Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Free Bugs Campaign
Search
8ayac
March 11, 2019
Technology
0
830
Free Bugs Campaign
Burp Suite Japan LT Carnivalの登壇資料
8ayac
March 11, 2019
Tweet
Share
More Decks by 8ayac
See All by 8ayac
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
8ayac
0
1.7k
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
8ayac
0
410
Other Decks in Technology
See All in Technology
四国のあのイベントの〇〇システムを45日間で構築した話 / cloudohenro2024_tachibana
biatunky
0
230
OCI コスト管理
ocise
1
130
疎通2024
sadnessojisan
5
800
実践的なバグバウンティ入門
scgajge12
4
2.2k
AI でアップデートする既存テクノロジーと、クラウドエンジニアの生きる道
soracom
PRO
1
270
MySQLのあらたしいリリースモデル LTSとIR
sakaik
1
120
目標設定と習慣化で今よりも一歩生産性を上げる
sansantech
PRO
7
2.3k
スーパーマリオRPGのリメイク版の変更点からみるUX
nishiharatsubasa
1
220
20240906_JAWS_Yamanashi_#1_leap_beyond_the_AWS_all_certifications
tsumita
1
190
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
cybozuinsideout
PRO
9
41k
脆弱星に導かれて
nishimunea
1
1.6k
リクルート新人研修2024 テキスト生成AI活用
recruitengineers
PRO
10
450
Featured
See All Featured
Facilitating Awesome Meetings
lara
49
5.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
46
48k
Navigating Team Friction
lara
183
13k
How To Stay Up To Date on Web Technology
chriscoyier
785
250k
Visualization
eitanlees
142
15k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
27
8.9k
GitHub's CSS Performance
jonrohan
1029
450k
Making Projects Easy
brettharned
113
5.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
103
47k
Building a Modern Day E-commerce SEO Strategy
aleyda
35
6.8k
StorybookのUI Testing Handbookを読んだ
zakiyama
25
5k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
33
1.7k
Transcript
None
: -> @8ayac (Twitter/HackerOne/Flickr) 2 PSIRT (’18/04~) MBSD Cybersecurity Challenges
(’17/’18) GitLab Bug Bounty Program - Hall of Fame 7 (2018) 45 BugHunt / (←New!) CWE CWE-79 / CWE-400 Follow @8ayac 1
Follow @8ayac 2
Free Bugs Campaign Follow @8ayac 3
Free Hugs Campaign ※ Follow @8ayac 4
None
None
Burp Pro Cy-PSIRT HackerOne Follow @8ayac 7
CVE-XXXX-XXXX … ( Burp Pro ) Follow @8ayac 8
None
Follow @8ayac 10
Follow @8ayac 11
None
None
Follow @8ayac 14
Follow @8ayac 15
+ DEMO + α Stored XSS(1) - $0 - $0
Stored XSS(2) - $0 Free Bugs Campaign Follow @8ayac 16
None
OSS GitLab Issue Tracker / ✨ Follow @8ayac 18
None
Title: Issue Stored XSS Issue Type: XSS(CWE-79) Severity: High(7~8.9) Affected
Versions: 11.3.x < 11.3.1 11.2.x < 11.2.4 11.1.x < 11.1.7 Report: https://hackerone.com/reports/384255 Follow @8ayac 20
None
https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2 Follow @8ayac 22
None
Follow @8ayac 24
Follow @8ayac 25
Follow @8ayac 26
Follow @8ayac 27
GitLab Public Program 10 Follow @8ayac 28
Title: Issue Type: Information Exposure Through Browser Caching(CWE-525) Severity: Medium
Affected Versions: 11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/407763 Follow @8ayac 29
None
https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e Follow @8ayac 31
None
Follow @8ayac 33
Follow @8ayac 34
Follow @8ayac 35
Follow @8ayac 36
Follow @8ayac 37
Follow @8ayac 38
Follow @8ayac 39
Follow @8ayac 40
Follow @8ayac 41
Follow @8ayac 42
Public Program Private Follow @8ayac 43
Title: Stored XSS Issue Type: XSS(CWE-79) Severity: High Affected Versions:
11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/409380 Follow @8ayac 44
None
Follow @8ayac 46
None
None
GitLab Public Program ! !(Low $1000) : https://hackerone.com/gitlab/policy_versions?change=3597572# Follow @8ayac
49
Follow @8ayac 50
Follow @8ayac 51
Follow @8ayac 52
Follow @8ayac 53
Follow @8ayac 54
Follow @8ayac 55
Follow @8ayac 56
None
None
@zseano : Are you submitting bugs for free when others
are being paid?... Follow @8ayac 59
Follow @8ayac 60
Private Private Researcher Follow @8ayac 61
Private Private Researcher Follow @8ayac 62
Free Bugs Campaign : Public Private Follow @8ayac 63
Follow @8ayac 64
Follow @8ayac 65
None
$500 ( ) “Private Program” GitLab ( HackEDU) 100 Burp
( ) Follow @8ayac 67
☺