DevSec Selection #10 – Mandiant Snowflake Research, 10 Years of GitHub BugBounty

June 21, 2024


The weekend is coming and I have a couple of articles worth to read. In the articles you will find Mandiant research on recent attacks targeting Snowflake instances which is great for both technical and less technical readers, it may help you to understand recent breaches at Santander and Ticketmaster. If you’re building a Bug Bounty program, you might be interested in the blogpost shared by GitHub briefly summarising their last 10 years running a Bug Bounty.

You will also find a more technical articles presenting code injection vulnerability exploited via payload in an email address, file read vulnerability in popular Python framework leading to steal secrets from HuggingFace and some details about a recent CVE affecting PHP and XAMPP deployments. Also, I released 4th part of Web API Security Champion describing a case study of an Unrestricted Resource Consumption in a password reset feature,

If you’re a beginner ethical hacker or a web application security enthusiast, it might be worth to check “Guide to Effective Web Application Penetration Testing” and “Extending Burp Suite for fun and profit”.

Have a great weekend!


Presenting a case study of an Unrestricted Resource Consumption vulnerability class in a password reset feature. The article shows potential attacks against password reset features leading to high costs of text messages sent with a reset code. As usual, you will find there Python code, vulnerable code example, fixes and recommendations.

This brief article presents 10 key moments from the first decade of the GitHub Security Bug Bounty program, highlighting growth and milestones. Key points include program launch in 2014, payouts increase in 2017, legal safe harbor policy in 2018, scope expansion in 2019, and more. The article also covers the launch of the Bug Bounty swag store in 2022, the highest single reward in 2023, and community engagement efforts in 2023. Looking ahead, the focus is on improving processes, transparency, and program expansion.

Mandiant identified threat actor UNC5537 targeting Snowflake customer instances for data theft and extortion, compromising accounts via stolen credentials. Nearly 165 organizations notified, vast credential exposure since 2020, lack of multi-factor authentication and network allow lists contributed to successful compromises. UNC5537 operated under various aliases and likely to target more SaaS platforms. Urgent need for credential monitoring, MFA, and secure authentication highlighted.

This great article presents a deep dive into CI/CD pipeline vulnerabilities, focusing on Artifact Poisoning and Code Injection. It guides how to protect pipelines from exploits like modifying shell scripts and injecting malicious code. It emphasizes the importance of awareness and using tools to detect vulnerabilities, suggesting setting up a separate Security Gate pipeline for vulnerability checks.

This technical article presents a case study on exploiting the flexibility of email addresses for OS command injection.

Presents how to extend Burp Suite for adding context menu items like ‘Encrypt’ and ‘Decrypt’. It guides on handling encrypted content, decrypting it, and re-encrypting it, with code examples. The tutorial explains the plugin development steps and the implementation logic in detail.

This article explains how penetration testing helps identify and exploit system vulnerabilities. It guides readers on effective web application penetration testing to enhance cybersecurity and prevent potential cyber attacks.

This technical article presents a couple of vulnerabilities affecting Hugging Face, being more specific – software that they utilise.

A critical vulnerability in PHP, tracked as CVE 2024-4577, allows for remote code execution on Windows servers. Exploiting the bug involves bypassing previous protections, impacting PHP CGI mode specifically. The issue originates from the Best Fit feature in Windows, enabling attackers to inject malicious commands. XAMPP for Windows is vulnerable by default. Mitigations include applying rewrite rules or disabling PHP CGI. Check your PHP server for exposure.

Active exploitation of Linux kernel privilege escalation vulnerability CVE 2024-1086 observed. The flaw in netfilter component allows local privilege escalation. Security researcher disclosed exploit in March. CrowdStrike detected exploit attempts in April. CISA includes CVE in known exploited vulnerabilities.

Interesting Article?

Join DevSec Selection!

DevSec Selection is a bi-weekly Newsletter with the latest outstanding articles related with DevSecOps and application security.

Notify of
Inline Feedbacks
View all comments