This video is about an RCE vulnerability in Github pages. The report on hackerone was rewarded $25,000. The issue exploited a YAML file used to configure Jekyll website.

Reporter’s twitter:
His blog:

Follow me on twitter:

Opensnoop tool:

00:00 Intro
00:28 What is Github Pages?
00:56 What is Jekyll?
01:46 What is Kramdown?
02:17 The root cause of the vulnerability
03:34 Uploading our .rb file on the server
04:25 Winning the race condition
05:23 The fix, reward and outro


Add comment

Your email address will not be published. Required fields are marked *