Search across a half million git repos. Search by regular expression. (Great for exploring code for exploitation)

In this video we perform a code audit of Api6 and discover a default configuration that can be escalated to remote code execution. CVE-2022-24112: https://seclists.org/oss-sec/2022/q1/133 GitLab: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/ Challenge files: https://github.com/chaitin/Real-World-CTF-4th-Challenge-Attachments/tree/master/API6 Chapters: 00:00 - Intro 01:09 - Initial Application Overview 02:15 - Discussing Approaches 03:56 - Reading Documentation 04:57 - Initial Attack Idea 06:15 - Identifying Attack Surface 08:46 - Discovering Batch Requests 09:18 - Bypassing X-Real-IP Header 10:15 - Testing the Exploit 11:11 - Reporting the Issue 12:16 - Outro -=[ ❤️ Support ]=- → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join -=[ 🐕 Social ]=- → Twitter: https://twitter.com/LiveOverflow/ → Instagram: https://instagram.com/LiveOverflow/ → Blog: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/