Client-side path traversal vulnerability class explained – $6,580 GitLab bug bounty
✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw
This video explains a very rare vulnerability class called client-side path traversal. Despite the name, it has very little in common with the classical (server-side) path traversal attack. Client-side path traversal lets an attacker perform a CSRF-like attack against endpoints that should not be vulnerable to CSRF at all. The bug was discovered and reported to GitLab by Johan Carlsson, who received a bounty of $6,580 for it.
Report: https://gitlab.com/gitlab-org/gitlab/-/issues/365427
Reporter’s Twitter: https://twitter.com/joaxcar
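To make the vulnerability class concrete, here is an added illustration of the general client-side path traversal pattern. It is not code from the video, from Johan's report, or from GitLab: the origin, paths, endpoint names and token are all hypothetical. The endpoint is "CSRF-safe" in the usual sense (it requires a JSON body and a custom anti-CSRF header that a cross-site form cannot set), but the app's own front-end attaches that header to every same-origin request and builds the request path from a URL parameter, so an attacker-crafted link makes the browser's URL parser resolve `../` segments and send the authenticated request to a different same-origin endpoint.

```javascript
// Added example, not code from the video or from GitLab: a hypothetical
// single-page app whose front-end builds API paths from a URL parameter.
// Origin, paths, token and endpoint names below are all made up.

const ORIGIN = "https://app.example";          // hypothetical origin
const CSRF_TOKEN = "tok-constructed-sample";    // constructed sample token

// Simulated fetch wrapper. Real front-end code would call fetch(); here the
// request is only recorded so the example runs offline. The point is that
// the wrapper attaches the anti-CSRF header to every same-origin request,
// which is exactly why a plain cross-site form cannot reach these endpoints.
function apiRequest(url, method, body) {
  return {
    method,
    path: url.pathname,
    query: url.search,
    headers: { "X-CSRF-Token": CSRF_TOKEN, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Vulnerable: the project id read from the page URL is spliced into an API
// path verbatim. The browser's URL parser resolves "../" segments before the
// request leaves the client, so the id can redirect the request to any
// same-origin path (client-side path traversal).
function postCommentVulnerable(pageSearch, comment) {
  const projectId = new URLSearchParams(pageSearch).get("project");
  const url = new URL(`/api/projects/${projectId}/issues`, ORIGIN);
  return apiRequest(url, "POST", { comment });
}

// Hardened: accept only a single well-formed path segment and percent-encode
// it, so neither "../" nor "?" / "#" can alter the resolved path.
function postCommentSafe(pageSearch, comment) {
  const projectId = new URLSearchParams(pageSearch).get("project") ?? "";
  if (!/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/.test(projectId)) {
    throw new Error(`rejected project id: ${JSON.stringify(projectId)}`);
  }
  const url = new URL(`/api/projects/${encodeURIComponent(projectId)}/issues`, ORIGIN);
  return apiRequest(url, "POST", { comment });
}

// Benign deep link: ?project=42 -> POST /api/projects/42/issues
const benign = "?project=42";

// Attacker-crafted link the victim is lured into opening (constructed). The
// id climbs two levels out of /api/projects/ and ends in "?", so the fixed
// "/issues" suffix is pushed into the query string instead of the path.
const malicious =
  "?project=" + encodeURIComponent("../../admin/users/42/promote?");

// Runs both variants and returns where each request would actually go.
function demo() {
  let safeError = null;
  try {
    postCommentSafe(malicious, "hi");
  } catch (e) {
    safeError = e.message;
  }
  return {
    benignPath: postCommentVulnerable(benign, "hi").path,       // /api/projects/42/issues
    hijackedPath: postCommentVulnerable(malicious, "hi").path,  // /admin/users/42/promote
    hijackedQuery: postCommentVulnerable(malicious, "hi").query, // ?/issues
    safeError,                                                  // rejected project id: ...
  };
}
```

The hijacked request still carries the victim's session cookie and the `X-CSRF-Token` header, which is what makes this CSRF-like on an endpoint that an ordinary cross-site form could never reach. The fix is the same as for any untrusted path component: validate the value as a single segment and encode it, rather than trusting that the endpoint's CSRF protection covers requests the app sends to itself.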
You can also listen to the interview I recorded with Johan for my Bug Bounty Reports Discussed podcast:
YouTube: https://youtu.be/SEMeY2HGuVw
Spotify: https://open.spotify.com/show/6tLoJ5foOoZPPELwrHPBO4
Google Podcasts: https://podcasts.google.com/feed/aHR0cHM6Ly93d3cuc3ByZWFrZXIuY29tL3Nob3cvNTA3Mzc4MS9lcGlzb2Rlcy9mZWVk
Apple Podcasts: https://podcasts.apple.com/us/podcast/bug-bounty-reports-discussed/id1583400215?uo=4
Get $100 in credits for Digital Ocean: https://bbre.dev/do
Timestamps:
00:00 Intro
00:41 Why CSRF should not be possible here?
01:55 GitLab-Sentry integration
03:31 Client-side path traversal vulnerability in GitLab