How not to implement AWS S3 signed URLs? $25,000 bounty

Поделиться
HTML-код
  • Опубликовано: 8 фев 2025

Комментарии • 26

  • @BugBountyReportsExplained
    @BugBountyReportsExplained  3 года назад +1

    Welcome to the comment section! I hope you enjoyed the video.
    Sign up for my mailing list to receive the BBRE newsletter to get the best hacking info delivered right to your inbox: mailing.bugbountyexplained.com/

  • @monKeman495
    @monKeman495 Год назад +1

    Came after your recent finding so here it is all started 😂😂watching again after long time

  • @dhruvkandpal9909
    @dhruvkandpal9909 3 года назад +1

    Love your content and meticulous explanation! 👏🏻👏🏻👏🏻 Keep posting such amazing videos!

  • @test-vf3iv
    @test-vf3iv 3 года назад

    nice video man really enjoyed watching it and a very easy explaination

  • @_DeProgrammer
    @_DeProgrammer 3 года назад

    Love these videos! Thanks.

  • @jaeger809
    @jaeger809 3 года назад

    I hope i can do this. Thanks

  • @ahmadshami5847
    @ahmadshami5847 3 года назад

    my goodness that bug is so cool yet it looks so random. did the hunter mention any thing about luck involved or did he use a certain methodology.

    • @BugBountyReportsExplained
      @BugBountyReportsExplained  3 года назад

      unfortunately this aspect was not mentioned in the blogpost😕 I'd love to hear that too

  • @000t9
    @000t9 3 года назад

    Hello
    Is this vulnerability disclosed 2 years ago as I saw in this video?

    • @BugBountyReportsExplained
      @BugBountyReportsExplained  3 года назад

      yes, but cloud-related topics are only more and more popular

    • @000t9
      @000t9 3 года назад

      @@BugBountyReportsExplained Thank you!

  • @cybersecurity3523
    @cybersecurity3523 3 года назад

    Good bro

  • @tekken-pakistan2718
    @tekken-pakistan2718 3 года назад

    04:04 Thanks!

  • @hamzabettache497
    @hamzabettache497 3 года назад

    any chance with "GET /api/aws/getSignedImageUrl?objectName=316923.jpg&contentType=image%2Fjpeg" ?

    • @BugBountyReportsExplained
      @BugBountyReportsExplained  3 года назад

      yeah, definitely test the objectName parameter. Also, there's a chance for header injection using the contentType param

    • @hamzabettache497
      @hamzabettache497 3 года назад

      @@BugBountyReportsExplained thanks, how to exploit the content type and header ?

    • @BugBountyReportsExplained
      @BugBountyReportsExplained  3 года назад +1

      @@hamzabettache497 use %0d%0a characters. You'll find more by googling CRLF injection

  • @dzakialthalsyah
    @dzakialthalsyah 3 года назад

  • @hamzakhaled1144
    @hamzakhaled1144 2 месяца назад

    dsa

  • @sameersh.5647
    @sameersh.5647 3 года назад

    one day i am gonna hack google because of this guy

  • @pmohan67
    @pmohan67 3 года назад

    I am beginner of bug finding
    How I find bug using tools
    Tell any tool name to finding
    How know the bug is there
    How check the bug status securely
    Make an video about
    How find bug
    How verify it
    How report it
    Pls
    Make an video
    👆
    👆
    👆
    👆

Следующие
Автовоспроизведение
My $20,000 S3 bug that leaked everyone’s attachments - S3 bucket misconfig of pre-signed URLs9:53My $20,000 S3 bug that leaked everyone’s attachments - S3 bucket misconfig of pre-signed URLs
My $20,000 S3 bug that leaked everyone’s attachments - S3 bucket misconfig of pre-signed URLsBug Bounty Reports Explained
Просмотров 26 тыс.
S3 Is A Security Nightmare (Common Exploit Showcase)16:47S3 Is A Security Nightmare (Common Exploit Showcase)
S3 Is A Security Nightmare (Common Exploit Showcase)Theo - t3․gg
Просмотров 57 тыс.
Why should you use S3 presigned URLs? (A full demo included)18:25Why should you use S3 presigned URLs? (A full demo included)
Why should you use S3 presigned URLs? (A full demo included)Enlear Academy
Просмотров 36 тыс.
The Breakfast Club Reacts To Jay-Z’s Attorney Saying Him & Diddy Aren’t Friends + More13:45The Breakfast Club Reacts To Jay-Z’s Attorney Saying Him & Diddy Aren’t Friends + More
The Breakfast Club Reacts To Jay-Z’s Attorney Saying Him & Diddy Aren’t Friends + MoreBreakfast Club Power 105.1 FM
Просмотров 704 тыс.
where i have been.05:45where i have been.
where i have been.Morgan Bailey
Просмотров 109 тыс.
Imagine Dragons - Take Me To The Beach (feat. Ado) (Official Lyric Video)02:48Imagine Dragons - Take Me To The Beach (feat. Ado) (Official Lyric Video)
Imagine Dragons - Take Me To The Beach (feat. Ado) (Official Lyric Video)ImagineDragonsVEVO
Просмотров 2 млн
Victim - Animator vs. Animation 1120:24Victim - Animator vs. Animation 11
Victim - Animator vs. Animation 11Alan Becker
Просмотров 6 млн
$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained11:12$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained
$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports ExplainedBug Bounty Reports Explained
Просмотров 15 тыс.
What functionalities are vulnerable to SSRFs? Case study of 124 bug bounty reports19:58What functionalities are vulnerable to SSRFs? Case study of 124 bug bounty reports
What functionalities are vulnerable to SSRFs? Case study of 124 bug bounty reportsBug Bounty Reports Explained
Просмотров 17 тыс.
Dumping S3 Buckets | Exploiting S3 Bucket Misconfigurations17:35Dumping S3 Buckets | Exploiting S3 Bucket Misconfigurations
Dumping S3 Buckets | Exploiting S3 Bucket MisconfigurationsHackerSploit
Просмотров 39 тыс.
2022-style OAuth account takeover on Facebook - $45,000 bug bounty9:312022-style OAuth account takeover on Facebook - $45,000 bug bounty
2022-style OAuth account takeover on Facebook - $45,000 bug bountyBug Bounty Reports Explained
Просмотров 16 тыс.
Dangerous Hacking Gadgets You Can Still Buy8:38Dangerous Hacking Gadgets You Can Still Buy
Dangerous Hacking Gadgets You Can Still BuyNext Tech
Просмотров 321 тыс.
Updated Beginners Guide to API Bug Bounty30:05Updated Beginners Guide to API Bug Bounty
Updated Beginners Guide to API Bug BountyInsiderPhD
Просмотров 17 тыс.
$16k Stealing secrets.yaml from GitLab using stored XSS - Hackerone bug bounty9:48$16k Stealing secrets.yaml from GitLab using stored XSS - Hackerone bug bounty
$16k Stealing secrets.yaml from GitLab using stored XSS - Hackerone bug bountyBug Bounty Reports Explained
Просмотров 7 тыс.
$20,000 Hackerone data leakage via GraphQL6:33$20,000 Hackerone data leakage via GraphQL
$20,000 Hackerone data leakage via GraphQLBug Bounty Reports Explained
Просмотров 22 тыс.
BUG BOUNTY: HOW TO FIND MISCONFIGURATION IN AWS S3 BUCKET #110:24BUG BOUNTY: HOW TO FIND MISCONFIGURATION IN AWS S3 BUCKET #1
BUG BOUNTY: HOW TO FIND MISCONFIGURATION IN AWS S3 BUCKET #1BePractical
Просмотров 6 тыс.
Avoid The Person Challenge 😱00:49Avoid The Person Challenge 😱
Avoid The Person Challenge 😱Zhong
Просмотров 11 млн
Первый день отдыха в Сочах. Антон Теляков #пранк01:28Первый день отдыха в Сочах. Антон Теляков #пранк
Первый день отдыха в Сочах. Антон Теляков #пранкСклад Телякова
Просмотров 409 тыс.
Secret to sawing daughter in half00:40Secret to sawing daughter in half
Secret to sawing daughter in halfJustin Flom
Просмотров 14 млн
Мой тг: Подвал Стинта #стинт #stint #stintik00:29Мой тг: Подвал Стинта #стинт #stint #stintik
Мой тг: Подвал Стинта #стинт #stint #stintikStintik
Просмотров 143 тыс.
Handshake rating med Spånga P12A🤝 #fotboll2400:20Handshake rating med Spånga P12A🤝 #fotboll24
Handshake rating med Spånga P12A🤝 #fotboll24Fotboll24
Просмотров 3,4 млн
ГРАМОТНЫЙ ЮРИСТ ПОСТАВИЛ БОРЗЫХ ПОЛИЦЕЙСКИХ НА МЕСТО / ПОЛИЦИЯ ЗАДЕРЖАЛА БЛОГЕРА / БЕСПРЕДЕЛ ОХРАНЫ47:24ГРАМОТНЫЙ ЮРИСТ ПОСТАВИЛ БОРЗЫХ ПОЛИЦЕЙСКИХ НА МЕСТО / ПОЛИЦИЯ ЗАДЕРЖАЛА БЛОГЕРА / БЕСПРЕДЕЛ ОХРАНЫ
ГРАМОТНЫЙ ЮРИСТ ПОСТАВИЛ БОРЗЫХ ПОЛИЦЕЙСКИХ НА МЕСТО / ПОЛИЦИЯ ЗАДЕРЖАЛА БЛОГЕРА / БЕСПРЕДЕЛ ОХРАНЫAnatoly Andreevich
Просмотров 63 тыс.
Нашла ли она пропажу?..00:24Нашла ли она пропажу?..
Нашла ли она пропажу?..Новостной Гусь
Просмотров 791 тыс.
Day 1 | IEM Katowice 2025 Playoffs | 🎙КРИВОЙ ЭФИР6:05:50Day 1 | IEM Katowice 2025 Playoffs | 🎙КРИВОЙ ЭФИР
Day 1 | IEM Katowice 2025 Playoffs | 🎙КРИВОЙ ЭФИРSL4M & Counter-Strike
Просмотров 333 тыс.