Analyze a security patch (diff) to understand the vulnerability, recreate the exploit, and hunt for bypasses (variants).
The "Compare" View:
https://github.com/elastic/kibana/compare/v8.10.0...v8.10.1
Use this to see everything changed between two minor versions.
- Search Closed PRs with keywords:
security,fix,cve,sanitize,escape,harden. - Look for "Obscure" commit messages like "update logic" or "fix handling" merged right before a release.
- If you know the vulnerable file (from a CVE description), use
git blameor the File History to find the most recent change.
Clone the repo locally for speed.
# 1. Clone the target
git clone https://github.com/elastic/kibana.git
cd kibana
# 2. Fetch all tags
git fetch --tags
# 3. Diff two tags (Output to file for easy reading)
git diff v8.10.0 v8.10.1 > release_diff.patch
# 4. Diff specific file across versions
git diff v8.10.0 v8.10.1 -- path/to/vulnerable/file.ts
Don't just look at the code; look at the logic change.
Did they wrap a variable in a new function?
The Diff:
- return `<div>${userInput}</div>`;
+ return `<div>${escapeHtml(userInput)}</div>`;
Analysis:
- Vulnerability: XSS (Reflected/Stored).
- Trigger:
userInputcontained raw HTML. - Bypass Hunt: Check
escapeHtml. Does it handle single quotes? Backticks? URL encoding?
Did they add an if statement checking permissions?
The Diff:
+ if (!user.canRead(resource)) {
+ throw new ForbiddenError();
+ }
return database.fetch(resource);
Analysis:
- Vulnerability: IDOR / Missing Access Control.
- Trigger: Requesting a resource ID you don't own.
- Bypass Hunt: Can I control
resourcetype? Isuser.canReadchecking the right scope?
Did they ban specific keys or characters?
The Diff:
- merge(target, source);
+ if (key === '__proto__' || key === 'constructor') continue;
+ merge(target, source);
Analysis:
- Vulnerability: Prototype Pollution.
- Trigger: JSON input with
__proto__. - Bypass Hunt: Did they block
prototype? Is the check recursive? Can I useconstructor.prototype?
Raw diffs are hard to read. Use these tools to see the flow.
Visual Studio Code (GitLens)
- Right-click file -> "Open Changes with Previous Revision".
- Essential for tracing where the variable came from in the code.
Diff2Html
- Converts
.patchfiles to pretty HTML side-by-side views.
Meld / Beyond Compare
- GUI tools for comparing entire directory trees (great for seeing if a fix involved multiple files).
The patch fixes one instance. Developers often copy-paste code. Find the others.
Identify the Sink
- The patch fixed a call to
eval(input).
Search the Codebase
- Use grep/Semgrep to find other calls to
eval()or similar dangerous functions. grep -r "eval(" .
Check for Missing Patches
- Did they fix it in
profile.tsbut forgetsettings.ts?
Check for "Weak" Fixes
- Did they use a regex blacklist? (
replace(/<script>/g, "")). - Bypass:
<SCRIPT>or<scr<script>ipt>.
You haven't understood the patch until you can pop a shell on the pre-patch version.
Checkout the Vulnerable Version
git checkout v8.10.0
Setup the Environment:
- Run the app (Docker is usually best for Kibana).
Trace the Input:
- Use
console.log()(or breakpoints) in the vulnerable file to see what your input looks like right before it hits the sink.
Fire the Payload:
- Verify the crash/alert.
Verify the Fix:
git checkout v8.10.1- Run the same payload. It should fail.