Top 25 RCE Bug Bounty Reports

What is RCE?

Types of RCE

  1. Blind RCE: The output of the executed command/code is not displayed in the response. A common way to validate a Blind Remote Code Execution is to execute the sleep command and check whether the application actually delays its response for the specified time. A reverse shell would also prove it, but that will probably violate the bug bounty program's policy, because companies dislike someone operating inside their network/systems where confidential data resides.
  2. Generic RCE: The output of the executed command/code is returned in the response. An echo or whoami command is enough to validate this type of Remote Code Execution.
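From the defender's side, the two validation styles above leave distinct traces: a time-based probe carries a shell metacharacter plus sleep, an output-based probe carries a metacharacter plus whoami/id/echo. The detector below is an added example (not from the original article) that scans constructed web-server access-log lines, decodes each query parameter and classifies it as a blind-style or generic-style command-injection probe. The log lines, the /ping and /search endpoints and the IP addresses are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic); endpoints and
# addresses are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /ping?host=example.com HTTP/1.1" 200 120
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /ping?host=example.com%3Bsleep%2010 HTTP/1.1" 200 118
10.0.0.9 - - [10/Jan/2024:10:00:31 +0000] "GET /ping?host=example.com%7Cwhoami HTTP/1.1" 200 131
10.0.0.9 - - [10/Jan/2024:10:00:40 +0000] "GET /ping?host=%60id%60 HTTP/1.1" 500 44
10.0.0.7 - - [10/Jan/2024:10:01:02 +0000] "GET /search?q=sleep%20well HTTP/1.1" 200 900
"""

# Common log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Shell metacharacters that let a second command ride along with the intended one.
META_RE = re.compile(r'[;|&`$\n]')
# Time-based validation commands (blind RCE) and output-based ones (generic RCE).
BLIND_RE = re.compile(r'\b(sleep|timeout)\b')
OUTPUT_RE = re.compile(r'\b(whoami|id|echo|uname)\b')


def classify_value(value):
    """Classify one decoded parameter value.

    Returns None when no shell metacharacter is present (a plain "sleep well"
    search term is benign), otherwise "blind", "generic" or "metachar".
    """
    if not META_RE.search(value):
        return None
    if BLIND_RE.search(value):
        return "blind"
    if OUTPUT_RE.search(value):
        return "generic"
    return "metachar"


def scan_log(text):
    """Return one finding per suspicious parameter value in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        # parse_qs percent-decodes values, so %3B becomes ';' before matching.
        for name, values in parse_qs(query).items():
            for value in values:
                kind = classify_value(value)
                if kind:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "param": name, "value": value, "kind": kind})
    return findings


def count_by_ip(findings):
    """Aggregate findings per client address, useful for alert thresholds."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['param']}={f['value']!r} -> {f['kind']}")
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

The metacharacter requirement is what keeps the false-positive rate down: the word sleep on its own is ordinary user text, while sleep after a ; or | inside a parameter has no legitimate reason to be there. In production the same logic would run over the request parameters the application itself logs, not only the URL query.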

How to find an RCE in a Bug Bounty Program

  • Direct Execution: the command/code is executed directly as part of the user-supplied input. To find a Direct Remote Code Execution, test every user input: URL parameter values, header values and any other mechanism that is used to execute commands on the back-end.
  • Indirect Execution: data that resides on an external source is used to execute a command/code. To test for an Indirect Remote Code Execution, check the code or data in files that are used to execute back-end commands, check the upload functions, environment variables and so on.
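The Direct Execution case is easiest to see in code. The following added example (not from the original article) shows a hypothetical "host lookup" handler in two forms: one that splices the user-supplied value into a shell command string, which is exactly the pattern that yields a Generic RCE, and a hardened form that validates the value against a strict allow-list and passes it as a single argv element so that no shell ever parses it. The echo command stands in for a real network tool so the example runs offline.

```python
import re
import subprocess

# Allow-list for a hostname: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r'[A-Za-z0-9.-]{1,253}')


def vulnerable_lookup(host):
    """VULNERABLE: user input becomes part of a shell command string.

    With shell=True the string is handed to /bin/sh, so a ';' or '|' in
    `host` ends the intended command and starts another one.
    """
    cmd = "echo resolving " + host          # direct execution of user input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_hostname(host):
    """True when the value matches the allow-list exactly (no metacharacters)."""
    return HOSTNAME_RE.fullmatch(host) is not None


def hardened_lookup(host):
    """HARDENED: reject anything outside the allow-list, then pass the value
    as one argv element. Without a shell, ';' would be a literal character
    even if it slipped past validation."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed test value: a benign second command to show the split.
    payload = "example.com; echo INJECTED"
    print(vulnerable_lookup(payload))       # second line shows the injection
    print(hardened_lookup("example.com"))
    try:
        hardened_lookup(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Both defenses matter: the allow-list stops the bad value at the boundary, and the argv list removes the shell that would have interpreted it. Relying on only one of them is how escaping mistakes turn into an RCE report.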

Top 25 RCE Bug Bounty Reports

Bonus: 10 Zero Dollars RCE Reports

Cristian Cornea

🇷🇴 Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter and InfoSec Writer | OSEP | OSWE | OSCP | CEH | CPTC | PenTest+ | eWPT | ECIH