Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Vibecoding my way to a crit on Github

Furbreeze, posted 4 months ago
  • The author of this post had found a vulnerability in GitHub previously. They decided to conduct a scan for Dependency Confusion issues on GitLab and GitHub. While looking at package.json, they didn't find anything.
  • Their next step was to check Ruby dependencies on GitHub Enterprise, which is an open-source platform. They thought this was a good target because A) GitHub Enterprise isn't well-known to be open source, and B) dependency confusion in Ruby is less well-known. They noticed over 100 packages that were unregistered externally! So, they created a Ruby Gem for all of these that exfiltrated data via DNS to prove impact.
  • After waiting a bit, they had about 2K callbacks within a 24-hour window of submitting the vulnerability. This allowed them to execute code in several locations, including buildkitsandbox, vscode, and several others. After reporting the vulnerability, they were asked to take down the malicious gems to prevent further impact of the issue.
  • The author claims that they had access to the domain, which was used for the build process and dev code workspaces. They were awarded $20K but thought it was going to be more. To give them credit, they stopped executing further payloads and didn't try to pivot at all. Based on this, they believe the payout should have been higher than the minimum payout for a critical. GitHub is known to have a good bug bounty program, so it's hard to say who is right/wrong here.
  • A good write-up with sound guidance on the discovery process! I thoroughly enjoyed the blog post!
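The Ruby dependency-confusion pattern summarised above, seen from the defender's side, as an added example that is not code from the original post: it walks a Gemfile and reports internal gem names that Bundler would resolve from the public registry because they are not pinned to a private source. The Gemfile text, the internal gem inventory and the gems.example.internal host are constructed.

```ruby
# Added example: audit a Gemfile for internal gem names that fall through to the
# public source. Bundler fetches a gem from the global `source` unless the gem is
# declared inside a `source "..." do ... end` block or with an inline `source:`.
# Inventory and Gemfile below are constructed for the example.
INTERNAL_GEMS = %w[acme-auth acme-billing acme-telemetry].freeze

SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 7.1"
  gem "acme-auth"                      # internal name, no private source: risky
  gem "acme-billing", source: "https://gems.example.internal"

  source "https://gems.example.internal" do
    gem "acme-telemetry"               # scoped to the private source: fine
  end
GEMFILE

# Returns [gem_name, source_url] pairs, attributing each gem to the source
# Bundler would actually use. Only `source` blocks are tracked (no `group`).
def gem_sources(gemfile_text)
  default_source = nil
  stack = []
  pairs = []
  gemfile_text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    if (m = line.match(/\Asource\s+["']([^"']+)["']\s+do\z/))
      stack.push(m[1])
    elsif (m = line.match(/\Asource\s+["']([^"']+)["']\z/))
      default_source = m[1]
    elsif line == "end"
      stack.pop
    elsif (m = line.match(/\Agem\s+["']([^"']+)["'](.*)\z/))
      inline = m[2].match(/source:\s*["']([^"']+)["']/)
      pairs << [m[1], inline ? inline[1] : (stack.last || default_source)]
    end
  end
  pairs
end

# The finding: internal names that would be fetched from a public host.
def confusable_gems(gemfile_text, internal = INTERNAL_GEMS, public_hosts = ["rubygems.org"])
  gem_sources(gemfile_text).select do |name, src|
    internal.include?(name) && public_hosts.any? { |h| src.to_s.include?(h) }
  end.map(&:first)
end

puts confusable_gems(SAMPLE_GEMFILE).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real Gemfile by replacing SAMPLE_GEMFILE with `File.read("Gemfile")` and INTERNAL_GEMS with the names your private registry serves.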