Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Free Bugs Campaign

Avatar for 8ayac 8ayac
March 11, 2019
Technology
0
930

Free Bugs Campaign

Burp Suite Japan LT Carnivalの登壇資料

Avatar for 8ayac

8ayac

March 11, 2019
Tweet

More Decks by 8ayac

See All by 8ayac
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
Avatar for 8ayac 8ayac
0
1.8k
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
Avatar for 8ayac 8ayac
0
540

Other Decks in Technology

See All in Technology
Amazon CloudWatchのメトリクスインターバルについて / Metrics interval matters
Avatar for ymotongpoo ymotongpoo
3
290
AIを使っていい感じにE2Eテストを書けるようになるまで / Trying to Write Good E2E Tests with AI
Avatar for Akihiro Yokota katawara
3
1.9k
OpenTelemetry の Log を使いこなそう
Avatar for Shota Iwami biwashi
5
1.1k
怖くない!GritQLでBiomeプラグインを作ろうよ
Avatar for 晴れ井戸 pal4de
1
140
手動からの解放!!Strands Agents で実現する総合テスト自動化
Avatar for 井手亮太 ideaws
3
390
私とAWSとの関わりの歩み~意志あるところに道は開けるかも?~
Avatar for nagisa_53 nagisa53
1
140
MCPと認可まわりの話 / mcp_and_authorization
Avatar for convto convto
2
300
KCD Lima: eBee in Peru!
Avatar for Liz Rice lizrice
0
110
「手を動かした者だけが世界を変える」ソフトウェア開発だけではない開発者人生
Avatar for Yasuhiro Onishi onishi
15
7.6k
東京海上日動におけるセキュアな開発プロセスの取り組み
Avatar for miyabit miyabit
0
200
複数のGemini CLIが同時開発する狂気 - Jujutsuが実現するAIエージェント協調の新世界
Avatar for Gunther Brunner gunta
13
3.8k
Kiroから考える AIコーディングツールの潮流
Avatar for Oikon s4yuba
1
430

Featured

See All Featured
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.7k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
58
9.5k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
278
23k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.8k
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
33
2.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
54
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k

Transcript

  1. None

  2. : -> @8ayac (Twitter/HackerOne/Flickr) 2 PSIRT (’18/04~) MBSD Cybersecurity Challenges

    (’17/’18) GitLab Bug Bounty Program - Hall of Fame 7 (2018) 45 BugHunt / (←New!) CWE CWE-79 / CWE-400 Follow @8ayac 1

  3. Follow @8ayac 2

  4. Free Bugs Campaign Follow @8ayac 3

  5. Free Hugs Campaign ※ Follow @8ayac 4

  6. None
  7. None

  8. Burp Pro Cy-PSIRT HackerOne Follow @8ayac 7

  9. CVE-XXXX-XXXX … ( Burp Pro ) Follow @8ayac 8

  10. None

  11. Follow @8ayac 10

  12. Follow @8ayac 11

  13. None
  14. None

  15. Follow @8ayac 14

  16. Follow @8ayac 15

  17. + DEMO + α Stored XSS(1) - $0 - $0

    Stored XSS(2) - $0 Free Bugs Campaign Follow @8ayac 16
  18. None

  19. OSS GitLab Issue Tracker / ✨ Follow @8ayac 18

  20. None

  21. Title: Issue Stored XSS Issue Type: XSS(CWE-79) Severity: High(7~8.9) Affected

    Versions: 11.3.x < 11.3.1 11.2.x < 11.2.4 11.1.x < 11.1.7 Report: https://hackerone.com/reports/384255 Follow @8ayac 20
  22. None

  23. https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2 Follow @8ayac 22

  24. None

  25. Follow @8ayac 24

  26. Follow @8ayac 25

  27. Follow @8ayac 26

  28. Follow @8ayac 27

  29. GitLab Public Program 10 Follow @8ayac 28

  30. Title: Issue Type: Information Exposure Through Browser Caching(CWE-525) Severity: Medium

    Affected Versions: 11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/407763 Follow @8ayac 29
  31. None

  32. https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e Follow @8ayac 31

  33. None

  34. Follow @8ayac 33

  35. Follow @8ayac 34

  36. Follow @8ayac 35

  37. Follow @8ayac 36

  38. Follow @8ayac 37

  39. Follow @8ayac 38

  40. Follow @8ayac 39

  41. Follow @8ayac 40

  42. Follow @8ayac 41

  43. Follow @8ayac 42

  44. Public Program Private Follow @8ayac 43

  45. Title: Stored XSS Issue Type: XSS(CWE-79) Severity: High Affected Versions:

    11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/409380 Follow @8ayac 44
  46. None

  47. Follow @8ayac 46

  48. None
  49. None

  50. GitLab Public Program ! !(Low $1000) : https://hackerone.com/gitlab/policy_versions?change=3597572# Follow @8ayac

    49

  51. Follow @8ayac 50

  52. Follow @8ayac 51

  53. Follow @8ayac 52

  54. Follow @8ayac 53

  55. Follow @8ayac 54

  56. Follow @8ayac 55

  57. Follow @8ayac 56

  58. None
  59. None

  60. @zseano : Are you submitting bugs for free when others

    are being paid?... Follow @8ayac 59

  61. Follow @8ayac 60

  62. Private Private Researcher Follow @8ayac 61

  63. Private Private Researcher Follow @8ayac 62

  64. Free Bugs Campaign : Public Private Follow @8ayac 63

  65. Follow @8ayac 64

  66. Follow @8ayac 65

  67. None

  68. $500 ( ) “Private Program” GitLab ( HackEDU) 100 Burp

    ( ) Follow @8ayac 67