Singapore Polytechnic partners with YesWeHack to hold its first-ever bug bounty event

Singapore Polytechnic (SP) successfully concluded its first ever bug-bounty event, held in partnership with YesWeHack, Europe’s leading bug bounty platform.

The first such event held by the institution, the workshop brought more than 30 second- and third-year students from the Diploma in Infocomm Security Management back to school from their vacation to learn the ins and outs of bug-bounty hunting.

The workshop began with a bug bounty crash course led by BitK, a renowned French security researcher, bug hunter and Tech Ambassador at YesWeHack.

After equipping the students with specialised bug-hunting skills, he led them in a live session to discover vulnerabilities and bugs in two selected applications.

During the bug bounty hunt, the Singapore Polytechnic students found a total of nine critical vulnerabilities in the applications, and by the end of the workshop one group had successfully penetrated one of the applications and gained full admin rights – impressive for first-timers!

Bug bounty programs are a growing industry best practice, implemented by both public and private sector organizations across multiple sectors in Singapore. With cyber-attacks growing in scale and complexity, bug bounty has been recognised by the Singapore Government as an initiative to strengthen collaboration with the cybersecurity community to safeguard systems and digital services. 

Lifelong learning plays a significant role in advancing Singapore’s digital defence mandate. Equipping future talent with the latest technologies and practices creates a highly skilled and sustainable workforce, which is especially vital in the fast-evolving area of cybersecurity.

This is well in line with Singapore Polytechnic’s ongoing efforts to keep the Diploma in Infocomm Security Management (DISM) course relevant to industry demands. Through the bug bounty event, students gain the technical know-how to detect bugs that are generally difficult to find using standard tools or techniques. Moreover, the out-of-curriculum activity complements the lessons taught in the course by allowing students to apply their existing skills and knowledge to real-life situations.


“The bug bounty workshop was well received by our students. At Singapore Polytechnic, we aim to equip our students with the latest knowledge and skills. We are confident that the bug-bounty session gave our Infocomm Security Management students an insight into the cybersecurity industry, and we’re exploring the inclusion of bug bounty programmes as part of the curriculum in the diploma course,” said Samson Yeow, Course Chair, Diploma of Infocomm Security Management, Singapore Polytechnic.

“Throughout my education at Singapore Polytechnic, I’ve had the opportunity to attend cybersecurity events like Capture-The-Flag competitions, which have allowed me to learn new things and further enhance my skills. Bug-bounty is very different; you’re trying to exploit a real and live application. This raises the difficulty level and requires me to pick up new skills and knowledge that cannot be found in a school environment,” said Jonathan Tan, a Year 3 Infocomm Security Management student.

“Singapore Polytechnic is setting a great example by taking a bold move to explore bug bounty as part of its course module. As one of the first tertiary institutions in Singapore to equip students with industry-level bug-bounty skills, we are excited to partner with them to explore ways to further enhance the learning experience for their future talents,” said Kevin Gallerin, Managing Director, Asia Pacific, YesWeHack. “Ethical hacking will increasingly become a larger focus as organisations tackle the cybersecurity threat, and training needs to start from young.”

YesWeHack & Alibaba Security Meetup challenge solution

The goal of the challenge was to find an XSS vulnerability on a minimalist website.

It was composed of three steps of increasing difficulty, each one adding an extra security layer. All payloads were tested with Chrome 75.

Difficulty   Escaped GET value   X-XSS-Protection   CSP
easy         NO                  0                  NO
medium       YES                 1                  NO
hard         YES                 1                  YES


Catch the flag, catch the (real!) gold

Did you ever have the chance to win a pure gold medal?
THIS IS HAPPENING: Join us next week, on the 18th of June, at the Alibaba Security Meetup hacker community event organised by Alibaba Security and Lazada in partnership with YesWeHack.

Highlights of the evening

Hacking game

  • 1h to solve
  • 3 levels
  • All of them are real vulnerabilities from bug bounty
  • 🏅 Pure gold medal for Top 1 🏅
  • @BitK_ will give the solution and share tips and tricks on how to find a vulnerability.

Pick a lock game

  • Nine different locks and tools
  • Learn about the vulnerabilities of locks and locking devices
  • Try to pick a lock by yourself.

New bug bounty

  • ASRC private bug bounty program
  • ASRC Vulnerability Rewards Program

Other

  • Dinner & Beer
  • Ice-breaking and stamp-gathering game

Agenda

17:30-18:00 Sign in
18:00-18:30 Ice-breaking game, dinner & networking
18:30-19:40 Hacking game & Pick a lock game
19:40-19:50 Bug bounty announcement
19:50-20:00 Award ceremony for hacking game
20:00-20:30 One session
20:30-21:00 Solution to the hacking game, with tips and tricks on how to find a vulnerability

Hacking game

Description

Do you think XSS is “low hanging fruit”?
Then just exploit it on the website provided during the event and call alert(document.domain).

There are 3 levels of increasing difficulty, each one worth 100 pts, and they are real XSS discovered on bug bounty…
For each step, submit your payload to @yeswehack.

All your payloads will be tested on a default installation of Chrome 75.
At the end of the timer, the one with the most points will be declared the winner.

If two players have the same score, the first one to reach the score will be declared the winner.

Rules

This is an XSS challenge; there is no need for brute force or automated tools.
This is NOT a cryptography challenge.
Your solution for each step will be a single link.
Just bring your laptop with Chrome 75 installed.

About the event

Alibaba Security Meetup is a security event hosted by Lazada and ASRC.
The goal of these meet-ups is to build a strong “security community” within South East Asia.
By becoming a member of such a community, you will get to:

  1. Learn about the new trends within the Information Security domain.
  2. Participate in the CTF and win prizes.
  3. Learn more about the ASRC bug bounty platform.
  4. Collect swag and enjoy food and drinks while networking with your peers in the domain of information security.

For more details about ASRC Vulnerability Rewards Program, please visit:
https://security.alibaba.com/online

See you next week, Singapore!

Let’s break stuff together, Singapore: YesWeHack is coming up with a brand new CTF at Infosec in the City!

Infosec in the City Singapore is a premier techno-centric cybersecurity event, bringing together top cybersecurity leaders from both the East and the West to share deep technical insights and build the next generation of cybersecurity capabilities around the globe.

Visit YesWeHack at booth 5N7-01 to learn how you can make cybersecurity an accelerator of your digital transformation with Bug Bounty!

Get a product demo, meet our team, grab your loot and break the codes.

Do you want to challenge your skills and get rewarded?

CTF in THE CITY by YesWeHack

The CTF competition is open to all conference ticket holders and visitors to play, enjoy and compete. Participants simply have to come to the YesWeHack booth, 5N7-01, in front of the CTF area, or directly to the CTF area.

Ready to hack?

The CTF will have multiple categories of challenges and different levels from beginner to advanced… But only the best will get the prizes:

Centurion Information Security will give SGD 1000 in cash (1st $500, 2nd $300, 3rd $200)
HITB will give one ticket to attend HITB Singapore (27-31 August 2019) – value of 1,199 USD

CTF sponsored and created by YesWeHack
Prizes by HITB and Centurion Information Security

Solution for “A Weird XSS Case”

This challenge was created for BSidesDublin 2019; the goal was to trigger an alert using an XSS on the domain https://bsides2019dublin.h4cktheplanet.com/.

Nobody was able to solve it during the event so we decided to keep it online for an extra week to let you play with it.

Three people managed to solve it during this extra time:

Here is the full solution

The website is a single HTML file asking for a username.

When you submit a username, some checks are made and a message tells you whether the submitted username is l33t or not.

Let’s take a look at the JavaScript code.
