

Popping a shell on the Oculus developer portal - bitquark
https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal

======
readerrrr
If you didn't read it:

This was done after Facebook announced that Oculus is part of its Whitehat
program. OP was awarded $25,000 in total for finding the vulnerabilities.

Very effective.

------
voltagex_
I haven't seen the BENCHMARK trick before. It's very clever - a variation on
timing failed login/password attempts.

This is a clear and effective writeup. Congrats OP.

~~~
andypants
> It's very clever - a variation on timing failed login/password attempts.

Can you explain? To me it just looks like a way to prove the exploit exists
without revealing any actual injections.

~~~
1c4050b09
It's a pretty common technique for exploiting blind SQLi. You can use this as
one of the branches in a SELECT IF to be able to determine the value of
something in the DB.

[https://www.owasp.org/index.php/Blind_SQL_Injection#Time-based](https://www.owasp.org/index.php/Blind_SQL_Injection#Time-based)
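
From the defender's side, the BENCHMARK trick described above leaves a recognisable trace: a request parameter carrying a database timing primitive, followed by an unusually slow response. The following is an added example, not code from the original post or from Oculus; it assumes a combined-log-format access log with the response time in seconds appended (as nginx's $request_time would give), and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Timing primitives used by time-based blind SQL injection probes (the BENCHMARK
# trick discussed in the thread, plus its equivalents on other databases). Matched
# case-insensitively on the URL-decoded request so encoded variants are caught too.
TIMING_FUNCS = re.compile(
    r"\b(?:benchmark|sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)

# Combined-log-format line with the response time (seconds) appended.
# Assumed log layout; adjust the pattern to your server's format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \d+ (?P<secs>[\d.]+)$')

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Aug/2014:12:00:01 +0000] "GET /api/users?id=42 HTTP/1.1" 200 512 0.012
10.0.0.7 - - [31/Aug/2014:12:00:02 +0000] "GET /api/users?id=42%27%20AND%20IF(1%3D1,BENCHMARK(5000000,MD5(1)),0)--%20 HTTP/1.1" 200 512 4.873
10.0.0.7 - - [31/Aug/2014:12:00:09 +0000] "GET /api/users?id=42%27%20AND%20sleep(5)--%20 HTTP/1.1" 200 512 5.004
10.0.0.9 - - [31/Aug/2014:12:00:10 +0000] "GET /api/users?id=sleeping_beauty HTTP/1.1" 200 512 0.010
"""


def classify(line, slow_threshold=2.0):
    """Return the reasons a log line looks like a time-based SQLi probe
    (empty list if it looks benign, None if the line does not parse)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    reasons = []
    decoded = unquote_plus(m.group("url"))
    if TIMING_FUNCS.search(decoded):
        reasons.append("timing_function_in_request")
    # A slow response alone is weak evidence, but paired with the pattern above
    # it indicates the injected delay actually executed on the database.
    if float(m.group("secs")) >= slow_threshold:
        reasons.append("slow_response")
    return reasons


def scan_log(text, slow_threshold=2.0):
    """Return (client_ip, decoded_url, reasons) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        reasons = classify(line, slow_threshold)
        if reasons:
            m = LOG_LINE.match(line)
            hits.append((m.group("ip"), unquote_plus(m.group("url")), reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, reasons, url)
```

The benign `sleeping_beauty` line shows why the pattern requires an opening parenthesis after the function name: substring matching on `sleep` alone would be a noisy false positive.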

------
canadev
I liked this. I also wonder if it'd be worthwhile for me to take a few months
off of work and try just poking away at security bounty programs. I doubt it
would pay off to start with, but it seems like a pretty lucrative path. I know
the OWASP Top 10, but don't really know my way around Burp Suite or anything.

~~~
homakov
I don't know any program except FB with such bounties for bugs in web apps. If
you want to hack for money, focus on FB and forget about the others.

~~~
christop
[https://hackerone.com/programs](https://hackerone.com/programs)

~~~
homakov
Which one is profitable there?

------
iamleppert
Security researchers are some of the most banal people. But I won't argue with
$25k. ;-P

~~~
zuck9
I don't think so. There's creativity in hacking any server. You won't find a
straight same path every time. I think security researchers are the most
patient people or most determined.

