heiglandreas (@heiglandreas@phpc.social):

Starting the day with answering emails from "security researchers" ...

shochdoerfer (@shochdoerfer@phpc.social):

@heiglandreas ignore them, that's the best you can do. Keep getting this s**t for a few months now. Not funny. At least the last person asked before if they get a reward for reporting an incident...

heiglandreas (@heiglandreas@phpc.social):

@shochdoerfer We actually got some (1%?) really good feedback and solved some issues. But most of it is really just crap...

shochdoerfer (@shochdoerfer@phpc.social):

@heiglandreas the only thing they reported to us was CORS problems and stuff.

heiglandreas (@heiglandreas@phpc.social):

@shochdoerfer Yeah. That's the "low hanging fruit" that only works in BurpSuite...

shochdoerfer (@shochdoerfer@phpc.social):

@heiglandreas I am fine with getting reports like this.

The annoying part is dealing with this bug bounty approach because, obviously, the reporters want some money for their effort.

heiglandreas (@heiglandreas@phpc.social):

@shochdoerfer If it's useless, they get a nice "thank you but no thanks".

Some then insist whether their valuable insight doesn't vouch for a reward. I usually ignore those then...

Otherwise I'd have to invoice them for my time...

dasniko (@dasniko@mastodon.cloud):

@heiglandreas You mean something like "...your 'sessionid' cookie is insecure..."!?

heiglandreas (@heiglandreas@phpc.social):

@dasniko You are storing passwords in plain text because I can see them in the request when I intercept them with BurpSuite...

dasniko (@dasniko@mastodon.cloud):

@heiglandreas aaawwwwhhh, also a nice one! 😮‍💨

dasniko (@dasniko@mastodon.cloud):

@heiglandreas And just now on a mailing list... "In our current setup (monolithic), we hash passwords (SHA256) on the frontend (ensuring they do not appear in plain text in the network tab, as per our security audit report) before passing them to the controller side for login."

heiglandreas (@heiglandreas@phpc.social):

@dasniko So they are now storing the hash of the hash in the DB? So the hash has now become the password?

🤦‍♂️

Extra security would have been encrypting the password with a public key and then decrypt it on the server side with the private key...

🤔

Hm....
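The "hash of the hash" point from the last two posts, as an added example that is not part of the thread and not code from any project mentioned in it. It simulates the mailing-list setup: the frontend sends sha256(password), the server stores sha256 of that value, and anyone who can read the request (as with an intercepting proxy such as Burp Suite) can log in by replaying the captured field without ever learning the password. The `Server` class, the usernames and passwords, and the captured request are constructed for the demonstration.

```python
import hashlib
import hmac


def client_prehash(password: str) -> str:
    """What the frontend in the quoted setup sends instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Server:
    """Toy backend (constructed): stores sha256(client value), i.e. the hash of the hash.
    No salt and a fast hash, exactly as the quoted setup describes; not a recommendation."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def _store_value(self, client_hash: str) -> str:
        return hashlib.sha256(client_hash.encode("utf-8")).hexdigest()

    def register(self, username: str, client_hash: str) -> None:
        self.users[username] = self._store_value(client_hash)

    def login(self, username: str, client_hash: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        # constant-time comparison; the weakness here is not the comparison
        return hmac.compare_digest(stored, self._store_value(client_hash))


def captured_login_request(username: str, password: str) -> dict[str, str]:
    """The login request as seen on the wire by an intercepting proxy (constructed).
    The plaintext password is indeed absent; only the client-side hash is sent."""
    return {"user": username, "pw": client_prehash(password)}


def replay_attack(server: Server, request: dict[str, str]) -> bool:
    """Attacker replays the captured field verbatim. No password knowledge needed."""
    return server.login(request["user"], request["pw"])


def demo() -> dict[str, bool]:
    password = "correct horse battery staple"  # constructed sample credential
    server = Server()
    server.register("alice", client_prehash(password))

    request = captured_login_request("alice", password)

    return {
        # the audit finding is technically satisfied: no plaintext on the wire
        "plaintext_on_wire": request["pw"] == password,
        # the legitimate client still logs in
        "legit_login": server.login("alice", client_prehash(password)),
        # ...and so does whoever captured the request: the hash is the password
        "replayed_login": replay_attack(server, request),
        # a wrong password still fails, so nothing is "broken" from the user's view
        "wrong_password_login": server.login("alice", client_prehash("wrong")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The captured value is a credential in its own right: it is static, it is all the server ever checks, and the server-side sha256 adds nothing that the client-side step did not already do. That is the "hash has now become the password" remark above in executable form.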
