that Flash is a dying technology with a growing number of vulnerabilities, and we hope the trend continues: more submissions for technologies that are disappearing from the Internet, such as Flash, Java and Silverlight.

This month’s CS Hacker: Evgeny Morozov

We would also like to thank Evgeny Morozov, a highly skilled hacker in Crowdsource, who found a vulnerability which made it possible to validate a domain in Disposable mail by using a DNS spoofing vulnerability.

For this, Evgeny earned a place in our Hall of Fame.

Big plans for the future

The team behind Disposable mail Crowdsource has planned the roadmap for the coming years. We aim to make Crowdsource the ultimate bug bounty experience and have a lot of plans for how the platform should develop. We believe in involving real, top-skilled hackers in building a security tool, which means it is authentic white-hat knowledge that will make the Internet a more secure place.

We’re looking for more researchers

If you’re ready for a new challenge in your bug bounty life, we recommend trying out Disposable mail Crowdsource. We are inviting the best hackers from all over the world to join our platform, and all competencies are welcome. With your unique way of hacking, you can make the Internet a more secure place while earning a bounty along the way! If you think you have what it takes, please write a short introduction to [email protected], and we will get back to you if your skillset is relevant for our platform.

Read more: How to become a Crowdsource hacker 
That’s all for now!


Meet the Hacker: Yasin Soliman “The bug bounty community motivates me hugely” – 10 minute mail

One of our latest Disposable mail Crowdsource hackers is Yasin Soliman, a bug bounty hunter from the UK, who has been passionate about IT security since a young age. He was our most active researcher in September, so we decided to learn more about the guy behind the 23 submissions (!). We asked Yasin about his interest in security, the first bug he ever reported, and his role models in the security community.

Tell us a little about yourself; who are you, what do you work with and when did you start hacking?

My name is Yasin “ysx” Soliman, and I’m from the UK. Since a young age I’ve had a passion for information security, but I first became familiar with security research and bug bounty programs back in late 2015.

Driven by the pervasiveness of online technologies, I soon gravitated towards web application security, and six months later filed my first bug report.

Tell us about the first bug you reported.

The first bug I reported was in a HackerOne public program. After thoroughly reviewing the target’s client-side code, I happened across a set of interesting directories intended for the organisation’s customer support team. Further inference led to the discovery of several ‘homemade’ endpoints for support tickets, which led to the disclosure of user submission data. The issue was promptly triaged and remediated in under six hours.

What are your experiences with bug bounty programs?

I signed up for a profile on HackerOne and Bugcrowd back in December 2015, but struggled to land my first submission for several months.

Over time, I developed awareness of different vulnerability classes and how to compose effective reports, in addition to researching on the Google VRP and other non-platform targets. On that note, I’d strongly recommend having a read of the HackerOne guide on this topic if you’re getting started.

During the course of May this year, I entered the Synack Red Team screening process for web application researchers and proceeded to pass the assessment phases. It wasn’t possible to proceed at that time due to a personal situation, but I look forward to commencing work with Synack in the months ahead.

What motivates you in your bug bounty hunting?

The bug bounty community motivates me hugely. To be part of such a supportive and inclusive network of researchers has a profound effect on my research outcomes. The challenge and thrill of bug bounty hunting, ability to develop income, and opportunities for skill development are definitely motivating factors too.

Do you have any role models in the bug bounty community?

Every day I come across incredible case studies, findings, and writeups. It’s hard to name a few! I frequently follow the research of Frans Rosén, Masato Kinugawa, Ruby Nealon, Jack Cable, Inti De Ceukelaire, Sean (zseano), Ben Sadeghipour, and James Kettle.

Your favorite source for the latest security research?

Nowadays I come across a large portion of research over Twitter, reading researchers’ blog posts (like those above) and the latest news from bug bounty platforms. In addition, the Full Disclosure mailing list often contains informative content.

You have been a very valuable researcher on Disposable mail Crowdsource and submitted many modules of high quality, how come?

After being accepted into the Crowdsource program, I came to strongly value the innovative platform model and emphasis on creativity. Having the opportunity to build proof-of-concept modules for well-known systems – such as WordPress and Joomla – means that customers can benefit from continuously automated discovery. I enjoy working with the Crowdsource team to investigate new apps, plugins, and tools – especially focusing around bypasses, XSSes of various classes and other logic issues.

What makes Crowdsource different from other bug bounty programs from your perspective?

In my view, Crowdsource helps you conduct research with a wider-reaching approach. After finding a vulnerability in a commonly used system, the Crowdsource team help develop your proof-of-concept into a scanner module. For every detection picked up by the continuous Disposable mail scanner, you receive a reward based on the severity and impact of the bug, and can compete with the Crowdsource community on the Leaderboard.

Find out more about Yasin
Twitter: https://twitter.com/SecurityYasin
Personal site: https://ysx.me.uk

Are you interested in joining Yasin and other security researchers on Disposable mail Crowdsource? Drop us an email: hello [at] detectify.com and we’ll tell you more, or check out this blog post where we have explained what we look for in a Disposable mail Crowdsource hacker. 

