Welcome to the comment section! First, thanks for watching! Make sure you are subscribed if you liked the video! ruclips.net/user/BugBountyReportsExplained Follow me on twitter: twitter.com/gregxsunday ✉️ Sign up for the mailing list ✉️ mailing.bugbountyexplained.com/ ☕️ Support my channel ☕️ www.buymeacoffee.com/bountyexplained 🖥 Get $100 in credits for Digital Ocean 🖥 m.do.co/c/cc700f81d215
Atleast with NPM you're supposed to use namespaces when installing packages. For example @company/example-package would check within a .npmrc file and check if @company correlates to a pirate registry
The most interesting part is that the way it is set up makes a lot more sense if say you where part of a group of people doing package maintenance who had a dev version on a private server and a public version on the pip repo. Thus, once you had a full update ready, you could update the one in the repo to a higher version than yours and then automatically have everyone on your team update to the consumer version.
Hi, I want to congratulate you on your quality content and just wanted to ask where do you find about all those bounty reports, can you give us some links for some daily reading? Thanks and keep up the awesome work!
Thanks for the video I was lit confused when I read the article on dependency pkg names , thanks to you now I know where to look for . But I won't try it out as I don't know how to retrieve the data from server or write custom malware without a template structure .
@@BugBountyReportsExplained Stuck to at coming up with a POC on an issue i found with a NPM package on a bounty program. Do you mind throwing more light on this? Great video as always!
@@BugBountyReportsExplained Creating a node js preinstall script which will phone home to my server once my malicious package is installed on the victim machine. I am basically trying to capture the same details as explained in your video so i can submit a POC.
@@ppan That's very kind and I feel really appreciated ;) at the moment there's no way to support me. I decided that if I want to receive money from viewers, it will be in exchange for some more content from me - I don't want to receive it just like that. So I'm working on a BBRE premium where I will create more (details soon) for paid subscriptions. It's planned to launch in August ;)
Can i ask you something else? I found on a website an error that says Jade Compiler Exception and contains different informations.Have you ever heard about this?
When for example an automated system installs our package instead of the official one, then the application may crash right? Isn't that a problem, when doing bug bounties? Maybe I misunderstood something, please explain me. (Anyway fantastic video as always:) )
That's a very valid question. That's the risk. However, I hope that most systems will build QA/test/staging environment first and once it fails because of that then the change will not be pushed to the production env, so customers won't be affected.
You will be better off by reading the program rules. If you prove the impact it should be accepted but it's not hard to break something with this vulnerability so watch out.
Hi, thanks for the question. DevOps and pentesting are correlated and knowledge from both areas can help in the other one. There's also a new trend called DevSecOps, where Sec stands for security. For example, such person has to build secure pipeline and integrate security tools in the process. If you are interested in both areas this might be a good direction for you.
Welcome to the comment section!
First, thanks for watching!
Make sure you are subscribed if you liked the video!
ruclips.net/user/BugBountyReportsExplained
Follow me on twitter:
twitter.com/gregxsunday
✉️ Sign up for the mailing list ✉️
mailing.bugbountyexplained.com/
☕️ Support my channel ☕️
www.buymeacoffee.com/bountyexplained
🖥 Get $100 in credits for Digital Ocean 🖥
m.do.co/c/cc700f81d215
Atleast with NPM you're supposed to use namespaces when installing packages. For example @company/example-package would check within a .npmrc file and check if @company correlates to a pirate registry
The most interesting part is that the way it is set up makes a lot more sense if say you where part of a group of people doing package maintenance who had a dev version on a private server and a public version on the pip repo. Thus, once you had a full update ready, you could update the one in the repo to a higher version than yours and then automatically have everyone on your team update to the consumer version.
I was eagerly waiting for the video 😍
There it is! I hope you it met your expectations 😏
So well explained! Very easy to understand. Love it when a new attack vector is found.
Thanks Andrew. I am also soo amazed when it seems like it will be a long time before a new impactful vuln and then someone comes up with that.
Good job bro
Amazing job , like always!
ruclips.net/video/uNSxrWCwUqQ/видео.html
Hi, I want to congratulate you on your quality content and just wanted to ask where do you find about all those bounty reports, can you give us some links for some daily reading? Thanks and keep up the awesome work!
Hi, thanks for your comment. I usually find all reports on intigriti's bug bytes newsletter. There should be a few hours of good reading there ;)
Thanks for the video I was lit confused when I read the article on dependency pkg names , thanks to you now I know where to look for . But I won't try it out as I don't know how to retrieve the data from server or write custom malware without a template structure .
I think malware is an overstatement for a script that gets username, hostname and path back to your dns server. It's not that hard
@@BugBountyReportsExplained Stuck to at coming up with a POC on an issue i found with a NPM package on a bounty program. Do you mind throwing more light on this? Great video as always!
what exactly are you stuck with?
@@BugBountyReportsExplained Creating a node js preinstall script which will phone home to my server once my malicious package is installed on the victim machine. I am basically trying to capture the same details as explained in your video so i can submit a POC.
@@mase289 ok, dm me on twitter
I discovered this channel recently. You explain things very easly!
great content, keep up the good work.
thanks mate, I will!
Can you make a video how to find this vulnerability
You sir are my favorite youtuber, no BS no Drama only pure 'Gem' :)
thank you a lot vishaesh!
@@BugBountyReportsExplained I was unable to visit www.buymeacoffee.com/bountyexplained, is there another way to support you? :)
@@ppan That's very kind and I feel really appreciated ;) at the moment there's no way to support me. I decided that if I want to receive money from viewers, it will be in exchange for some more content from me - I don't want to receive it just like that. So I'm working on a BBRE premium where I will create more (details soon) for paid subscriptions. It's planned to launch in August ;)
@@BugBountyReportsExplained sounds sincere and great! I look forward to it :)
Thanks for the video. Nice explanation.
Can i ask you something else?
I found on a website an error that says Jade Compiler Exception and contains different informations.Have you ever heard about this?
jade is template engine for npm. You can try to trigger server-side template injection.
Well explain thanks bro
ruclips.net/video/uNSxrWCwUqQ/видео.html
Thanks man
When for example an automated system installs our package instead of the official one, then the application may crash right? Isn't that a problem, when doing bug bounties? Maybe I misunderstood something, please explain me. (Anyway fantastic video as always:) )
That's a very valid question. That's the risk. However, I hope that most systems will build QA/test/staging environment first and once it fails because of that then the change will not be pushed to the production env, so customers won't be affected.
Can i make you a question?Do you know if cisco gives any bounty or certificate,if you find bug?Thanks!!
you should email psirt@cisco.com
Cisco has wide-used solutions so you might even get a CVE
@@BugBountyReportsExplained Do you know if they are giving CVE for exposed log files?Thanks!!
@@theologos3705 I dont know, but I think you should report it anyway
If i report this time dependency confusion bug will it get accepted?
You will be better off by reading the program rules. If you prove the impact it should be accepted but it's not hard to break something with this vulnerability so watch out.
@@BugBountyReportsExplained can you maybe give me a scirpt to show the impact?
Mr. Author, I have a one question
Is DevOps a good main job to learn pentest as a hobby?
P.s.
The video is amazing
Hi, thanks for the question. DevOps and pentesting are correlated and knowledge from both areas can help in the other one. There's also a new trend called DevSecOps, where Sec stands for security. For example, such person has to build secure pipeline and integrate security tools in the process. If you are interested in both areas this might be a good direction for you.
@@BugBountyReportsExplained Thanks for the answer
Super.
appreciated
Sir how can i start bug bounty ?
Expecting a detail answer
Start with Portswigger's websec academy and then go hack
nice 😲
🔥🔥🔥🔥
😮😮
❤️
Very happy 😍💋 💝💖♥️❤️
ruclips.net/video/uNSxrWCwUqQ/видео.html