My XSS is more 1337 than yours.
#11
(01-05-2017, 02:31 AM)Insider Wrote:
(01-05-2017, 02:04 AM)StickFigure Wrote: Don't you guys worry about the legal aspects of bug bounties, even when their is an official bounty program you are still playing with fire.

https://greysec.net/showthread.php?tid=988'
https://greysec.net/showthread.php?tid=988/../../../
https://greysec.net/showthread.php?tid=<.../script&gt;

Going to any of those URLs could put you away.

Click those links and I'll send you to jail!  Angry

Spoiler(Show)
JK though. 

Yeah always read the rules and conditions on bug bounties. And protect your ass with tor/vpn or whatever.

And be careful falling for the "Send me your name, address, details so we can send you a reward" trick :p Friend of mine, greyhat who just reports stuff regardless of policies have gotten bait like that.

Best is to accept btc and those stuff. Screw bounties like Pentagon bounty whereas per rules you need to apply with your name, details and such.


Its not illegal to put harmless javascript into a sites broswer.
Reply
#12
I don't know where you guys live but laws are generally pretty broad about hacking and you could get into trouble over ridiculous things, like the former CEO of SensePost who got convicted because he added "../../../" in a URL (https://www.cnet.com/news/tsunami-hacker...urity-job/).
In practice it depends on a lot of factors and most of the time you won't be bothered, but it would suck to be the guy who got caught and made an example of.
Reply
#13
Agreed with PandaSec, even just poking around could land you in trouble at times. There's many unreasonable people out there. I heard about a story about a guy who got a few months prison for port scanning Mossad, can't find source on this. But I read about it many years ago.

Always keep your identity concealed with opsec and anonymity, even if you're hunting bugs for the greater good.
Reply
#14
(01-09-2017, 04:29 PM)Insider Wrote: Agreed with PandaSec, even just poking around could land you in trouble at times. There's many unreasonable people out there. I heard about a story who got a few months prison for port scanning Mossad, can't find source on this. But I read about it many years ago.

Always keep your identity concealed with opsec and anonymity, even if you're hunting bugs for the greater good.

My thoughts exactly, if you are going to be doing anything risky you should factor that into your threat model and take the appropriate opsec measures.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] XSS through Exif headers Insider 1 718 06-16-2020, 11:51 AM
Last Post: LaZr4us
  Guide to XSS (Examples included) NO-OP 3 12,701 04-29-2019, 12:44 PM
Last Post: mhiats37
  [PoC] RunBox.com x MailChimp.com - Stored XSS Vulnerabilities (Bug Bounty Hunting) Daisuke Dan 3 5,913 04-24-2019, 08:47 PM
Last Post: thunder
  Exploiting Reflective XSS (Post) Insider 1 4,323 04-24-2019, 08:32 PM
Last Post: thunder