Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Free Bugs Campaign
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
8ayac
March 11, 2019
Technology
980
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Free Bugs Campaign
Burp Suite Japan LT Carnivalの登壇資料
8ayac
March 11, 2019
More Decks by 8ayac
See All by 8ayac
MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド
8ayac
0
1.9k
MBSD Cybersecurity Challenges 2017 最終審査会 発表スライド
8ayac
0
660
Other Decks in Technology
See All in Technology
Claude Code公式skillで 自分の仕事を少しずつ手放そう!(Claude Code開発ノウハウ大公開スペシャル by クラスメソッド)
kaym
1
250
Making sense of Google’s agentic dev tools
glaforge
1
180
LLM/Agent評価:トップ営業の発言を「正解」にする 〜暗黙的正解による評価を営業資産に変える〜
takkuhiro
1
210
AICoEでAIネイティブ組織への進化
yukiogawa
0
160
「早く出す」より「事業に効く」 ── 顧客の業務サイクルから逆算するAI時代の二重ループ開発と「変化の設計者」 / devsumi2026
rakus_dev
1
210
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
2
270
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
8.4k
Empower GenAI with Agile - あなたのアジャイルが生成AIのバフになる仕組み
hageyahhoo
1
170
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
270
プロダクトだけじゃない、社内プロセスにおける自動化・省力化ノススメ
kakehashi
PRO
1
3.6k
はじめてのWDM
miyukichi_ospf
1
140
「最後に責任を取るのはチーム」— 人間のPRレビューを最小化してアップデートしたメンタルモデル
jnishime_dresscode
0
540
Featured
See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.4k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
210
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
750
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Code Reviewing Like a Champion
maltzj
528
40k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
287
14k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.9k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
260
Odyssey Design
rkendrick25
PRO
2
730
A brief & incomplete history of UX Design for the World Wide Web: 1989–2019
jct
2
420
For a Future-Friendly Web
brad_frost
183
10k
Transcript
None
: -> @8ayac (Twitter/HackerOne/Flickr) 2 PSIRT (’18/04~) MBSD Cybersecurity Challenges
(’17/’18) GitLab Bug Bounty Program - Hall of Fame 7 (2018) 45 BugHunt / (←New!) CWE CWE-79 / CWE-400 Follow @8ayac 1
Follow @8ayac 2
Free Bugs Campaign Follow @8ayac 3
Free Hugs Campaign ※ Follow @8ayac 4
None
None
Burp Pro Cy-PSIRT HackerOne Follow @8ayac 7
CVE-XXXX-XXXX … ( Burp Pro ) Follow @8ayac 8
None
Follow @8ayac 10
Follow @8ayac 11
None
None
Follow @8ayac 14
Follow @8ayac 15
+ DEMO + α Stored XSS(1) - $0 - $0
Stored XSS(2) - $0 Free Bugs Campaign Follow @8ayac 16
None
OSS GitLab Issue Tracker / ✨ Follow @8ayac 18
None
Title: Issue Stored XSS Issue Type: XSS(CWE-79) Severity: High(7~8.9) Affected
Versions: 11.3.x < 11.3.1 11.2.x < 11.2.4 11.1.x < 11.1.7 Report: https://hackerone.com/reports/384255 Follow @8ayac 20
None
https://github.com/gitlabhq/gitlabhq/commit/6d360c210d3d822fc266eecc04753481ae4bda70#diff-ebb2ac556337fa87bae1c9e999fca8cfR2 Follow @8ayac 22
None
Follow @8ayac 24
Follow @8ayac 25
Follow @8ayac 26
Follow @8ayac 27
GitLab Public Program 10 Follow @8ayac 28
Title: Issue Type: Information Exposure Through Browser Caching(CWE-525) Severity: Medium
Affected Versions: 11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/407763 Follow @8ayac 29
None
https://github.com/gitlabhq/gitlabhq/commit/782badd0a2cd00d2a9cbe591e78b30aca32e252b#diff-55c5b7aecfb519d0e4880eaf2788eb6e Follow @8ayac 31
None
Follow @8ayac 33
Follow @8ayac 34
Follow @8ayac 35
Follow @8ayac 36
Follow @8ayac 37
Follow @8ayac 38
Follow @8ayac 39
Follow @8ayac 40
Follow @8ayac 41
Follow @8ayac 42
Public Program Private Follow @8ayac 43
Title: Stored XSS Issue Type: XSS(CWE-79) Severity: High Affected Versions:
11.4.x < 11.4.3 11.3.x < 11.3.8 11.2.x < 11.2.7 Report: https://hackerone.com/reports/409380 Follow @8ayac 44
None
Follow @8ayac 46
None
None
GitLab Public Program ! !(Low $1000) : https://hackerone.com/gitlab/policy_versions?change=3597572# Follow @8ayac
49
Follow @8ayac 50
Follow @8ayac 51
Follow @8ayac 52
Follow @8ayac 53
Follow @8ayac 54
Follow @8ayac 55
Follow @8ayac 56
None
None
@zseano : Are you submitting bugs for free when others
are being paid?... Follow @8ayac 59
Follow @8ayac 60
Private Private Researcher Follow @8ayac 61
Private Private Researcher Follow @8ayac 62
Free Bugs Campaign : Public Private Follow @8ayac 63
Follow @8ayac 64
Follow @8ayac 65
None
$500 ( ) “Private Program” GitLab ( HackEDU) 100 Burp
( ) Follow @8ayac 67
☺