I hope you enjoyed the video! If you want to learn even more with me, go to bbre.dev/premium
@criticalthinkingpodcast
11 months ago
Thanks for the shout-out and congrats on the great bug!
@BugBountyReportsExplained
11 months ago
Thanks for the great podcast!
@animeshacharya7803
11 months ago
Great video! Congrats on the bounty :)
@skytest1247
11 months ago
Clean and clever! I already guessed what you got after reading your bounty tweet! Congrats
@BugBountyReportsExplained
11 months ago
Nice!😏
@rafajanicki2456
11 months ago
Awesome finding Grzegorz, congratulations :) Thank you for sharing all the details as well!
@BugBountyReportsExplained
11 months ago
Thanks!
@_bergee_
11 months ago
Congratulations!!!! I've recently taken a bit of a break from BB, but I plan to get back to it in the autumn.
@BugBountyReportsExplained
11 months ago
Thanks! Come back, come back😏
@renganathanofficial
11 months ago
This is an amazing finding, congrats mate!
@FrankTranDesign
11 months ago
Thank you for this content--it's so eloquent!
@AnkitSingh-gi5zw
11 months ago
Congratulations Greg!
@sven5666
11 months ago
Great explanation. Last third of the video was really valuable and very well explained.
@inderjeetsingh1340
11 months ago
Nice finding!! 🎉
@fabiothebest89lu
6 months ago
Nice video, thanks and congrats for the bounty
@Lainad27
11 months ago
Well done!
@hptech7052
11 months ago
Damnn! Congrats :)
@yuvraj6279
11 months ago
Nice find thanks for sharing bro
@bertrandfossung1216
11 months ago
Congratulations on your bounty. You did great
@stanlyoncm
11 months ago
I can feel that excitement, I feel the same when I catch a big fish!
@duskb1t
11 months ago
Congratulations. This was a really interesting video. Btw, I would recommend that you fix the audio ups and downs between your face cam and the presentation.
@edavidwaner2187
11 months ago
Hey bro, thanks for sharing this video. Now I have one more thing to spend more time on in applications😅 Do not stop ❤
@papkonstantinos6757
11 months ago
Congratulations
@ClashWithHuzefa
11 months ago
Congrats for the bounty bro
@kevinwydler7305
11 months ago
Congrats on the bounty!
@vz7742
11 months ago
Congrats mate, you just got a new sub ;)
@michalk7802
11 months ago
Cool, congrats. Nice video, all the best!
@ДмитрийХимченко-ь4б
11 months ago
Congratulations!🎉
@souraldandothi5681
8 months ago
well explained!
@broomandmopmop
9 months ago
Love your channel bro
@albertcorzo
11 months ago
Awesome information
@camelotenglishtuition6394
11 months ago
Well done dude
@mohittirkey7889
7 months ago
Amazing video. Thank you for the details. Quick question: when you provided the path of the directory in the filename (../), didn't the application perform any check for the file extension?
@BugBountyReportsExplained
6 months ago
Nope, there was no check
@monKeman495
11 months ago
Finally this video happened. I found the pre-signed URLs very interesting. Is the max expiry of a shareable object 12 hr or 7 days? Thank you for sharing
@BugBountyReportsExplained
11 months ago
I didn't actually pay attention to the expiry of the signature
@zbyszggo4626
11 months ago
Good job, mate :)
@BugBountyReportsExplained
11 months ago
Thanks!
@dominicksavio1221
11 months ago
Congratulations nice bug❤
@DEADCODE_
11 months ago
Great, bud
@hackingstudy-g5h
11 months ago
Amazing bug!
@Zizo8182
11 months ago
thanks for sharing
@budhiridholmahfudz5806
11 months ago
Awesome sir👍
@ashiqurrahman275
10 months ago
Thanks
@tomsawyer6247
10 months ago
the fact that they use direct links to images to S3 should be a red flag - GET from S3 is expensive and AFAIK can't handle big scale
@Blank_Chy
11 months ago
God, awesome. 8:50 I've been learning about bug bounty and learning basic web development, SQL and Python since early this year (2023), but I'm still confused about how to report low-impact vulnerabilities. Do you have any suggestions for beginners in bug bounty?
@MaxMode84
11 months ago
Smart guy.
@thatbassplayercam
7 months ago
Great video! I'm interested to know how you replicated the vulnerable server code. Would you be able to share?
@BugBountyReportsExplained
7 months ago
I asked chatgpt how this functionality can be implemented in my target's technology and then asked it to build a small webapp around it
@benasin1724
11 months ago
Congratulations!
@forxstsombodi3043
11 months ago
Like the video, thanks for sharing. The audio levels are a bit weird. Seems like when you toggle between screenshare and face cam there's some difference in the audio. Kinda jumpscared me.
@BugBountyReportsExplained
11 months ago
Yep, sorry for scaring you! I didn't normalise the audio level across different clips and I uploaded it just before leaving and didn't have time to fix it
@SirMarthes
11 months ago
Nice finding! Greetings from mateuszek from h1 :)
@BugBountyReportsExplained
11 months ago
I recognize you from more than one leaderboard ;) I hope we meet at some conference
@a_al_Jahin
9 months ago
Great, and also thanks a lot for the video. Can you please provide the AWS S3 param list PDF file you showed in the video?
@SixMar-c1m
10 months ago
In the third step, where you gave the other account name, was that in the intercept (Burp) or by inspecting the Elements tab in the browser?
@amrelganainy0
11 months ago
Amazing
@nguyenquockhanh3920
7 months ago
At 8:00 I see you mentioned changing max-keys to list all filenames, folders, etc. But somehow, when I tried adding the max-keys parameter I got an error: "The request signature we calculated does not match the signature you provided. Check your key and signing method." Please tell me how to list all filenames and folders using max-keys. Thanks
@BugBountyReportsExplained
7 months ago
Max-keys is only used to control how many elements should be listed
@nguyenquockhanh3920
7 months ago
@BugBountyReportsExplained But the default pre-signed URL method will list a maximum of 1000. How can you list more, as you mentioned in the video? Add any param or any tricks?
@BugBountyReportsExplained
7 months ago
@nguyenquockhanh3920 try adding the param before you sign the URL
@nguyenquockhanh3920
7 months ago
@BugBountyReportsExplained In the case of your report, how did you do it? Did you also try adding this param before signing, and was it successful?
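The "request signature we calculated does not match" error in the thread above is exactly what SigV4 is designed to produce: every query parameter except X-Amz-Signature is part of the canonical request, so a max-keys (or continuation-token) appended to an already-signed URL changes the hash and S3 rejects it. The parameter has to be in the request when the server signs it, as the reply says. The following is an added example, not code from the video, the report or the target: a minimal standard-library SigV4 query-string presigner for an S3 listing request, plus a verifier that re-derives the signature the way S3 would and also enforces X-Amz-Expires. The access key, secret, bucket, region and timestamps are constructed placeholders. Note that S3 caps a single listing page at 1000 keys whatever max-keys says; later pages need continuation-token, which likewise must be present at signing time.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder credentials for the example only; they are not real keys.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE01"
SECRET_KEY = "exampleSecretKey/NotReal/0123456789abcdef"
REGION = "us-east-1"
BUCKET = "example-bucket"  # assumed bucket name
HOST = f"{BUCKET}.s3.{REGION}.amazonaws.com"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str) -> bytes:
    # SigV4 key derivation: AWS4+secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, REGION)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by key, RFC 3986 encoded (only unreserved characters left as-is).
    enc = lambda s: quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(path: str, params: dict, amz_date: str) -> str:
    date_stamp = amz_date[:8]
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        _canonical_query(params),      # every query param except X-Amz-Signature
        f"host:{HOST}\n",
        "host",
        "UNSIGNED-PAYLOAD",            # presigned URLs never sign a body
    ])
    scope = f"{date_stamp}/{REGION}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _signing_key(SECRET_KEY, date_stamp)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(path: str, params: dict, signed_at: datetime, expires: int = 3600) -> str:
    """Build a SigV4 query-string presigned GET URL for `path` with the given query params."""
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    all_params = {
        **params,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(path, all_params, amz_date)
    return f"https://{HOST}{path}?{_canonical_query(all_params)}&X-Amz-Signature={sig}"


def verify(url: str, now: datetime) -> str:
    """Re-derive the signature as S3 does: 'ok', 'signature_mismatch' or 'expired'."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    provided = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    expected = _signature(parts.path, params, amz_date)
    if not hmac.compare_digest(expected, provided):
        return "signature_mismatch"
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return "expired"
    return "ok"


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed signing time
    listing = presign("/", {"list-type": "2"}, t0, expires=3600)
    tampered = listing + "&max-keys=1000"                      # added after signing
    signed_with_max = presign("/", {"list-type": "2", "max-keys": "1000"}, t0, expires=3600)
    t = t0 + timedelta(minutes=5)
    return {
        "original": verify(listing, t),
        "tampered": verify(tampered, t),
        "signed_with_max_keys": verify(signed_with_max, t),
        "after_expiry": verify(listing, t0 + timedelta(seconds=3601)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When testing a target that signs URLs for you, this is why the parameter has to reach the signing code through whatever input the application feeds into it; editing the finished URL can only ever yield the mismatch error.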
@dhirajsoren8428
11 months ago
Cool bug
@__CJ.__
10 months ago
❤
@flashithackerone
7 months ago
@BugBountyReportsExplained Hi bro. Congrats on your bounty! I have one small request. When you try to explain a vulnerability with multiple accounts of a program, please use terms like Account A and Account B instead of "my account" and "another account". It would be much more understandable. Otherwise you are doing amazing. Thanks for the knowledge sharing!
@BugBountyReportsExplained
7 months ago
Do you want to say you had a problem with understanding this server-side path traversal bug just because I used the terms my account and victim's account instead of account A and B?🤔
@flashithackerone
7 months ago
@BugBountyReportsExplained Yes. But not for myself. Some of my friends are also learning from your channel. I cleared a doubt for them this time. It's their request.
@jomynn
7 months ago
Where did you report the bug, to the target website or to Amazon?
@BugBountyReportsExplained
7 months ago
The target; Amazon did nothing wrong here
@ctfs09
10 months ago
If you could list the bucket with ../ as the file name, the bucket seems public. Did you try to list the bucket through aws-cli?
@BugBountyReportsExplained
10 months ago
yes, I think I have
@DeepakKumar-ym1wr
11 months ago
Congrats, keep uploading videos
@expert2570
11 months ago
But didn't it expire after 3600 seconds, due to the X-Amz-Expires parameter?
Comments: 82