Check out the free, 2-week trial of Detectify:
https://www.detectify.com/BBRE

✉️ Sign up for the mailing list ✉️
https://mailing.bugbountyexplained.com/

This video is an explanation of a bug bounty report submitted to the GitLab bug bounty program via HackerOne by William Bowling. It was a four-step XSS with a CSP bypass that was ultimately escalated to a critical server-side vulnerability allowing arbitrary files to be read from the server. The bug hunter was awarded a $16,000 bug bounty for this report.

Get $100 in credits for Digital Ocean
https://m.do.co/c/cc700f81d215

Report:
https://hackerone.com/reports/1212067

Reporter's Twitter:
https://twitter.com/wcbowling

Follow me on Twitter:
https://twitter.com/gregxsunday

Timestamps:

00:00 Intro
00:32 Detectify – the sponsor of today’s video
01:37 Escaping href attribute
03:02 How to bypass filename validation?
03:54 XSS without spaces and /
06:32 How to bypass CSP?
07:37 Escalating the XSS to arbitrary file read
