Overview
Explore a comprehensive conference talk detailing the discovery, exploitation, and impact of CVE-2020-13379, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Grafana. Dive into the methodology for identifying security vulnerabilities in open-source software, focusing on goal-setting, pinpointing areas of interest, and persistence in research. Witness a live demonstration of the bug, including a working Proof of Concept (PoC) and an exploitation kit, while learning about escalation techniques and the implications for companies with Grafana instances in DMZs or internal networks. Gain insights into the bug reporting process across different vendors, the challenges and rewards of mass-exploitation in bug bounty programs, and the value of collaboration within the hacking community. This 30-minute presentation from h@cktivitycon 2020 offers a deep dive into a critical vulnerability that affected thousands of companies, providing valuable lessons for both offensive and defensive security professionals.
Syllabus
h@cktivitycon 2020: Graphing Out Internal Networks with CVE-2020-13379 (Unauthed Grafana SSRF)
Taught by
HackerOne