The Circle of Unfixable Security Issues

Not every security issue can be fixed. There exist (what I call) "unfixable" bugs, where you can always argue and shift the goal posts. The idea is to only report these kinds of issues to create an endless stream of bug bounty money!

hackerone reports:

Chapters:
00:00 - Intro
00:30 - Denial of Service with loooong passwords
03:18 - Invalid vs. Valid DoS Reports
05:11 - Deployment Differences
06:54 - Denial of Service vs. Bruteforce Protection
09:27 - IP Rate-Limiting "fix"
12:06 - Locking User Accounts?
13:59 - The Circle of Unfixable Security Issues
15:25 - Vulnerability vs. Weakness
16:49 - The Cybersecurity Industry
19:03 - Conclusion: Cybersecurity vs. Hacking
21:34 - Outro

Comments

An important point: most programs mention that DoS reports are not eligible for a bounty. So do read the policy before spending your time, guys!

DragonStoneCreations

I've tried reporting a DoS to a company which literally just involves sending a request to their API with a deeply nested array as the request body, which wasn't accepted, making me all the more mad seeing these bogus reports getting accepted and receiving a bounty.

hhhhhhhhhhhhhhhhhhhhhh

From personal experience, DoS vulnerabilities are usually addressed if and when they become an actual issue. There is no point in defending against theoretical scenarios, especially if they are rather contrived.

MechMK

So what you're saying is, instead of looking for bugs in code, look for bugs in the bug bounty programs.

BalintCsala

It's up to the programs to adapt their policy. If DoS is in the policy, the bug hunter is not at fault for reporting it.

gcm

Wait, has LiveOverflow just found an exploit in the bounty system? Is this a vulnerability that should be fixed?

vix

12:30 I thought there was an intruder in my house, dude. Scared the s out of me.

bimalpandey

12:33 and 12:36 literally scared me for a second; I just thought the background sound was coming from my device.

prakharx

Alex from TCM Security recommended this channel in one of his live streams, and he's right; the content here is excellent; thanks for sharing liveoverflow.

demotedcder

@liveoverflow I am a pentester, and for me there is a distinction between DoS ('attack by a single IP') and DDoS ('attack by multiple IPs'). If I see that I can render the server unavailable for other users simply by using one machine, I will report it as an issue. To me it is unacceptable, since a single machine should not have the ability to affect other users of the platform. Especially when it comes paired with a function that sends email or writes to a SQL store, since there is absolutely no reason why a legitimate user would need to inject 5000 calendar items in 1 minute, for example. It's not about complete protection, but it's about putting up boundaries.

izbromz

11:06 you're brushing off a legitimate report here. The report says that IPv6 rate limiting is not properly implemented, rate-limiting the single IP instead of the subnet. The IPv6 spec requires that each device can select its IP itself from a /64 subnet (at least). That is 2x the bit size of the whole IPv4 space, more IPs than you could ever use, making this way of IPv6 rate-limiting ineffective. IPv6 needs to be IP-rate-limited/banned differently from IPv4.

leumasme

Thanks for this and your HospitalRun video; it is great to expose these issues that are potentially working against improving the state of infosec.

korockinout

Bug Report: WTF is that voice at 12:33

homelabsmart

It's funny how these people say "there is money in hacking, it's easy", but then fail to mention that all that money is pretty much unreachable for people at the start. All the veterans claim it by running automation bots. This is the same with web bug bounties. Unless you're at an advanced level, you really don't have a chance.

impostorsyndrome

IMHO there's an additional factor that needs to be considered - in at least some cases it would be difficult to exclude these bogus DoS reports without also excluding important security flaws from a bug bounty program, and even if the fixes for these trivial attacks cost more than just buying some bandwidth that extra cost might still be worth it to a project in order to catch those actually sinister bugs.

bosstowndynamics

Glad you mentioned threat models. One of the most annoying things that happens regularly in my job is we get messages that we need to "fix" CVEs related to third party dependencies. Normally we just end up patching the software even if there is no actual attack vector for the CVE to be relevant to our software because that's easier than analyzing and documenting why it is irrelevant. Same thing applies to most findings from penetration tests.

timseguine

A video to impress laymen with no clue. Max string length setting for the input form? Problem fixed. The second problem is a self-own/dev skill issue. Don't use sleep to rate limit. Limit user actions.

excitedbox

I thought it would be some normal video because of the title, but being honest, this was one of the most informative videos I've watched.

itsanantsingh

Sleeping is a dumb solution for me. Why not just check with a Redis DB and just drop requests? Why sleep and hang the process?
That's how I would do it, because I'm so used to writing non-blocking code for single-core microcontrollers, where we usually avoid a blocking state at all costs to avoid "wasting" cycles.

justbendev
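The two comments above (keying IPv6 rate limits on the /64 instead of the single address, and dropping over-limit requests instead of sleeping) are combined in this added example; it is not code from the video or from any project it mentions. Assumptions: a /64 is the smallest prefix a host is normally handed, the in-memory dict stands in for the Redis store the comment suggests, and the constructed addresses are documentation-range samples.

```python
import ipaddress
from collections import deque


def per_address_key(addr):
    """Naive key: the literal address (fine for IPv4, defeated by IPv6 rotation)."""
    return str(ipaddress.ip_address(addr))


def per_prefix_key(addr, v6_prefix=64):
    """IPv4 stays per address; IPv6 is collapsed to its /64 (assumed host prefix)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per key.
    Over-limit requests are rejected immediately, never slept on, so the worker
    is free to serve other clients. The dict stands in for a shared store (Redis)."""

    def __init__(self, limit, window, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = {}  # key -> deque of request timestamps still inside the window

    def allow(self, addr, now):
        q = self.hits.setdefault(self.key_fn(addr), deque())
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # drop, do not block
        q.append(now)
        return True


# Constructed sample: one client cycling through ten addresses of a single /64.
ROTATING_V6 = [f"2001:db8:abcd:1234::{i:x}" for i in range(1, 11)]


def allowed_count(key_fn, addrs, limit=3, window=60.0):
    """How many of `addrs` (one request each, one second apart) get through."""
    rl = RateLimiter(limit, window, key_fn)
    return sum(rl.allow(a, now=1000.0 + i) for i, a in enumerate(addrs))


if __name__ == "__main__":
    print("per-address key:", allowed_count(per_address_key, ROTATING_V6))  # 10
    print("per-/64 key:    ", allowed_count(per_prefix_key, ROTATING_V6))   # 3
```

With per-address keying every rotated address gets a fresh bucket, so the limit of 3 is never reached; keying on the /64 puts all ten requests in one bucket.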

I think the tradeoff between "bandwidth needed to send a long password" and "time the server needs to compute the hash" can be modified to the attacker's advantage by using compression. If compression is possible at the TLS layer (which it shouldn't be anyway, CRIME is a thing), this is very easy, but depending on the way the password is transferred to the server, you may be able to use HTTP compression.

vincviertytaccount