Artwork

Content provided by dayzerosec. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by dayzerosec or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!

[bounty] Stealing Secrets with Security Advisories and CorePlague

30:51
 
Share
 

Manage episode 357960243 series 2606557
Content provided by dayzerosec. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by dayzerosec or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

A few varied issues this week, exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/195.html

[00:00:00] Introduction

[00:00:25] Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability

[00:04:26] HubSpot Full Account Takeover in Bug Bounty

[00:12:22] Unauthorized access to organization secrets in GitHub

[00:17:39] CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE

[00:26:37] Firefly: a smart black-box fuzzer for web applications testing

[00:29:27] EJS - Server Side Prototype Pollution gadgets to RCE

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

  continue reading

252 episodes

Artwork
iconShare
 
Manage episode 357960243 series 2606557
Content provided by dayzerosec. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by dayzerosec or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

A few varied issues this week, exploiting an apparently unexploitable CRLF injection, organization secrets exposure in GitHub, and a Jenkins XSS.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/195.html

[00:00:00] Introduction

[00:00:25] Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability

[00:04:26] HubSpot Full Account Takeover in Bug Bounty

[00:12:22] Unauthorized access to organization secrets in GitHub

[00:17:39] CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE

[00:26:37] Firefly: a smart black-box fuzzer for web applications testing

[00:29:27] EJS - Server Side Prototype Pollution gadgets to RCE

The DAY[0] Podcast episodes are streamed live on Twitch twice a week:

-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities

-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.

We are also available on the usual podcast platforms:

-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063

-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt

-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz

-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9

  continue reading

252 episodes

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Quick Reference Guide