Open Bug Bounty selected among the
Top 5 Bug Bounty programs to watch
in 2021 by The Hacker News

For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,099,746 coordinated disclosures
669,837 fixed vulnerabilities
1,437 bug bounty programs, 2,861 websites
25,157 researchers, 1,374 honor badges

Pyae_Phyo_Thu | Security Researcher Profile


Security researcher Pyae_Phyo_Thu has already helped fix 335 vulnerabilities.



Researcher reputation:  60

Real name:
Pyae Phyo Thu

About me:
I am a Junior Cyber Security Specialist/Penetration Tester @ RITZ.com.mm. Over 3 years of total experience, with 2 years in professional penetration tester career, I've identified major security vulnerabilities in well-known enterprise companies of Myanmar.I've found CVE-2020-8591, CVE-2020-8592 in eG Manager, which is one of the IT performance monitoring software.

Contact email:
[email protected]

Alternative Contacts:
https://pyaephyothu.com/

Certifications & Diplomas:
B.C.Tech

Experience in Application Security
1-3 years

Award / Bug Bounty I prefer:
Bug Bounty as Money,
Acknowledgement Letter or Certificate,
Swag (T-shirts/Goodies/Backpack),
Hall of Fame

Halls of Fame:
Dell, ASUS, SAP, iflix, Bosch, APKPure, Lenovo, University of Oxford, JumpShare, eG Innovations, Inc, Owayride, Starticket, FileNurse

Follow me on:
Twitter
Facebook
LinkedIn

Recommendations and Acknowledgements

@mousepotatothet     16 November, 2018
    Twitter mousepotatothet Wint Mie from Oway Ride:
Thanks to your continuous support, sharing the security vulnerability, and keeping our cyber space secure.
@ngjermundshaug     13 November, 2018
    Twitter ngjermundshaug Njal Gjermundshaug from [email protected]:
Awesome work - you seem very skilled. Best of luck with university and career.
@eulenberger     25 May, 2018
    Twitter eulenberger Sven from netclusive GmbH:
Great work! Thank you.

Please login via Twitter to add a recommendation

Honor Badges


Number of Secured Websites

10+ Secured Websites Badge
50+ Secured Websites Badge
500+ Secured Websites Badge
Web Security Veteran Badge
10+ Websites
50+ Websites
500+ Websites
WEB SECURITY VETERAN
1000+ Websites

Advanced Security Research

WAF Bypasser Badge
CSRF Master Badge
AppSec Logic Master Badge
Fastest Fix Badge
WAF Bypasser
CSRF Master
30+ Reports
AppSec Logic Master
30+ Reports
Fastest Fix
Fix in 24 hours

Outstanding Achievements

Secured OBB Badge
OBB Advocate Badge
Improved OBB Badge
Secured OBB
OBB Advocate
Improved OBB

Commitment to Remediate and Patch

Patch Master Badge
Patch Guru Badge
Patch Lord Badge
Patch Master
55% Patched
Patch Guru
65% Patched
Patch Lord
75% Patched

Recommendations and Recognition

REPUTABLE Badge
FAMOUS Badge
GLOBALLY TRUSTED Badge
REPUTABLE
10+ Recommends
FAMOUS
25+ Recommends
GLOBALLY TRUSTED
50+ Recommends

Distinguished Blog Author

Distinguished Blog Author Badge
Distinguished Blog Author Badge
Distinguished Blog Author Badge
1 Post
3 Posts
5+ Posts

Research Statistics



Total reports:387
Total reports on VIP sites:40
Total patched vulnerabilities:335
Recommendations received:3
Active since:01.12.2017

Open Bug Bounty Certificate


Researcher Certificate

Reported Vulnerabilities

All Submissions VIP SubmissionsFeatured Submissions


26.08.2021  eG Manager v7.1.2: Improper Access Control lead to Remote Code Execution (CVE-2020-8591)

Improper Access Control to Remote Code Execution (CVE-2020-8591)

In this post. I will explain how I hacked a whole system by exploiting improper access control vulnerability in the popular java-based MaaS software "eG Manager" and how I can escalated it to execute code remotely.

Impact

The Improper Access Control weakness describes a case where software fails to restrict access to an object properly. A malicious user can compromise security of the software and perform certain unauthorized actions by gaining elevated privileges, reading otherwise restricted information, executing commands, bypassing implemented security mechanisms, etc.

  Latest Patched

 19.10.2021 ulakbim.gov.tr
 19.10.2021 societe.com
 19.10.2021 tga.gov.au
 19.10.2021 mydomain.com
 19.10.2021 ipower.com
 19.10.2021 picuki.com
 19.10.2021 filmdaily.co
 19.10.2021 fileforum.com

  Latest Blog Posts

08.10.2021 by NNeuchi
How I Found My First Bug Reflected Xss On PIA.GOV.PH(Philippine Information Agency)
26.08.2021 by PyaePhyoThu98
eG Manager v7.1.2: Improper Access Control lead to Remote Code Execution (CVE-2020-8591)
14.07.2021 by Open Bug Bounty
Interview With Open Bug Bounty
25.05.2021 by 0xrocky
Google XSS Game
25.05.2021 by ShivanshMalik12
Testing for XSS (Cross Site Scripting)

  Recent Recommendations

@xnih     18 October, 2021
    Twitter xnih:
Thanks to mistry4592 for his report and extra feedback on the issue. He was quick to provide us a link to reproduce the issue when asked!
@abulte     15 October, 2021
    Twitter abulte:
JlsPentest has responsibly disclosed a confirmed vulnerability. It had already been patched on our latest dev build but we still appreciated the report and the professional way it has been handled.
@vinitbhoir543     15 October, 2021
    Twitter vinitbhoir543:
Our team would like to thank you for finding vulnerability on our website.
@kitcert     14 October, 2021
    Twitter kitcert:
KIT-CERT would like to thank Tanzil Khan for responsibly disclosing an XSS-Vulnerability on one of our departments websites and offering the time required to fix the issue!
@diogenesverlag     13 October, 2021
    Twitter diogenesverlag:
Thanks a lot for reporting this bug and thus making our site more secure.