
In the hunt for security issues, the pursuit of unexplored assets and hidden endpoints often ends up distracting you from the obvious but still essential functionality.
That is exactly what happened with PayPal: the login page, the most visible functionality there is, turned out to be the weak spot.
A JavaScript file served by PayPal leaked values that made a CSRF attack possible.

The investigation started from the JavaScript loaded by the login page.
One of the scripts was exposed to XSSI (cross-site script inclusion): an attacker's page can load it with a plain <script> tag, which is not restricted by CORS, and the browser attaches the victim's PayPal cookies to that request.
Whatever such a script does is visible to the including page: any value it assigns to a global variable can be read by the attacker's code.

The script set several session-bound values, among them _csrf and _sessionID.
The _csrf token is PayPal's anti-CSRF defence: anyone who holds it can forge state-changing requests inside the victim's session.
PayPal's tokens are long and random, so brute force is not an option, but an XSSI leak hands them over without any guessing.

The next question was which request was worth forging. After a few failed login attempts PayPal shows a Google reCAPTCHA, and the solution is submitted with a POST to /auth/validatecaptcha.

With _csrf and _sessionID in hand, that POST can be sent from an attacker-controlled page on the victim's behalf.
The captcha itself is not a barrier: the attacker can solve it and include the response in the forged request.

What made the endpoint dangerous was its response, not the check it performed.
The reCAPTCHA token is issued by Google for the site, not for the session, so the attacker solves the captcha in their own browser and submits the result together with the stolen tokens.
The response from /auth/validatecaptcha re-sent the login form that had triggered the captcha, including the email and password from the victim's most recent login attempt, in plain text.
Chained together: XSSI leaks _csrf and _sessionID; the leaked tokens authenticate a forged POST to /auth/validatecaptcha; the response discloses the victim's credentials.

Timeline.
The report was submitted to PayPal's bug bounty program on HackerOne on November 18, 2019. PayPal paid a $15,300 bounty on December 10; the issue was rated CVSS 8 (high).
Other timeline figures survive here only as the bare numbers 24 and 5.
The fix closed the CSRF on /auth/validatecaptcha.
The takeaway is the one the opening paragraph warned about: the most obvious functionality, the login form everybody assumes has been checked, is where a high-severity bug sat.
«Obvious» is not the same as «verified»; the familiar endpoints deserve the same scrutiny as the hidden ones.
