Exploiting the Unexploitable Insights from the Kibana Bug Bounty
Mikhail Shcherbakov
DEF CON 32 Main Stage · Day 1 · Main Stage
In this insightful talk from DEF CON 32, Mikhail Shcherbakov, a seasoned bug bounty hunter and PhD student, shares captivating stories from his extensive participation in the Kibana bug bounty program. Shcherbakov's presentation, "Exploiting the Unexploitable Insights from the Kibana Bug Bounty," focuses specifically on his discoveries of **remote code execution (RCE)** vulnerabilities within Kibana, a critical component of the popular ELK stack. The talk delves into the intricacies of identifying and exploiting these high-impact flaws, offering a deep dive into the technical bypasses and the defensive implications for organizations leveraging Kibana.
AI review
Dr. Shcherbakov's deep dive into Kibana RCEs from his bug bounty exploits is precisely the kind of substantive research this conference needs. He meticulously dissects a critical Node.js sandbox bypass within Synthetic Monitoring, demonstrating how `process.mainModule.require` can turn a seemingly benign scripting feature into a full system compromise. This isn't just theory; it's a real-world, high-impact vulnerability discovery, complete with actionable defensive implications, making it an essential watch for anyone serious about Node.js security or ELK stack defense.