Also planning to finally drop those promised threads in the coming weeks: my V8 exploit dev journey, some client-side #bugbountytips, and maybe more depending on what I dig up from my old notes
23.07.2025 09:56
@yu5k3.bsky.social
Doing security research. For fun and profit...
Due to vacation, June (and probably July) don't bring many reports:
- 1 Crit reported;
- 1 Crit 9.9 (@elastic.co fixed the #RCE chain behind my CVE-2025-2135 exploit discuss.elastic.co/t/kibana-7-1... and CVE-2025-25012 discuss.elastic.co/t/kibana-7-1...);
- 1 new Medium closed as Informative.
Looks like now's the right time to finally dive in! The threat model for extensions looks promising for BB. postMessage() alone opens up new attack variations that don't exist in classic client-side apps 💡
Let's see what I can find in this space
2025 YTD #BugBounty stats update, June:
13 issues Reported (5 Crit, 2 High, 6 Medium)
💰 10 issues Paid
⚪ 1 Informative
Late update this time, just came back from vacation and started digging for new targets to research. I've had my eye on browser extensions for a while.
@shaunau.bsky.social If you haven't seen my previous talk about Kibana RCEs (it doesn't cover these ones), you might find it interesting, especially if you're into tricky Prototype Pollution exploits. Check it out youtu.be/H-bhmSwnRdY?...
13.06.2025 11:16
Yeah, many Kibana RCEs I reported are beautiful. They implemented a lot of mitigations I had to bypass. I'd love to share details, but for this bug it's too early. I'm also too lazy for blog posts, usually just drop stuff at conferences. Definitely need to do one more talk on Kibana RCEs.
13.06.2025 11:10
If there's interest, I might write a thread on the resources that I used to dev my own Chrome RCE exploit.
Also, if you have an SSRF in Chrome 134 in a BBP, DM me. It could be a great collab to turn the report into a full RCE 🤝
#bugbounty #infosec #rce #chromium #v8
- Open-source repo = easy diffs for n-days
- Regression tests (if you're lucky) help a lot
- Controlled JS = powerful primitives, e.g., heap & JIT spraying
- V8 sandbox adds that spicy edge 🌶️
I played with Chrome vulns back in Jan, mostly trying to reproduce n-days. In May, I found promising targets and developed an RCE from scratch to reverse shell in Chromium 134.
Low-level exploits are real fun 🔥 and Chromium is an awesome playground for them:
2025 YTD #BugBounty stats update, May:
11 issues Reported (4 Crit, 2 High, 5 Medium)
💰 9 issues Paid
A new month means 2 more RCEs reported
This time I hit Chromium headless browser for the first time in BBPs.
So yeah, I've started thinking about switching back to industry and ending the full-time BB experiment. Don't be surprised if that happens in the next couple of months, it'll just mean the dark side with cookies and performance reviews won this round
13.05.2025 09:59
Hitting my Q1 milestone of earning the same as I would've by signing my last job offer definitely gives me motivation to push even harder. That said, my current efforts haven't led to any big breakthroughs in my BB methodology.
13.05.2025 09:59
Still, it opens up more opportunities that I'm trying to take advantage of. I'm investing time into researching new types of attacks and building out automation.
This is really the kind of life I enjoy: taking risks and being fully responsible for everything that happens!
The first financial goal, reaching income comparable to a full-time IT job, is achieved!
Two RCEs with a bit of "collateral damage" per month has been enough to make it work, though I won't lie, it's way more stressful.
In April, I reported 2 #RCE (consistency), and once again, one of them was classified as Medium. Fine, move on. Many previously reported vulns also got paid this month 💸
I've been doing BB full-time since late last year, so it's a good moment to sum things up.
If I have extra time, I go through old notes and mine a few more, usually with less critical severity. As you can see, some RCEs end up being classified as Medium due to BBP restrictions... but even then, the bounties were not too bad.
13.05.2025 09:59
2025 YTD #BugBounty stats update, April:
9 issues Reported (2 Crit, 2 High, 5 Medium)
💰 8 issues Paid
Switched to monthly updates instead of weekly. Why? I don't drop new vulns every week
My stats from the last months confirm my "capacity": ~2 RCEs per month.
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.9) www.cve.org/CVERecord?id...
07.05.2025 19:19
RCE in Elastic Kibana via Prototype Pollution (CVSS 8.7) 🤔 Curious about the A:N in the vector for the RCE... typo or did I miss something? www.cve.org/CVERecord?id...
07.05.2025 19:19
Unrestricted File Upload in Elastic Kibana (CVSS 5.4). Part of another chain ending in XSS and showing ATO impact. I shared some details at my last DEF CON, but the deep dive is still in the vault. Looks like I've hoarded enough CVEs for the next talk www.cve.org/CVERecord?id...
07.05.2025 19:19
Unrestricted File Upload in Elastic Kibana. Part of the most beautiful and non-trivial chain I've built. I'm excited to get a chance to share the full story in a con talk someday www.cve.org/CVERecord?id...
07.05.2025 19:19
RCE in Elastic Kibana via Prototype Pollution (CVSS 9.1) 🔥 www.cve.org/CVERecord?id...
07.05.2025 19:19
Just noticed @elastic.co shipped a bunch of CVEs for the 0-days I reported. Threading them here for memory and tipping my hat to the Elastic Security Team ❤️ top-tier BBP and meticulous triage. Highly recommended for Bug Hunters
#bugbounty #0day #rce
🫡 2025 YTD #BugBounty stats update, March:
7 issues Reported (2 Crit, 1 High, 4 Medium)
💰 2 issues Paid
Reported 2 RCEs and some "collateral damage" for March. Still investigating new targets and developing my own tools.
I also agree that there are cases where RCE can be an expected issue, e.g. via ffmpeg in an isolated container. My concern is about changing the reported CVSS without any clarification. An RCE can be paid as Medium if it affects a non-priority target (and BBP says it), but this fact does not affect CVSS.
26.02.2025 10:15
I agree. I remember @ajxchapman.bsky.social had an even worse case where an RCE was classified as Low, right? Did you try requesting mediation/support from the platform? Did it help?
25.02.2025 14:39
That's an open source web app in the BB scope of a big corporation. I can't say exactly since it's not fixed yet. Once it's patched, I definitely want to share the details. Let's see how it ends up! Still hoping they're open to discussion and will fix not just the bug but its severity as well
25.02.2025 12:16
- DDay was right: "Finding Bugs is Easy – Finding Scope is Hard." If you haven't read one of the best BB stories yet, go enjoy it: douglas.day/2024/12/13/H...
25.02.2025 11:18
- Time to expand beyond classic web app targets. Need to invest in learning new threat models, technologies, and attack surfaces. Balancing BBPs with learning new things is hard, but gotta keep pushing!
25.02.2025 11:18
Need to figure out how to leverage H1/Bugcrowd/Immunefi APIs to pull new targets for analysis automatically instead of wasting time on it.
25.02.2025 11:18