100 hours of reviewing the source code – Bounty vlog #3 – Elastic
? Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
? Follow me on twitter: https://bbre.dev/tw
This video is about my bug bounty journey. This time, I challenged myself to spent 100 hours on a Hackerone’s public bug bounty program: Elasticsearch.
? Get $100 in credits for Digital Ocean: https://bbre.dev/do
Timestamps:
00:00 Intro
00:27 How much time did I spent on setup?
01:24 Path traversal in Datafeeds
04:33 Potential SSRF in package file proxying
05:26 Enterprise search and JRuby
07:25 Badly written regexes in JavaScript
08:48 Funtionality DoS
10:41 Finding a duplicate
11:15 Reversing patches and writing plugins
13:12 Finally, finding a valid bug
14:39 Lessons learned
Add comment