Hi Haxel0rd, can you give us a short intro about you?
------------------------------------------------------

Yea sure, I'm an older guy who learned (mainly web) hacking in the early days and I chose the GreyHat, meaning I cross borders when it comes to legality; sometimes I access stuff I am not allowed to, but I only do it out of technical interest and never break things or steal data, I just see and forget. For some cases I report vulnerabilities, many I just leave as they are, and for others, like AliExpress, I leave a message to the sysadmins with suggestions on how to improve. My Twitter only represents (my sometimes childish side and) my private life of hacking. Oh, and I love trolling! In my main job, I am a senior pentester and I strictly separate work from how I act privately on my Twitter.

Well then, congrats on making perhaps the most creative persistent XSS.
-----------------------------------------------------------------------

Thank you very much! I am not sure though how many found out that the testimonials have websites too, maybe I should have made that more clear in the .html file. This PoC demonstrated the most harmless impact, which was that you can abuse the issue for free webhosting (Ali usually sells cloud space for money). But in fact, we had a persistent XSS with lots of potential to raise other attacks from there. (I still hid a persistent XSS; it occurs when clicking on the testimonial website from "Yosh Smith", at the "PiratesBase" navbar ;)) Basically the open door for XSS was used to place an own file/website on the CDN servers. Back in my days this was called a "deface page". This is something the newer generation may not know that much, as these were different times and today defaces rarely occur. Before about 2012, almost anything on the web was hackable. Hacking was kind of more underground and much less destructive than it is today.

A deface page just replaced either the index file (landing page) of a website or created a file somewhere else in public www dirs, while leaving the rest of the website fully functioning and intact. It was like a fun competition between SysAdmins and Hackers. But times started to change... Some have taken it too far, especially eastern countries stupidly used defacing to represent their country flag, while hacking has nothing to do with things like nationality. They used exploits to mass-deface thousands of websites at once, or extracted sensitive data from databases, resulting in much public attention and attention of the feds to hacking in general, and it didn't take long until criminals also took note of the capabilities of using hacking techniques for fraud purposes. Today it's not the hackers anymore stealing money from you, stealing your passwords or identity... it's regular criminals who just buy 0day exploits from hackers, while the hackers themselves mostly do not participate in the actual fraud anymore. The reason why hackers sell to criminals is because, unfortunately, the true criminals are still the only ones that understand the real value of a vulnerability or a ready-made exploit. White hatting still often does not pay out and companies try to buy hackers for cheap, or a company has an overall and fundamentally wrong understanding of security and doesn't value the reports they receive from hackers/pentesters/researchers. Unless you are hired by a company as a pentester, or find extremely critical bugs in VRPs, you most likely have to expect to get underpaid for white hatting. (VRP = "Vulnerability Reward Program", the more official term for "BugBounty Program".)

Getting companies to take security seriously is a pain.
----------------------------------------------------------

Yes, I fully agree on this!

I have been a witness myself when in the past dealing with companies that didn't understand either the impact/risk a vulnerability posed, or what risk their customers and core business were exposed to. Back in my times it was something very unknown; I reported vulns long before platforms like H1 and Bugcrowd existed and there were no rules, no guidelines, nothing that described this process or made it transparent. It was like the "Wild West". This resulted in a lot of confusion, mostly on the side of the companies, as they faced something unknown and didn't know how to react or deal with such reports. Some hackers told that companies felt threatened by a hacking attack and involved the police. Another issue that especially hackers and pentesters/researchers know about: "Thank you for reporting critical RCE in our production systems, we have fixed it, bye." (Often, researchers save the company thousands or even millions of dollars in damage, but in return, the researchers get left with a small and simple "thank you", or only a low, inadequate amount of pocket money.) Some concepts tried to solve this, platforms like H1 were founded, but they introduced new problems and these mostly affected the researchers. Common problems are: slow fixing times result in duplicate reports, researchers get baited with worthless swag rewards or just "points", private programs allow the stars of platform XY to get fresh attack surface with low-hanging bugs, while the rest of the people get access to a program after it was harvested already, or only if the researchers have specific amounts of points (meaning they have to work for free at first to get to the interesting stuff), and other issues like absolutely stupidly set scopes that leave open doors in the full picture of a company's IT security concept.

So Aliexpress runs a BugBounty program right?
----------------------------------------------

Yes, and talking about scope, the CDN domain was not in scope.

As far as I know it was in a first round, but by the time I saw it, the scope was already adjusted to have the CDN domains excluded. Maybe they know about the issue and haven't fixed it yet, or they take it as accepted risk, where we are back at the point where companies do not fully understand the risk or impact of a vulnerability. Not meaning to mock AliExpress; any company that decides to run a VRP is already a step ahead of 95% of the other companies that don't. So I do not mean to criticise AliExpress for their VRP, but they should improve. Also the bounty amounts are pretty cheap, a company of that size can easily pay more, but then we are back at what I said: "companies still try to buy hackers for cheap". ANYONE WHO'S WHITE-HATTING AND READING THIS: don't sell yourself for cheap, your skills are worth more! Stop reporting for free or for points; hacking requires a broad range of knowledge that covers different topics from the complete IT sector, this is massive and takes years(!) to learn. Let them pay you this time just like they pay their coders, their sysadmins, their managers. Exception: you are a young teenager that needs to collect some first few references in the IT-Sec field to get better chances when applying for a job. To anyone else not fitting in this category but still reporting for free: how does it feel to be sold as the "lowbob" of some rich company that massively profits from the hours of time YOU have spent learning? While you get left with a "thank you"... yes, a warm thank you is also nice, but at the end of the day, can you buy your family a piece of bread from this...?

According to your tweets, you didn't report it then?
------------------------------------------------------

No, as soon as I spot a flawed VRP I decide to rather dump out a vuln to the public and to leave the company a message. I don't care about swag, money or "Hall of Fame" entries.

In the end I have my fun and lulz and a company can benefit from it, if they at least take some of the info and rethink their processes or handling of vulnerabilities. For Ali my suggestion would be: expand your scope, raise bounties, take impacts more seriously or be quicker at fixing (whichever of the last two applies for the CDN).

What advice do you have to others dealing with such situations? Should they also go and turn a vulnerability into a piece of art to get companies to realize they need to take it seriously?
---------------------------------------------------------------------------------------------

Haha, thank you for considering my deface page as art, indeed I put lots of love and joy into it (: First of, I clearly do not encourage anyone to start defacing! While I agree a deface has much power of display and draws more attention from a company, defacing a server or website closely scratches the border of legality, so be careful and only do it if you absolutely know what you are doing. For this case, I see myself in a safe zone as AliExpress runs a VRP, but in theory, they could still take legal action against me as my actions left their definition of "safe harbor". So either do it anonymously or be careful when using a doxable identity. Make sure to remember: there is always the way to contact a sysadmin via phone or email; SOME companies are pretty up to date with security standards and may respond unexpectedly professionally to your report or may even compensate you. If you have the feeling a company follows modern-day IT-sec processes, then maybe give it a chance. Use the other methods as the last solution only.

Will you be making your deface script publicly available?
---------------------------------------------------------

Well, in fact, it already kind of is. All the images, the styles and even the reggae music are included in the .html file; there are no external files.

The websites of the testimonials are single .html files too, except for the .mp3 downloads on the "PiratesBase" website from testimonial "Yosh Smith" and the linked YouTube videos. I made them separate to demonstrate that even other file types are possible to upload, and for the YouTube video, that cross-domain policies are weak. The pages of "Jennifer Yang" and the "NSA" are also their own .html files. It may look all messy though, as the resources are included via base64 data URLs. Back in the days each hacker had his own deface page (before the copy-pasting started), and this was what it was about. I remember a dude called "Starfield", his deface page had a 3D starfield animation (fitting his name) which he completely coded himself in JS. So I recommend not to copy-paste; rather be creative and come up with your own ideas/style.

Haxel0rd, thank you for answering questions for @Planetzuda
---------------------------------------------------------

Thank you for your interest in my work and all the best to @Planetzuda! Cheers
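The interview describes attacker-chosen files, including single-file HTML pages with images, styles and audio inlined as base64 data URLs, landing on the CDN and rendering as pages. Below is an added defensive example, not code from Haxel0rd or from AliExpress: a pre-publish check that sniffs what an upload really is the way a browser would, and the response headers a user-content origin should send so nothing stored there can execute. File names, sample bodies and the set of allowed types are constructed assumptions.

```python
import re

# Byte patterns that browser MIME sniffing treats as HTML, whatever the
# file extension or declared Content-Type claims.
HTML_MARKERS = re.compile(rb"<(?:!doctype\s+html|html|script|iframe|svg|body|head)[\s>/]", re.I)
# Inline base64 data: URLs, the way a single-file page carries its resources.
DATA_URL = re.compile(rb"data:[\w.+/-]+;base64,", re.I)
# Passive types the CDN may render, and the magic bytes each must start with
# (constructed allow-list for this example).
MAGIC = {".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8\xff",),
         ".gif": (b"GIF87a", b"GIF89a"), ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3")}
MIME = {".png": "image/png", ".jpg": "image/jpeg", ".gif": "image/gif", ".mp3": "audio/mpeg"}

def inspect_upload(filename: str, body: bytes) -> dict:
    """Decide what the body really is and how (if at all) the CDN may serve it."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = body[:512]  # browsers sniff only the leading bytes
    looks_html = bool(HTML_MARKERS.search(head))
    magic_ok = ext in MAGIC and head.startswith(MAGIC[ext])
    if looks_html:
        verdict = "reject"        # stored HTML/script must never reach the CDN
    elif magic_ok:
        verdict = "serve"         # genuine image/audio, rendered passively
    else:
        verdict = "attachment"    # unknown or mismatched content: download only
    return {"ext": ext, "looks_html": looks_html, "magic_ok": magic_ok,
            "data_urls": len(DATA_URL.findall(body)), "verdict": verdict}

def cdn_headers(verdict: str, ext: str) -> dict:
    """Headers for the user-content origin: no sniffing, no script, no framing."""
    headers = {"X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "default-src 'none'; sandbox"}
    if verdict == "serve":
        headers["Content-Type"] = MIME[ext]
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers

if __name__ == "__main__":
    # Constructed sample: a testimonial page with one inlined image.
    page = b"<!DOCTYPE html><html><body><img src='data:image/png;base64,AAAA'></body></html>"
    for name, blob in [("testimonial.html", page), ("song.mp3", b"<html><body>hi</body></html>"),
                       ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32), ("notes.txt", b"just text")]:
        r = inspect_upload(name, blob)
        print(name, r["verdict"], cdn_headers(r["verdict"], r["ext"]))
```

The second sample shows why the extension is not trusted: a file named .mp3 whose bytes are HTML is still rejected.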
Posted on May 13, 2020

How Tour Operators Can Make Money During coronavirus
----------------------------------------------------

Posted on April 16, 2020

Tour operators are in a very tough spot right now, with coronavirus forcing their businesses to close. Everything looks bleak, as if your tour company may go out of business. Do not fear, we are here!
How Tour Operators Can Make Passive Income
Whether you run a tour bus, ghost-hunting tours, or a type of experiential tour like gang tours, you can still make money without any customers. How do you make passive income while coronavirus has your company shut down? It’s pretty simple. You’ve been given a picture-perfect moment in time, where you can get video, photos, and more, and then post optimized tour blogs and YouTube videos that you include in your blog. You’re probably yelling that blogs don’t make money. You are absolutely wrong: affiliate links along with Google AdSense can make you more money than you are making right now, but those aren’t the only ways to make money.
The big blogs in the tour industry charge to mention companies and have pages on every major city. You can do the same thing!
You don’t even have to be in that city to legally use photos from there and write about it, then charge companies to have a blurb written about them, as long as you disclose that you do this. Talk to your lawyer; this isn’t legal advice.
So now you have 3 ways of making money as a tour operator during coronavirus, which we are giving away for free to help your business avoid going out of business. We have plenty of paid ways to keep tour operators in business; one that we publicize is tour operator SEO, so you get seen on Google and other search engines. We have plenty of other ways tours can make money without customers, but we keep those for paying customers.
We hope your company will profit off of this article.
Free Shopify Stores & WordPress sites For Stores impacted by COVID-19
---------------------------------------------------------------------

Posted on March 21, 2020

From our press release:

Ryan Satterfield, founder of Planet Zuda LLC, is now offering free set-up services for Shopify online stores and WordPress sites. These complimentary services are primarily for brick and mortar store owners as well as small business owners and independent contractors who do not have an online presence and were forced to shut down due to COVID-19.
Planet Zuda LLC is now offering to set up your Shopify store and include adding the first 5 items in your online store for free. They will also provide a complimentary how-to guide that explains how to use your new online store.
For business owners that offer a service or need to feature a portfolio, Planet Zuda LLC, is offering to set up a WordPress site and theme as well as add limited text that business owners provide to be on the front page.
Due to the extreme impact the Coronavirus has already had on the economy, Planet Zuda LLC will be offering a discounted rate to business owners for additional services beyond the complimentary initial set-up. These complimentary services and discounts will continue until the National Emergency is lifted.
*Customers pay for any and all additional costs incurred, including but not limited to Shopify fees. Only one complimentary service per customer.
Artificial Intelligence Gets You Seen Quicker On Search
-------------------------------------------------------

Posted on March 10, 2020

Personalization is nothing new in life, since companies through the ages have tried to tailor to their audience. Thanks to advances in artificial intelligence (AI) technology, we can deliver better personalization to customers more quickly.
You’ve probably used pay-per-click ads, which use artificial intelligence to target customers with relevant content to make sales. We are using AI to help you get new content on your site faster, and far more of it. We make sure the content is tailored to your site.
If you’ve never heard of Google RankBrain or Quality Score in Google AdWords, they are very important for Google to decide if your site is good enough to retain users and rank higher in search results.
Digital marketing technologies and platforms are evolving rapidly, but they require a number of specific skills. If you want to opt for intelligent marketing technologies but don’t want to deal with the technology side, we build, use and handle it for you. You’ll get a huge jump on your competitors, since 76 percent of marketers aren’t using artificial intelligence for their clients.
Get a competitive edge on your competitors today by hiring Planet Zuda.