Brett BuerhausGoogle CTF - Web 11 - Flag Storage Service
A challenge involving injecting into Google's Query Language (GQL) using a blind boolean technique to extract a password from the database.
Brett Buerhaus
For anyone familiar with the Counter-Strike competitive scene, you know about ESEA. They just recently launched a bounty program that puts their website, game client, and game servers in scope for security research.
I spent a night taking a look over the website and found a few vulnerabilities. The most interesting discovery was a Server-Side Request Forgery vulnerability. Using a cool trick that Ben Sadeghipour (@NahamSec) showed me, I was able to pull private information from ESEA's AWS metadata.
Brett Buerhaus
In 2014 I discovered a vulnerability on Yahoo's Login Protection seal that allowed for CSS injection. This information was saved to the browser and IP, persisting across login sessions on that computer. The protection seal feature has since been removed from the login page, but the feature still exists in your account preferences.
Brett BuerhausChallenge Info
Challenge Description
Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.
Flag is md5($totpkey.$password)
http://54.210.118.179/
Brett BuerhausAuthors: 
Brett Buerhaus, Jason Thor Hall
Original Post: http://potatohatsecurity.tumblr.com/post/126411303994/defcon-23-badge-challenge
Brett, Jon, and I teamed up with Council of 9 and won this years badge challenge after having great success in the DEFCON 22 Badge Challenge. Over the last year we have studied a huge number of cryptographic methods and ancient languages to prepare for this. We also released our own crypto-challenge website for the community to follow along and have fun challenging themselves. With our new knowledge and a great team in tow we headed out to DEFCON.
Here is the entire adventure as we experienced it with all of the puzzles, their solutions, and the steps to solve them. Understand that this document contains MASSIVE spoilers so if you do not want to ruin it for yourself please stop reading now.
Brett BuerhausBack in October of last year I discovered a JavaScript flaw on Google.com that bypassed protocol validation by abusing an if check against a URL parsed by regex. I was unable to find a way to attack this vector, but was still rewarded a bounty of $500 due to Google knowing of an active browser vulnerability that allowed them to exploit it successfully.
Brett BuerhausFlickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.
Brett Buerhaus
After learning about Google's bug bounty program, I decided to look for vulnerabilities on their most sensitive services. Finding a vulnerability on admin.google.com was challenging; I managed to find a simple, but interesting form of Cross-Site Scripting.
Brett Buerhaus
I'll keep this one simple and sweet because anyone reading this blog probably knows what SQL Injection is. I discovered a root access SQL injection on tw.yahoo.com.
Brett Buerhaus
This is part two of a three part series on detecting traffic generated by the security tool Burp Suite. These methods are by no means exhaustive, but are simple tricks that can be used for detecting some of the malicious traffic on your web server.