Bounty hunter: I found your code is written in C company: Thanks, that was a security risk

It's not a bug, it's a feature!

Regarding the ssh auth: I think a more realistic use case is when you have multiple users and you don't trust them to all create a secure password. In this case key auth is better than any secure password policy

3:55 - "so you type `useradd`" (types `adduser`) - the "which way does the USB connector go?" of the command line :)

lesson is: dont report open redirects until you have something to chain them with

Understanding RISC requires even more knowledge about how computers work

For any practitioners out there who are still confused, security risk is a way to measure your overall exposure to some sort of security event or circumstance. It's most commonly a function of likelihood the event will materialize and, if it does, what the impact will be. How orgs do this varies quite a bit, and how elaborate you get depends. A good risk analysis weighs a combination of everything from which vulns exist that could be used to materialize the risk event, who your adversaries are, etc. Check out NIST 800-30 for an overview of the basic risk concepts. Vulnerabilities on the other hand are weaknesses (technical, procedural, human, or otherwise) that could be exploited. Putting it all together, one risk a healthcare org might have is compromise of an RDS instance containing patient health information. When assessing the risk, you'd take into account what data are stored there, what the response cost would be, what the loss of reputation in your industry would be, breach notification costs, etc. You'd also weight that against any vulnerabilities. For example, one vulnerability might be that the RDS instance is open to the public internet. In this case, the vulnerability would shift your likelihood calculations; if the RDS instance is exposed like that, it's very likely to be identified and targeted. In most real world applications though, risk is not assessed just based on how likely an adversary is to be successful. Our risk models, for example, account for everything from what would be exposed, how we'd have to respond, how regulators would get involved, etc.

"I'm luckily not into bug bounties" I felt it 😂

they way he said "I'm luckily not into bug bounties" explains everything 😂

I manage the Bug Bounty program in the company I work for. Our rule of thumb as to if something is valid as for bounty or not is whether the reported issue will lead to us fixing the issue or not. If it will lead us to fixing the issue, its a valid for bounty. It doesn’t really matter if its a vulnerability or a risk. If its risk its sometimes harder to get R&D onboard to fix/prioritize the issue, but that’s another problem

I always regard open redirects as a pretty minor vulnerability if at all, and certainly agree that it is usually just a case of "makes other things worse". But I do think it makes sense to also use them as a warning - more than a canary but a reason to look for more.

Let me add real borderline example. Putting a corp Domain Controller on the public internet, RDP accessible, no other mitigations. Clearly a risk but not a vulnerability. As of today* there are no public vulnerabilities in RDP that would allow takeover. If all your passwords are strong you should be fine. However in terms of "real security", this will get you hacked. Either 1) someone in the company will have a weak/reused password or 2) a vulnerability will be discovered in RDP and you will have literally minutes to patch before it is exploited. This is a risk so severe I no longer care if there is a distinction between risk and vulnerability. Also, thanks for the video. It helped me get my mental models of risk/vuln clearer.

Interesting distinction. Perhaps a better example would be: SQLi is a vulnerability, not having a WAF is a risk.

Great view, I think that nowadays a huge challenge is to look at a context and get the risk at all and not a piece isolated (vulnerability), the impact is more important than the vuln. About the bounties… it’s complicated when the result of your job is (sometimes) subjective…

The point is that not every vulnerability is a security risk. Just like you don't invest in a 15'000$ door lock in your house where you keep things that in total may be worthy of 500$, there is just no significant risk in that.

3:43 this has actually happened to me. "test" as a password. Got myself a crypto miner and then decided to never leave pw auth on because I can't trust myself to always think about that risk when making a purely-for-research user on a development box.

interesting, at my university we definitely learnt to consider security by risk rather than absolute vulnerabilities, now I understand why I disagreed with your server hardening video so much!

Simple answer: A vulnerability is a security bug that allows a potential attacker to gain access to a system. Complicated answer: A vulnerability is caused by a logical error that requires a certain mindset to fully understand the security bug. The most common and yet most dangerous is a vulnerability that allows for (arbitrary code execution) things that allow this can vary between programming languages in C language you have bugs that allow ACE by buffer overflow, dangling pointers and etc... these vulnerabilities are classified as memory violations. There are also input vulns if not sanitized correctly that allow for injection attacks like code injection, XSS, format strings and etc... Conclusion: a vuln is common sense imagine if you were under attack by a man but you have not fighting skill everything has a weak point the eyes, groin, joints and etc... computers are the same just find the function that allows for ACE or input errors and I recommend looking up vulnerable functions in the programing language you work with and try to understand it at the logical level. Hint computers are dumb they need the users input just to function so if you want to discover a vuln just think like a computer on how it executes functions at the literal sense. Good luck and have fun bug hunting

Too, that conclusion was super smooth!

Vulnerability = Security weakness(es) that could be exploited by any threat actor, e.g. lack of rate-limit in OTP form, improper input validation, failure to invalidate session after logout, etc. Threat = An entity or situation which took advantage of exploitable vulnerability intentionally/unintentionally to produce risk, e.g. Hacker, Malware, Natural disasters, Non-vigilant employee, etc. Risk = Potential damage or impact if attacker successfully exploit the vulnerability to compromise the system, e.g. reputation loss, data breach, identity theft, etc. Risk = Threat * Vulnerability

Love these verses videos. Keep them coming. 🤝👨‍💻

There was an open redirect used as a part of a chain in one of Google's desktop apps that ran on Electron, which lead to the window loading a user-controlled URL and (likely because of security features that were disabled by default) it could use `require`, i.e. leading to an RCE.

I have a slightly different viewpoint: on a server where creation of accounts with weak password could be expected, ssh password login is a vulnerability.

Love this security absolutism thingy!

Finally another masterpiece!

this new style of video is really cool 👍👍

A improvement tipp for your lightning: Put a rim light behind you.

People are reporting things, but couldn't exploit but asking for $$. However, all vulnerabilities are security risk and risk can be answered by accept, mitigate, avoid, or transfered. If vuln are found to be exploitable, they should be paying depending on the impact x asset value.

I have watched you for so long that you feel like family lol.

Sehr gutes Video :)

what an insightful video, love it

It's like having a shitty lock on my front door is a vulnerability, whereas leaving it unlocked anyways is a risk. However, change that context to be an interior door, and it's no longer either because it doesn't matter for the general use case.

Nice vid!

Don’t use password instead use authentication key.

Looks like we’re early

Holy shit, this guy does videos with cameras nowadays huh

Like always, genius 😎

@LiveOverflow A great explanation. another commonly use terms but understanding and definition is subjective in bug bounty / VR is "exploitable vulnerability" and "non-exploitable vulnerability". Would love to hear your thoughts on this. Some people label exploitable vulnerability that is having exploit that immediately compromise system or gain system access. While some people label it as having a way exploiting vulnerability even when does not immediate compromise system Just a suggestion of examples that draw lines between the definition. Web example would be "information disclosure vulnerability that leaks username which can further allows user enumeration." Another example in the case of exploitable and non-exploitable vulnerability situation would be in binary vulnerability. As this might be sightly different definition from web example.

Yeah that's a way for companies to get away with not paying bounties a company did that to me but not in that way. They just said I was gonna be arrested if I asked for the bounty they promised

Awesome one

Thanks 😁

After watching this, I perceived the Risk as something that may or may not lead to an insecure system depending upon the cases scenario; while the Vulnerability, if it is exploitable, it can be exploited in each cases. Does it right ? Or is my understanding not clear yet ?

Perfect video doesn't exi.... oh wait

lol this happend to me with youtube , injection xss

I reported to the PicsArt but it was closed my report as not applicable and after some times fixed the vulnerability in their latest version in the playstore 🤬🤬🤬🤬😡😡😠😠

Why don't you call weakness a security risk? CWE exists exactly for this

It's not a bug it's a feature

Ok I'm going to state something that is logically factual. Most people disagree. They are wrong. For both C and C++: ANY "potential" nullptr dereference, by definition, CAN be a nullptr dereference. If it happens: that is a vulnerability, not a risk. That is: you do NOT need any actual exploit. Why? Because whatever the code compiles to is NOT a program. It has no defined behavior. It can do exactly what you want, nothing, or anything. What it cannot do is: produce any deterministic output. Again, most people disagree. It's irrelevant. Here is my best attempt at a metaphore: (Best as in: I can't be bothered to do better) Would you get in a car which can cease to exist at any moment, isn't required to move, doesn't follow the laws of physics, and can make your cat pregnant. You can keep calling it what you want, but it doesn't fit the definition of a car anymore. Now if you agree: please prove it because I'm getting sick of fixing the same bug every week.

Who the f disliked his video?

Vanten thala

If I ever go into a bug bounty program it wouldn't go well for the business who runs it.... I can get very legal very quickly if I want to...

Threat + Vulnerability = Risk

MR. BEAST

Hello!

#DEJAVU this same scenario happened to me today by tomato > i reported them and they rejected saying it's not applicable and then few minutes later i saw that bug was fixed

It's not a vuln it's a feature

So simple and fast Vuln : a payload that when exec can access sth not be accessed (%100) risk : can help to exploit the target with x% y% chance

nth

2⁴th lol

1st

If you have a bug bounty program and don't pay out for something that you found risky and fixed, then you are acting in incredibly bad faith. Shame on you.

First

FIRST

Sehr gutes Video :)