CRLF + XSS + cache poisoning = Access to Github private pages for $35k bounty
https://mailing.bugbountyexplained.com/news1
This video is an explanation of a bug bounty report submitted by 17-year-old Robert Chen and 14-year-old Phillip on Hackerone to Github’s private bug bounty program. The vulnerability chained CRLF injection with XSS and cache poisoning to read private pages. The report was paid out $35,000.
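The mechanism behind the “XSS by CRLF” chapter, as an added example that is not code from the report, from Github, or from the video: a constructed redirect builder that copies an attacker-controlled value straight into a header, a minimal response parser that shows how a CR/LF pair inside that value ends the header block and injects an HTML body, and a hardened builder that rejects the characters. The function names, the payload and the text/plain redirect are assumptions for illustration only.

```javascript
// Added example (not the report's code, not Github's code): how a raw CR/LF
// inside a header value splits an HTTP response and turns a plain redirect
// into an HTML body that runs script.

// Vulnerable builder: copies an attacker-influenced value into a header.
function buildRedirect(location) {
  return [
    'HTTP/1.1 302 Found',
    'Location: ' + location,
    'Content-Type: text/plain',
    '',
    '',
  ].join('\r\n');
}

// Hardened builder: a header value must never contain CR or LF. Rejecting the
// request is the simplest fix; percent-encoding the characters is the other
// common choice.
function buildRedirectSafe(location) {
  if (/[\r\n]/.test(location)) {
    throw new Error('CR/LF not allowed in a header value');
  }
  return buildRedirect(location);
}

// Minimal HTTP/1.1 response parser: what a browser or a cache sees on the wire.
// The first blank line (CRLF CRLF) ends the headers; everything after is body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    // First occurrence wins, as clients treat a duplicated singleton header.
    if (!(name in headers)) headers[name] = line.slice(i + 1).trim();
  }
  return { statusLine: lines[0], headers, body };
}

// Constructed payload (assumption): ends the Location header early, supplies a
// new Content-Type, closes the header block and starts an HTML body. The
// server's own "Content-Type: text/plain" line ends up inside the body.
const PAYLOAD =
  '/\r\nContent-Type: text/html\r\n\r\n<script>alert(document.domain)</script>';

// Runs both builders against the payload and reports what a client would see.
function demo() {
  const poisoned = parseResponse(buildRedirect(PAYLOAD));
  let safeRejected = false;
  try {
    buildRedirectSafe(PAYLOAD);
  } catch (e) {
    safeRejected = true;
  }
  return { poisoned, safeRejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

If a shared cache stores the split response keyed on the request URL, every later visitor of that URL receives the injected body, which is the cache-poisoning step listed in the chapters below; the hardened builder closes the CRLF entry point rather than the cache.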
✉️ Sign up for the mailing list ✉️
https://mailing.bugbountyexplained.com/
☕️ Support my channel ☕️
https://www.buymeacoffee.com/bountyexplained
Get $100 in credits for Digital Ocean
https://m.do.co/c/cc700f81d215
✎Sign up for Pentesterlab from my referral✎
https://pentesterlab.com/referral/Vtch_7hLg32TqA
Report:
https://robertchen.cc/blog/2021/04/03/github-pages-xss
Reporters’ twitter:
https://twitter.com/NotDeGhost
https://twitter.com/ginkoid
Follow me on twitter:
https://twitter.com/gregxsunday
Timestamps:
00:00 Intro
00:24 What is BBRE newsletter?
01:10 Github Pages auth flow
02:33 XSS by CRLF
04:57 Bypassing Nonce and __Host cookie
08:44 Cache poisoning
09:49 Attacking from outside the org