Advent Calendar 2022
Can you spot the vulnerability?

The Code Security Advent Calendar 2022 comprises 24 code challenges containing hidden security vulnerabilities in real-world Java, JS, C#, PHP, Python and C code.

https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/


Sonar Research on Twitter

“Can you spot the vulnerability? #codeadvent2022 #PHP We just inherited a PHP application from the '90s. Is there anything wrong with it? https://t.co/adIl958hys”


“Can you spot the vulnerability? #codeadvent2022 #Python Can you get admin access? This is a hard one! https://t.co/LkGVNR9Rrv”


“Can you spot the vulnerability? #codeadvent2022 #Java It's sanitized, so it's 100% safe! https://t.co/QouhcOx0vE”


“Can you spot the vulnerability? #codeadvent2022 #csharp Something was forgotten in this API handler, but what? https://t.co/XhIegPFj5W”


“Can you spot the vulnerability? #codeadvent2022 #JS This API is protected with auth tokens 🔒 Can you still find a way in? https://t.co/8pwRH6Fy5T”


“Can you spot the vulnerability? #codeadvent2022 #PHP Someone wanted to be pretty sure with all these filters, but did it succeed? https://t.co/7TQF3wYWwx”


“Can you spot the vulnerability? #codeadvent2022 #JS Something is off with this Vue app... https://t.co/zettTzISPe”


“Can you spot the vulnerability? #codeadvent2022 #PHP So many restrictions... can you get around them? No CSRF required, you can do it on your own! https://t.co/AvJJ0e8hdy”


“Can you spot the vulnerability? #codeadvent2022 #Python You can upload any file to /tmp/storage/. Also, remember: unpacking archives may be evil. But a wild copy() appears; can you tame it? https://t.co/PbnAsBaMUL”


“Can you spot the vulnerability? #codeadvent2022 #Java Do you already know this song? Let us know what your payload would look like! https://t.co/2dxqwDghek”


“Can you spot the vulnerability? #codeadvent2022 #C Find a way to elevate your privileges with this setuid binary! https://t.co/96pG695fd9”


“Can you spot the vulnerability? #codeadvent2022 #JS This OAuth popup seems to have all the right checks 🤔 Could an attacker page still steal your authorization code? https://t.co/7AD2fakOag”


“Can you spot the vulnerability? #codeadvent2022 #Java Can you log in as the user 'admin'? You can assume that passwords are alphanumeric and have a length of 10 characters. https://t.co/QIdtELWUWI”


“Can you spot the vulnerability? #codeadvent2022 #PHP This code is so simple that nothing can go wrong! Since you may send your private keys, all traffic is done over TLS with the key stored at /key.pem. No way anybody will ever leak it. https://t.co/DuwV2ezKWV”


“Can you spot the vulnerability? #codeadvent2022 #Python Some types of vulnerabilities can be leveraged by an attacker in unusual situations. Can you determine how to exploit this application and get a shell? https://t.co/7jMXvMFqKk”


“Can you spot the vulnerability? #codeadvent2022 #Python Who's to blame for this bug? https://t.co/Ho766cpLyz”


“Can you spot the vulnerability? #codeadvent2022 #Java Sanitization can be tricky, is there a way to exploit this application? https://t.co/JhKcXbONYQ”


“Can you spot the vulnerability? #codeadvent2022 #JS The administrator is happy to click on any of the links you'll send them, what could go wrong? https://t.co/3BmMOgtZGA”


“Can you spot the vulnerability? #codeadvent2022 #Python Urgh, the maintainers of unstable-avatar-service.tld are breaking their DNS every now and then. What do you think of this new version of my avatar proxy? https://t.co/vTkzDX2a0N”


“Can you spot the vulnerability? #codeadvent2022 #csharp This new log ingestion server is super efficient. Let's hope nobody can inject log messages! https://t.co/92rurdax8l”
