BugsCollector.com all security bugs in one place

For 2 years I have been trying to please Habr with articles (mostly my own) in the field of information security, for the most part about the web: sharing knowledge, gaining experience and feedback, meeting interesting people.

Not insignificantly, I made the largest contribution of all time to the "Information security" hub. During this time I learned a lot; my level of knowledge then and now is beyond comparison.

And, working in this field, I have run into a few problems to which I could not find solutions anywhere. I've met other people who faced the same ones. But there was a solution! So I decided to solve, first of all, my own problem, knowing that I am sure it will help many. Thus was born a resource with a self-explanatory address: bugscollector.com.

Problem #1. Mass, personal notification about vulnerabilities


Remember the article that was second by rating in the history of the site, where I obtained the source code of 3300 global Internet projects? Or when I tried to inform administrators of various government, military, payment systems and banks about a dangerous data leak? Or, more recently, the XSS found on over 6,000 websites from the Alexa top 5000. How do you notify all of them at once, when half of the sites have no contact email, some ignore you, and some even make threats?

Wouldn't it be nice to have a resource where you could submit information about vulnerabilities found on any website and notify the owners privately? There are CERTs and seclists, but that's not it: they won't deal with XSS, they don't have the contacts of all these sites, and they don't help. So what is needed is a resource where all interested site owners are registered and can be notified (privately) in such cases. BugsCollector is not an existing thing; it's completely new and different.

Problem #2. Personal history of found vulnerabilities


Here, I think, some of those who like to constantly poke around for holes somewhere will understand me :) It would be nice to have a place just for yourself, with only what you yourself have found, right? I just wondered where one could keep such personal statistics of found bugs, and also see what others find.

Problem #3. Being ignored by the vendor


Very often you try to report something serious to the vendor / administrator, and they just stupidly ignore it. Attracting an audience usually helps.

Problem #4. Personal interest


I wonder what vulnerabilities have been found over all time in Google, Facebook, Yahoo, Yandex and other websites? Something in the format of a wiki: you come to the resource's page, and all its bugs are there. Not scattered across personal blogs and tweets, but all together. By the way, sometimes it helps to figure out where you can dig if you decide to participate in a bug bounty (e.g. to learn about resources that are in scope but not explicitly listed).

Problem #5. Summary


When looking for a job as a pentester, you can send a link to your profile where all the bugs you have found are displayed. I think that's cool :)

Implementation


I'm not a professional web developer, nor a designer, but the idea got implemented. A beta version (if not alpha) with the initial functionality is already available at bugscollector.com (hosted on an Amazon micro instance); you can go there, view bugs, comment, vote, and log in via Twitter to add your own bugs/websites. You can also add bugs found by others (there is a checkbox for that), but you must link to the original researcher; if they register on the site in the future, we will "bind" the bug to them.

I have already received feedback from various security people, and almost all of them say: go for it :) Now comes a period of active development, but what is already needed:

  • Hackers, researchers, script kiddies. Add your own bugs (not necessarily in a popular resource);
  • Site owners. Add your sites and get notified about vulnerabilities added for your website;
  • Passers-by. Leave feedback, suggestions, comments and ideas;
  • Experts in English. My prose leaves much to be desired.

My personal TODO list for the project is still huge. Planned: delayed public disclosure if the administrator is registered on the resource; adding the music tracks a hacker listened to while finding the vulnerability; authorization through Facebook/Gmail and other resources; and more. And the site already lists the vulnerabilities found in Google, Facebook, Yandex and others.

A little later I will report on the bugs added by Habr users (and not only), the development process, and other details.

PS: I tried to configure the server for the Habr effect. I ran it through ab at loads at least comparable to Habr's; it should survive.

Article based on information from habrahabr.ru
