florin_darck last won the day on May 17 2015

florin_darck had the most liked content!

About florin_darck

  • Birthday 04/01/1995


  1. If nothing comes up at university, I'll join
  2. Last month I bought a few watches, 50 euros in total, free shipping, and I didn't pay anything extra. Everything arrived at home OK..
  3. No, if you choose the shipping option that takes 15-20 days, or I don't remember exactly how long. If you place the order and tick express delivery, the order will arrive faster, but you will pay customs duty.
  4. A friend had an account with ~30 hours played and Legendary Eagle rank. Only CS:GO on that Steam account. If he still has it, what would you give him for it? So I know how much to tell him if he's still selling it.
  5. I haven't reported anything else to Apple. I have a few XSSes, one of which is stored, but I'm waiting for them to launch a bug bounty too. Maybe I'll get lucky and nobody reports them
  6. Nice last one.. Don't you ever get bored of digging through mail
  7. How I could delete any video on YouTube
     March 31, 2015

     About Vulnerability Research Grants

     A few months ago Google announced a new experimental program called Vulnerability Research Grants. It's definitely a good idea, thanks Google for inventing and trying such cool things! How it works: Google's Security team chooses regular reporters and sends them emails like this: http://kamil.hism.ru/img/about-vrg-and-delete-any-youtube-video-issue/email.png

     The researcher selects a product/service from the list and looks into its security. The goal of VRG is to support research looking for vulnerabilities, so even if no vulnerability is found, the researcher will receive a reward for the attention and time spent. But if, as a result of the grant, vulnerabilities are found, then the person will receive both a reward for the detected issues and the grant amount itself.

     Security issue on YouTube

     As a frequent Google reporter, I received the email above and decided to spend some time on weekends looking into the security of Google products. I selected YouTube Creator Studio as a target and after a few hours I composed two reports. One of them was about an easily exploitable, but pretty high severity issue. Here are a few words about it.

     In YouTube Creator Studio I investigated how the live_events/broadcasting systems work. I wanted to find some CSRF or XSS issues there, but unexpectedly discovered a logical bug that let me delete any video on YouTube with just the following request:

     POST https://www.youtube.com/live_events_edit_status_ajax?action_delete_live_event=1
     event_id: ANY_VIDEO_ID
     session_token: YOUR_TOKEN

     In response I got:

     { "success": 1 }

     And the video got deleted! Here is a POC video:

     Source : How I could delete any video on YouTube | Kamil Hismatullin
  8. The crossdomain policy on the main domain isn't very safe either.

     <allow-access-from domain="*.nokia.com"/>
     <allow-access-from domain="*.nokia.ie"/>
     <allow-access-from domain="*.nokiausa.com"/>
     <allow-access-from domain="*.nokia.co.za"/>
     <allow-access-from domain="*.nokia.fr"/>
     <allow-access-from domain="*.nokia.it"/>
     <allow-access-from domain="*.nokia.de"/>
     <allow-access-from domain="*.nokia.es"/>
     <allow-access-from domain="*.nokia.nl"/>
     <allow-access-from domain="*.nokia.co.in"/>
     <allow-access-from domain="*.nokia.com.sg"/>
     <allow-access-from domain="*.nokia.be"/>
     <allow-access-from domain="*.nokia.ru"/>
     <allow-access-from domain="*.nokia.fi"/>
     <allow-access-from domain="nokia.fusepump.com"/>

     So this can also be exploited with the method Paulos YIBELO applied on Oculus. Facebook’s Oculus – Cross-Site Content Hijacking (XSCH) to Bypass SOP ~ Paulos Yibelo - Offical Blog
  9. Due to the lack of literature about DOM Based XSS identification tools awareness, we decided to write a paper that took the actual tools that are stated to be able to identify DOM Based XSS and test their capabilities when dealing with a real world DOM XSS issue.

     Minded Security has been the first company to launch a commercial tool aimed to identify DOM Based XSS with a runtime approach: DOMinatorPro. In 2012, as a result of our research on DOM XSS, we released the tainting engine on github.com as an open source project and created a commercial version that let users easily identify several kinds of JavaScript vulnerabilities with a pretty high rate of accuracy. Since then, some tools, open source and commercial, have been developed and awareness on this very topic grew among application security experts.

     The following paper will try to give an unbiased study supported by objective facts about precision and accuracy of existing tools that are stated to identify DOM Based XSS vulnerabilities.

     Full slide : Comparing DOM XSS Tools On Real World Bug or PDF : https://dominator.mindedsecurity.com/sharedto/ComparingDOMXSSToolOnRealWorldBug.pdf

     Source : Minded Security Blog: Comparing DOM based XSS Identification Tools on a Real World Vulnerability
  10. Those days are gone. They're more serious now.
  11. Someone or some bug decided to crash the original ¯\(º_o)/¯ (it wasn't me)

      XSS
        • Another Stored XSS in Facebook.com - Break Security
        • Another Stored XSS in Facebook.com | Nir Goldshlager Web Application Security Blog
        • https://nealpoole.com/blog/2011/03/xss-vulnerability-in-facebook-translations/
        • https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/

      Logic
        • How I Hacked Facebook Employees Secure Files Transfer service (http://files.fb.com ) | Nir Goldshlager Web Application Security Blog
        • PwnDizzle: How to Bypass Facebook's Text Captcha Rate Limits
        • https://www.facebook.com/notes/$500-bug-at-facebook-no-rate-limiting-implemented/686271891408124

      Object Reference
        • A blog on Web Application Security: Hacking Facebook.com/thanks Posting on behalf of your friends!
        • fin1te - Hijacking a Facebook Account with SMS
        • Delete any Photo from Facebook by Exploiting Support Dashboard ~ My Blog

      More vulnerabilities & source : https://www.facebook.com/notes/phwd/facebook-bug-bounties-backup/736808796409147
  12. Personally, I find it absurd that I would be considered guilty if I have a video with a vulnerability (PUBLIC)...
  13. Can those who aren't attending Defcamp buy too? (me)
  14. Does anyone happen to have a coupon for this? https://www.udemy.com/how-to-become-a-web-developer-from-scratch/ Thanks in advance.