CVE-2020-13379

Unauthenticated Full-Read SSRF in Grafana

While doing some security research on Grafana for bug bounty, I discovered that by chaining together some redirects and a URL Parameter Injection bug, it is possible to achieve a full-read, unauthenticated, SSRF on any Grafana instance ranging from version 3.0.1 - 7.0.1. The Grafana advisory for this bug can... [Read More]

Beginners Resources

Where to get started in bug bounty

One of the questions I get all the time is How do I get started in bug bounty? While I really enjoy teaching and mentoring, it is not possible for me to provide tailored guidance for each and every one of you. I will gladly point you in the right... [Read More]