Dancer2, HTML and Bug bounty

For the past 3 weeks I have been working on 3 official projects and 1 personal one. 2 of these project included either development or integration with the Perl dancer2 web development tool kit. Learning dancer has been a steep learn course and it’s had its difficulties but overall, it’s a great learning experience.

The first two projects are about creating a two factor authentication module. I thought of creating two types. One using a QR code Authentication process while the other would use an email account to receive the OTP for authentication. So far, I have been cracking at the QR code authentication and I have not been able to successfully get it working. I have been stuck at getting it to generate the QR image. On the other hand, the email authentication is progressing nicely. At the moment, I am working on the email delivery module which would send the OTP to the user’s email address. This involves using the dancer SMTP class. Final testing would be done today and I should be able to meet up with the deadline at least for the email authentication will I still tinker with the QR code method.

The zroc demo webpage was the other project I was entrusted with. It was supposed to be partly interactive. By this I mean get user input and use that input to generate customized output. Again, Dancer2 was supposed to be used here and sadly once again, I had issues integrating the static HTML and CSS page with dancer. My biggest issue was getting the pictures and buttons to retain their absolute position when opened on different screen sizes. At the end of this project, I am more comfortable developing static webpages with HTML and CSS even though I still have a long way to go with dancer2 development.

On a plus side, I managed to finally complete a personal project. I was able to finish setting up a phishing toolkit o have been working on for a while now. This toolkit is unique in that it is able to bypass 2fa. It does this by not just collecting user credentials but by also saving the authenticated session cookies to a file so it can be reused at a later time. I had to learn the basics of node.js in order to handle file manipulation. I also learnt how to configure and use the puppeteer frame work for headless browser automation. This will definitely come in handy when running phishing simulation tests for organizations.

Finally, I was able to to set up the bug bounty master folder on OneDrive. This folder would be accessible to every zroc team member. So far, just over 20 targets have been selected and I have personally been working to find bugs on one of the targets (Netflix).