Catch the flag, catch the (real!) gold

Did you ever have the chance to win a pure gold medal?
THIS IS HAPPENING: join us next week, on the 18th of June, at the Alibaba Security Meetup hacker community event, organized by Alibaba Security and Lazada in partnership with YesWeHack.

Highlights of the evening

Hacking game

  • 1h to solve
  • 3 levels
  • All of them are real vulnerabilities from bug bounty programs
  • 🏅 Pure gold medal for the Top 1 🏅
  • @BitK_ will give the solution and share tips and tricks on how to find a vulnerability.

Pick a lock game

  • Nine different locks and tools
  • Learn about the vulnerabilities of locks and locking devices
  • Try to pick a lock yourself.

New bug bounty

  • ASRC private bug bounty program
  • ASRC Vulnerability Rewards Program

Other

  • Dinner & Beer
  • Ice-breaking and stamp-gathering game

Agenda

17:30-18:00 Sign in
18:00-18:30 Ice-breaking game, dinner & networking
18:30-19:40 Hacking game & Pick a lock game
19:40-19:50 Bug bounty announcement
19:50-20:00 Award ceremony for the hacking game
20:00-20:30 One session
20:30-21:00 Solution to the hacking game, plus tips and tricks on how to find a vulnerability.

Hacking game

Description

Do you think XSS is “low hanging fruit”?
So just exploit it on the website provided during the event and call alert(document.domain).

There are 3 levels of increasing difficulty, each one worth 100 pts, and they are real XSS discovered on bug bounty programs…
For each step, submit your payload to @yeswehack.

All your payloads will be tested on a default installation of Chrome 75.
At the end of the timer, the one with the most points will be declared the winner.

If two players have the same score, the first one to reach the score will be declared the winner.

Rules

This is an XSS challenge: no need for brute force or automated tools.
This is NOT a cryptography challenge.
Your solution for each step will be a single link.
Just bring your laptop with Chrome 75 installed.

About the event

Alibaba Security Meetup is a security event hosted by Lazada and ASRC.
The goal of these meet-ups is to build a strong “security community” within South East Asia.
By becoming a member of such a community, you will get to:

  1. Learn about the new trends within the Information Security domain.
  2. Participate in the CTF and win prizes.
  3. Learn more about the ASRC bug bounty platform.
  4. Collect swag and relish food and drinks while networking with your peers in the domain of information security.

For more details about ASRC Vulnerability Rewards Program, please visit:
https://security.alibaba.com/online

See you next week in Singapore!

New YesWeHack API Extension for Burp

YesWeBurp

Today we are proud to release version 1.0.0 of our BurpSuite extension.

It lets you access all program details from YesWeHack directly inside BurpSuite, and also instantly configure the scopes and the required headers according to the program rules. No more copy-pasting between the website and your favorite tool!


New features for quicker and improved bug reporting!

Our dev team released two new features to save you time and improve quality while reporting vulnerabilities.

As shown below, you can now access a new menu entry called “My Yes We Hack”. This section provides a template manager holding up to five templates. In our experience, 5 templates should be sufficient and useful for the majority of bug hunters.

In this section, based on Markdown, you can add or edit your templates.

Now, let’s see a second useful feature to better illustrate and/or document your reports.


Lucas aka BitK: high level bug hunter and the brand new YesWeHack Tech Ambassador.

Tell us about yourself and your background.

I’m Lucas, also known as BitK, I am 28 y/o. I’m a French guy who lives in Lyon. If you play CTF we have probably already met during an on-site event, as I play a lot of them with the French team Hexpresso.

Before joining YesWeHack I was writing / reversing software for power plants.

I’m also a bug hunter, I’ve been in the top 10 hackers on YesWeHack Bug Bounty platform since the launch of the platform.

Why did you join YesWeHack and what is your role?

It’s a team that I’ve known for quite some time through CTF, bug hunting and the HZV Community & Events (LeHack).

We share the same principles and I do like the idea of bringing tools to the community.

My role as Tech Ambassador within YesWeHack will be to support the hackers’ community by providing tools, talks and workshops. I’ll attend the YesWeHack-sponsored events, having a great time with bug hunters and IT security researchers.

As a bug hunter and CTF player, what are you driven by?

To me, bug hunting is a lot like a puzzle game; I feel like every piece of software or application is vulnerable to some kind of exploitation, you just need to find how.

Writing software is a difficult job, and developers are still human beings, so they make mistakes: our job is to find those mistakes and help developers fix them before it gets worse.

One thing I love about the hacker community is the willingness to share information, tips or tools. There is always someone better than you in a specific field and most of the time those people will share their knowledge if you ask nicely.

What are the benefits of CTF (Capture The Flag) for those who want to start bug hunting?

CTF is a bit different from bug bounties; the major difference is that in CTF you know that a vulnerability is there, your goal is “just” to exploit it.

So usually CTF tasks are quite small: you need to exploit a very specific bug. In bug bounties, you are hacking real enterprises; their websites can be huge and sometimes you can find yourself lost in the scope. Bug bounty has a whole recon phase that CTFs don’t have; it’s a new skill to learn.

CTF and bug bounties are different, but most of the time I use tricks and tips I’ve learned during CTFs to exploit real-life applications in bug bounties.


[ITW] Daniel Kalinowski: “Participating in bug bounties improves your skills and increases the overall knowledge.”

Let’s meet Kalin, bug hunter from Poland.

What’s your background?

I’m 25 yo, I didn’t study, it’s kind of a waste of time in Poland. Well, it depends if hacking the school PCs in junior high school counts? xD
I started my career in the IT industry as a Data Center Operator, then I got promoted to Junior Dev. They had to do it because I had pwned their application once, and after the promotion, with access to the source code, I was able to find a few more critical bugs. Also, with the help of Shellshock I was able to download/view the files of the CTO that were stored on one NAS.

3 years ago I joined an awesome security company, and in my current position I’m responsible for: mobile apps testing / web apps testing / code reviews / general technical advisory on the customer side.

My nickname Kalin comes from my surname KALINowski. I can also be found on the Internet by the @llamaonsecurity/@llamasbytes handles.

Why are you interested in bug bounty?

I started bug bounties as a time-killer in my first job, then I forgot about it and came back to it when I started my career in IT security. Participating in bug bounties improves your skills and increases your overall knowledge. Once I had to dig into the PNG file format structure to execute an XSS payload on web servers. It was quite a unique experience. Financially speaking, 1 euro is equal to 4.15 PLN (my local currency), so participating in bug bounties can be profitable.


YesWeHack provides its bug bounty platform and expertise to the French Armed Forces Ministry.

YesWeHack is delighted to support the French Cyber Defence Command (COMCYBER) in leveraging its force of more than 3,400 cyber-combatants.

YesWeHack, a French start-up and bug bounty leader in Europe, equips COMCYBER with an innovative concept and tool to boost cooperation with all the Ministry’s cyber entities.

This bold initiative is part of the Ministry’s opening up towards civil society and private actors.

Florence Parly, the French Armed Forces Minister, announced on the 22nd of January:

A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I do announce: we will launch the first bug bounty of the French Armed Forces Ministry at the end of February 2019. Ethical hackers, recruited within the cyber operational reserve, will be able to search for vulnerabilities in our systems and, if successful, be rewarded, as they should be.

Florence Parly, the French Armed Forces Minister

With the signing of this partnership, the Armed Forces Ministry becomes the first French Ministry to launch a bug bounty program. COMCYBER will leverage the YesWeHack bug bounty platform to meet the growing challenge posed by new cyber threats.

With the YesWeHack bug bounty platform, COMCYBER will be able to make the best use of its trusted community of reservists, in order to improve the global security of the Ministry’s entities.

Guillaume Vassault-Houlière, YESWEHACK CEO

This bug bounty program opens new perspectives for the management of the operational cyber reserve. Ultimately, such an initiative will make it possible to train reservists and increase their skills, to significantly and durably improve the Ministry’s level of security.

YesWeHack makes its bug bounty platform available to the Armed Forces Ministry.

YesWeHack is delighted to bring its skills to the benefit of the Cyber Defence Command (COMCYBER), which counts more than 3,400 cyber-combatants in its ranks.

YesWeHack, a French start-up and bug bounty leader in Europe, offers COMCYBER an innovative concept and tool that develop cooperation with all the Ministry’s cyber entities. This discipline also allows the Ministry to open up towards the civilian world, with all private actors.

A partnership has been established between COMCYBER and a start-up, YesWeHack. So, yes, I announce it: at the end of February we will launch the first bug bounty of the Armed Forces Ministry. Ethical hackers, recruited within the cyber operational reserve, will be able to go looking for flaws in our systems and, if they find any, be rewarded, as they should be.

Florence Parly, Armed Forces Minister.

With the signing of this partnership, the Armed Forces Ministry becomes the first ministry to adopt a bug bounty exercise. COMCYBER will benefit from the YesWeHack bug bounty platform to embrace a resolutely modern vision of cybersecurity, where collaboration and coordination are essential to maintain the effectiveness of its perimeters in the face of the new threats heightened by the digital transformation.

It seemed essential to us to offer COMCYBER the YesWeHack bug bounty platform, to let it improve its operational security thanks to its trusted community of reservists.

Guillaume Vassault-Houlière, CEO YESWEHACK

Bug bounty opens new perspectives for animating the cyber operational reserve. In the long run, the recurrence of this type of exercise will make it possible to train reservists and raise their skills, to significantly and durably increase the Ministry’s level of security.
This innovative model can easily be activated across the entire digital exposure of the Armed Forces Ministry.

***

>> Becoming a cyber defence reservist

The cyber defence reserve recruits IT specialists all year round, as operational or citizen reservists. The reserve is looking for various profiles: coordinators, experts, analysts, technicians; at various levels: from first-year computer science students to Master’s level (BAC+5).

An operational reservist signs a commitment to serve in the operational reserve, a paid contract lasting 1 to 5 years, renewable. These volunteers choose to serve their country without making the profession of arms their sole occupation.

Citizen reservists are volunteer collaborators of the public service. They choose to serve their country by letting the defence benefit from their expertise and competence. As volunteers, they devote as much time as they wish and can to this mission.

General conditions for becoming a reservist

- Be a French national and reside in France
- Be over 17 years old
- Be studying computer science
- Be in good standing with regard to national service obligations
- Have no criminal record

For more information or to apply (CV + cover letter): crpoc.cer.fct@intradef.gouv.fr

Source: https://www.defense.gouv.fr/portail/enjeux2/la-cyberdefense/la-cyberdefense/presentation

YesWeHack sponsors CESIN: helping to strengthen cooperation between experts and decision-makers.

The YesWeHack team is proud to announce that it officially becomes a sponsor of CESIN, an association dear to its heart.

YesWeHack and CESIN will, together, help strengthen cooperation between all digital actors.

The YesWeHack community, with more than 6,500 researchers, is now represented within CESIN.

A winning combo: digital transformation and cybersecurity

YesWeHack sees this partnership with CESIN as a long-term commitment, in order to share its vision of the cybersecurity of the future, adapted to the transformations the association’s members are going through.

Having contributed within CESIN since 2016 as CISO at Qwant, it is a source of pride to become a sponsor today with YesWeHack. We will keep taking part in the exchanges at the heart of CESIN, because cybersecurity is the essential prerequisite for carrying out any digital transformation effectively with decision-makers.

Guillaume Vassault-Houlière, CEO of YesWeHack.

With more than 500 members, CESIN’s activities are an ever-growing success among cybersecurity experts, and YesWeHack is very enthusiastic about taking part in this promising dynamic.

This year CESIN wished to diversify its sponsoring by welcoming a few innovative startups.

The aim is to give even more visibility to companies we strongly believe in, such as YesWeHack, because through their innovation and boldness they bring a complementary answer to the cybersecurity challenges faced by the CISOs who are members of the club.

Alain Bouillé, President of CESIN.

YesWeHack and CESIN therefore look forward to seeing you in 2019 for a constructive year of meetings and concrete projects.

FIC 2019: YesWeHack’s community, NGOs & CivicTech unite through a unique Bug Bounty Campaign.

For this edition of FIC 2019, YesWeHack is organizing, for the first time in the history of FIC, a special event dedicated to Bug Bounty.

The International Cybersecurity Forum, the European reference event bringing together all stakeholders in digital trust, will take place on 22 and 23 January.

This unprecedented bug bounty campaign will take place in an original space reserved for dozens of security researchers, so that they can operate over several scopes and, where applicable, earn rewards according to the criticality of the reported vulnerabilities.

For this première, the scopes are submitted by NGOs and CivicTech projects wishing to harden their systems and thus better protect their information assets and their reputation.

YesWeHack has chosen this year to help NGOs and CivicTech as a priority, because many European citizens use tools developed by this sector to contribute to the common good, democracy, associative and charitable projects.

“For all actors, customers, developers and researchers, this Bug Bounty campaign within the 2019 FIC is a great and useful opportunity to exchange and confront the reality of threats in order to significantly increase the level of security and privacy by design.”

Guillaume Vassault-Houlière – CEO @YESWEHACK

The bug bounty area will welcome bug hunters, who will cooperate with “program managers” from the selected projects with the support of Romain Lecoeuvre, CTO of YesWeHack.

The rewards will be of two types: a total prize pool of several thousand euros is planned to reward the best researchers, and goodies will delight the collectors among the players.


New YesWeHack platform : scale up your bug bounty programs

Thanks to the impressive work of our team, our Bug Bounty platform has been released with new features for program managers.

So we would like to share the new features with you below 🙂

New program structure
We have reviewed the structure of the programs by adding several fields:

  • A « Scope » field to define its types and perimeters (links, webapp, iOS Apple Store, Android)
  • An « Out of scope » field, if applicable
  • « Qualifying Vulnerabilities » for a reward
  • « Non-Qualifying Vulnerabilities » for a reward
  • A mandatory compensation grid based on criticality (Low / Medium / High / Critical)

Please update your Bug Bounty program by filling in the new fields to better manage your perimeter.

New report workflow
We have reviewed the workflow for qualifying bug reports.
It is said that a picture speaks a thousand words so please take a look below:

[Optional] Free VPN
We offer all our customers a free VPN, which lets you provide hunters with a dedicated connection to meet your program’s legal framework, and also to open dedicated (IP-filtered) environments.

Profile page
Each hunter now has a profile page highlighting all their activity within the platform, including their ranking.
This allows YesWeHack’s client companies to select hunters and invite them into their programs based on their impact score or activities.

Two-factor authentication (TOTP)
We have integrated two-factor authentication to increase the security level of your YesWeHack account.

New report structure
The details of the bug reports have also been reviewed, providing more clarity to the program manager. The ergonomics of the tools used for qualifying reports have also been redesigned to offer you greater efficiency. These new program/report structures, linked to the provision of a public API, allow optimal capitalization on vulnerability reports (DevSecOps).

New dashboard
The new dashboard offers you all the statistics related to the reported bugs (severity, status, classification, etc.) and also the amount of paid rewards.

API
We provide an API so that you can develop or connect your own tools.

Members at all levels
We have improved granularity in member management. You can invite members to your business unit, but also to your programs and reports. The number of members is unlimited.

We hope that you will enjoy this new version as much as we do. Please be aware that we are always ready to listen to your feedback, questions and/or comments.

***