CRLF + XSS + cache poisoning = Access to Github private pages for $35k bounty

preview_player
Показать описание
✉️ Get the 1st issue of the BBRE newsletter and sign up for the next ones ✉️

This video is an explanation of bug bounty report submitted by 17-years-old Robert Chen and 14-years-old Phillip on Hackerone to Github's private bug bounty program. The vulnerability was CRLF combined with XSS and cache poisoning that allowed reading private pages. It was paid out $35,000.

🖥 Get $100 in credits for Digital Ocean 🖥

Report:

Reporters' twitter:

Follow me on twitter:

Timestamps:
00:00 Intro
00:24 What is BBRE newsletter?
01:10 Github Pages auth flow
02:33 XSS by CRLF
04:57 Bypassing Nonce and __Host cookie
08:44 Cache poisoning
09:49 Attacking from outside the org
  1. Bug Bounty Reports Explained
  2. crlf
  3. xss
  4. cache poisoning
  5. crlf vulnerability
  6. Carriage Return Line Feed vulnerability
Рекомендации по теме
CRLF + XSS 0:11:22

CRLF + XSS + cache poisoning = Access to Github private pages for $35k bounty

crlf injection to 0:03:22

crlf injection to XSS #bugbounty

$750 Bounty for 0:00:21

$750 Bounty for Cache Poisoning Allows Stored XSS | Bug Bounty 2023

CRLF to Blind 0:02:00

CRLF to Blind XSS Injection Vulnerability || POC || Bug Bounty || Dolby

crlf injection 0:00:14

crlf injection

Cache Poisoning - 0:16:02

Cache Poisoning - CRLF Attack Side Effect - Web Application Security Session5

How to detect 0:03:36

How to detect the site for CRLF Injection

Web Cache Deception 0:00:57

Web Cache Deception POC | Bug Bounty POC | Lazy Pentester

CRLF Injection Tutorial: 0:13:29

CRLF Injection Tutorial: Using Burp Bounty Extension 🔴🔴

CRLF Injection | 0:01:35

CRLF Injection | Bug Bounty POC | Lazy Pentester

web cache poisoning 0:01:01

web cache poisoning [bugbounty]

Web Cache Poisoning 0:01:15

Web Cache Poisoning PoC - Bug Bounty

HTTP Response Splitting 0:00:31

HTTP Response Splitting (CRLF injection) in report_story (Twitter)

What is CRLF 0:05:20

What is CRLF Injection?

$200 - CRLF 0:01:11

$200 - CRLF Injection - Http Response Splitting on www.exness.com | #HackerOne

$200 Bounty - 0:01:48

$200 Bounty - CRLF Injection - Http Response Splitting | www.exness.com | #HackerOne | #mufazmi

CRLF Injection Vulnerability 0:01:13

CRLF Injection Vulnerability | McAfee | Bug Bounty POC

Cache Poisoning? - 0:22:02

Cache Poisoning? - Solution to November '22 XSS Challenge

155 - Akamai 0:33:06

155 - Akamai Cache Poisoning and a Chrome Universal XSS [Bug bounty Podcast]

Fleep.io HTTP Header 0:00:34

Fleep.io HTTP Header Injection | Response Splitting | CRLF

$4,250 Bounty for 0:00:56

$4,250 Bounty for Stored XSS | Bug Bounty 2020

Hack CRLF Injection 0:04:35

Hack CRLF Injection Demonstration

Web cache poisoning 0:01:33

Web cache poisoning through--- host header attack :)

04. CRLF injection 0:09:41

04. CRLF injection POC with it's impact - Details information about CRLF - Professor

Комментарии
Автор

Hi! Welcome to the comment section! I hope you enjoyed the video!
You have time until Saturday 8th May to sign up if you want to receive the 2nd newsletter.

BugBountyReportsExplained
Автор

It's amazing how 2 high school students did all that! now those are some newborn legends

ahmadshami
Автор

Clear and concise explaination . thankyou for helping the community .

brijendarsingh
Автор

Holyyyy moly! This is huges! Thanks and this channel it's amazing!

estebanroman
Автор

Another fantastic explanation, super concise and easy to understand as always! Thanks for working so hard to keep us update to date and informed. Noticing that little distinction in the source code between converting to int for accessing the page but not when setting the cookie val as a 14 and 17 year old is seriously impressive. Not to mention the cookie scoping bypasses afterwards. Pretty sure at that age I was nothing more than a dumb script kiddie pressing buttons on Havij 😂

-bubby
Автор

Crazy. I'm 14 and these guys are obviously doing some crazy stuff!

SPwn
Автор

You the man, i love your videos, and the time you put into them. I was always wondering when someone would, reverse engineer the bugs so we can see how they went about finding the bug, along with a proof of concept. I knew the young wipper snappers would rise up and make my job even harder, lol. I love that shirt, looks good on you. I go the gym as well, have to fill out my club shirts, hehe.

bugrd_hunter
Автор

Success unlocked: pay back the bank for all school years.

blablablabla