100 hours of reviewing the source code - Bounty vlog #3 - Elastic

9,769 views

Bug Bounty Reports Explained


1 day ago

📋 Check out my notes from Elastic: bbre.dev/elastic
📧 Subscribe to BBRE Premium: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on twitter: bbre.dev/tw
This video is about my bug bounty journey. This time, I challenged myself to spend 100 hours on HackerOne's public bug bounty program: Elasticsearch.
🖥 Get $100 in credits for Digital Ocean: bbre.dev/do
Timestamps:
00:00 Intro
00:27 How much time did I spend on setup?
01:24 Path traversal in Datafeeds
04:33 Potential SSRF in package file proxying
05:26 Enterprise search and JRuby
07:25 Badly written regexes in JavaScript
08:48 Functionality DoS
10:41 Finding a duplicate
11:15 Reversing patches and writing plugins
13:12 Finally, finding a valid bug
14:39 Lessons learned

Comments: 25
@BugBountyReportsExplained 2 years ago
Welcome to the comment section. I hope you enjoyed the video! If you want to check out my notes, go to bbre.dev/elastic
@_CryptoCat 2 years ago
Another great video and props for sharing the notes! If somebody reviews them and finds a bug you missed, it would be really cool to see 🙂
@BugBountyReportsExplained 2 years ago
I'd hate it and love it at the same time 😂
@ssfdf7751 2 years ago
Like before watching the video!
@GaurangTandon 1 year ago
Thanks for making this honest and comprehensive description of what a bounty hunting journey looks like. Please do make more of these. Even the descriptions of failed bounty attempts are very interesting and teach a lot to a beginner like me.
@crusader_ 2 years ago
Thanks so much. Loved it.
@Mohsinkhan-bh7py 2 years ago
Learned a lot today, brother :)
@0xsudip892 2 years ago
Thank you sir. Keep it up :)
@ahmadshami5847 2 years ago
Pretty cool video 👌👌 Showing the struggles and the pain involved in such work really sheds light on the problems that actually discourage a lot of people. I personally am expecting to struggle a lot, but that video actually motivates me more to start; no pain, no gain. Thanks for being honest about your experience and showing everyone the hard truth of the industry, and as always great job man 👌👌
@BugBountyReportsExplained 2 years ago
Thanks for appreciating that!
@farcryman1 2 years ago
Great video 👍
@OthmanAlikhan 1 year ago
Thanks for the video =)
@fallenangel5265 2 years ago
Please do the 100 hours challenge again.
@Dodo-rb4zf 2 years ago
bug bounty: working for a month, getting paid for a week, no recognition, NDA trap
@sebastianchmielewski6281 2 years ago
no risk, no fun
@ZarakKhanNiazi 2 years ago
I love it how you say "Enjoy". I wanna make a one-hour auto-repeat video of you saying "Enjoy" haha.. I don't know, I enjoy it too much.
@BugBountyReportsExplained 2 years ago
Haha, what can I say: enjoy my enjoy.
@ZarakKhanNiazi 2 years ago
@BugBountyReportsExplained yeah :)
@medhasni6432 1 year ago
Hey sir, smart contract testing or web app testing? Like, where would the bugs and the rewards exist more?
@cheesaskris6161 2 years ago
Does it work on linux?
@utensilapparatus8692 2 years ago
I wouldn't recommend wormhole or pip/npm installer (package.json [dependencies]) 🎃
@jpierce2l33t 2 years ago
Wow no wonder it's a struggle getting into bug bounty, when you've got dudes like that out here just casually banging out decompilers for obscure languages just to audit the source 🤦‍♂️🤣
@exoooooooo 2 years ago
Not every hunting process is like that; this dude just wants to look cool by reviewing code and expects a huge bounty from a low severity bug.
@dennismunyaka6537 2 years ago
4 months at 584 just isn't worth the effort. Bounties are a love-hate relationship.
@muhammaddaniyal8637 2 years ago
Hi, can you please make a video on an ethical hacking career roadmap, or also mention some free resources?