Me and Paulo Silva wrote a simple golang tool to check full disclosures on HackerOne. Why?
So if you guys want to give it a try, feel free to install it and participate – https://github.com/dsopas/h1-search
Hey guys for those who want to download my presentation at BSides Lisbon you can do it right here.
Also you can watch the 50min video of the talk – https://www.youtube.com/watch?v=6cWHt-h78yY
I had lot’s of interesting questions at the end of the talk which showed me lots of interest in the bug bounty industry.
I also I would like to thank the BSides Lisbon organization because it was a awesome event. I met so many interesting people and got the opportunity to be with my great friends.
Awesome talks in both tracks and lot’s of networking and hacking on the lounge areas.
Next year I’ll be there again for sure!
OLX Stored XSS
https://hackerone.com/reports/152069
Adobe Reflected XSS
https://hackerone.com/reports/50389
I asked for full-disclosure of this reports so other users can learn something from it.
The OLX security report was also mentioned on a portuguese media site- Future Behind. If you know portuguese language feel free to read it.
Guys I’ll be a speaker at BSides Lisbon 2016 with the talk – “The way of the bounty”.
If you want to know some of my tips and secrets on bug bounty programs don’t forget to schedule in your calendar – 11th November.
Just to give a small update on my work… I’ve been more active on my Twitter account so follow me to get the latest updates on my security work π
Also here are some work I’ve done:
Regarding conferences I’ve been on Join 2016 @Braga presenting the talk “Hacking from Black to White”.
Yesterday I was exchanging some messages on Twitter – specially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue.
In my experience I know what’s the feeling of trying to help a vendor and they ignore you or in some extreme cases even “inviting” you to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working in the same side against bad guys. The problem in this connection is trust.
Vendors don’t trust researchers.
Researchers are loosing trust on vendors.
We need to fix it.
I had a bad experience with lots of big IT companies. Specially the ones I usually use on their products. I don’t go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application.
In my opinion these are the main issues:
But not all vendors are like that. I already tried different approaches who seemed to work.
If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them.
You as a researcher have the responsibility to prepare the path and improve the communication between vendors.
Don’t give them hell! Give them trust!
Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about getting the researcher a feedback like:
We’re working on it. It will take some time, maybe weeks or months…
Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues.
It also happened to me in a private program for a popular online newspaper. I reported a security issue where a attacker could steal users information and they categorized as “Informative” and fixed it in a couple of days.
This type of situations are not good for the business. Vendors must respect the researchers and visa-versa.
Well this are my thoughts about this, feel free to share yours in the comments section.
For those who are interested about this topic I recommend watching the video of Kymberlee Price at Kaspersky Security Analyst Summit 2016.
That’s a question that sometimes comes in mind of many “hunters”.
Personally in most cases, when I participate on these programs, I use fake information – one of the first reasons is to immediately test the input fields π
Programs that required you to add your credit card info, phone number, bank info, … in most cases I try to slow down my research a bit. [As alternative sometimes I use one-time only credit cards but in other cases you need to provide other information to test further – eg: upload funds using your bank account. Also it’s a positive thing to have a phone number just to test bug appreciation programs. I already smsbomb myself using a vulnerability #shameonme]
I’m not paranoid but in my opinion it would me interesting if the program itself provides the security researcher with a payment sandbox. Some of them already do this.
Programs that want you to test their payment gateways, membership upgrades, etc… could create some private layer to help researchers. This is a win-win situation, where both parties have interest in giving their best.
Just to give you a background on this topic, a couple of weeks ago I had access to bank information using a SQL Injection vulnerability present on a bounty program. The data was in plaintext. Some of the info was from security researchers that were also testing their security.
I asked a couple of other researchers and some of them told me that they used fake payment data – that works if you are not buying or testing payments.
But I wanted more feedback… So I give it a try on the voting quiz available on Twitter and shared with my followers:
Do you use your personal information when bug hunting (name, phone, address, payment information, …)?
Yes – 26%
No – 39%
Not all the info – 35%Total votes: 23 (duration: 24 hours)
Not many votes (timezone is a b****) but we can get a small idea on what bug hunters are doing.
74% of them don’t use their real information or just provide part of their personal data.
Bugcrowd told me that they provide test credentials wherever possible. They believe that providing that information to bug hunters participants is ideal, but that requires support on the backend side. Bugcrowd CEO – Casey Ellis – also told me that they advise programs [private or dojo] to create test accounts. If it’s a public program they advise them only if there’s a txn failsafe on the processing side because public may start using them for regular transactions.
Working with Cobalt I also had the opportunity to work with test accounts in their private programs.
On HackerOne I never come across test accounts, even with private programs. It would be cool if they comment this article about this.
Also I already come across of some bug appreciation programs that provided credit card details [bypassing the payment checks] to give the opportunity to researchers test live transactions.
I hope that with this article I help bug appreciation programs participants to protect themselves but at the same time providing the program a good service.
What you guys think about this?
I’m getting a few emails asking some tips on how to get some bounties. Because I like to help others and I’m a share knowledge believer π I wrote this small article about using the right online tools and earn some bucks on bounty programs.
Most experience bug hunters already know most of this tools but this is mostly for starters.
SSL validation
URL: https://www.ssllabs.com/ssltest/
Qualys provides a free online tool that runs a complete test on a target SSL. Heartbleed, OpenSSL CCS vuln, BEAST, POODLE, etc all of these are covered in this online test.
Missing SPF? Let’s test it…
URL: http://www.kitterman.com/spf/validate.html
These tools are meant to help you check SPF records on your target. For many bug bounties participants this is one of the first things to try. Usually get’s the minimum payout if in-scope. On HackerOne, Shopify already paid $500 on this missing email security header – https://hackerone.com/reports/54779
Test X-FRAME-Options
URL: http://savanttools.com/test-frame
This tool is useful for detecting sites that use the X-FRAME-OPTIONS header to block framing, or use frame-breaking / frame-busting Javascript. Clickjacking attacks can be achieved with the help of this tool.
Find subdomains of a domain
URL: https://pentest-tools.com/information-gathering/find-subdomains-of-domain
pentest-tools.com offers 40 credits every day to a user for free and using this information gathering information on the subdomains will take you 20 credits so you can use it twice a day. This is very usefull to find other domain targets.
Online fuzzer
URL: https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files
With only 10 credits [you have 40 credits every day] this online URL Fuzzer can be used to find hidden files and directories on a web server.
This is a discovery activity which allows you to discover resources that were not meant to be publicly accessible (ex. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc).
With a file/direcotry fuzzer you can always find interesting stuff. I already found a couple of phpinfo.php files on major companies and got few bounties with them.
Using Drupal?
URL: https://hackertarget.com/drupal-security-scan/
With this online you get a overview of the Drupal version used, template name, if directory indexing is enabled, etc. Some of this information you could use to run further tests and determine if you can get someting vulnerable from the Drupal instalation.
Using WordPress?
URL: https://hackertarget.com/wordpress-security-scan/
I’m a big fan of wp-scan but if you need a free online tool HackerTarget will do a good job for you.
This tool will check the version of WordPress, check directory indexing, list plugins [and if new updates are available], user enumeration, etc. With this information you can check for vulnerable plugins and provide a good report about that.
Using Joomla?
URL: https://hackertarget.com/joomla-security-scan/
Like the previous tools this one also checks for Joomla instalattions information. Take a look into the plugins/components. Usually there are something to look for. Compare versions and Google for changelogs about vulnerabilities. Very often in the changelog the vulnerability is not public but if it says CSRF on options-windows.php. Just try to download that version and audit it yourself. I’ll do that π
Target store using Magento?
URL: https://www.magereport.com/
Scan your targets Magento shop for known security vulnerabilities. This is a very useful tool that can get a few vulnerabilities in your bounty quest.
I would like to add that there are better tools that could be installed on your operating system but that could be on another article π
Tip 1: Always read carefully the bounty program details to check what’s in-scope. Always respect the rules.
Tip 2: Don’t forget also to read my article. Don’t copy paste your online results on the report and voila!
As a bug hunter at Cobalt, HackerOne and BugCrowd I always try do my best to give programs the best information needed to understand the security report.
Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like:
You guys don’t have SPF header on your mail server.
Check it online here: …
If I was the program manager I would categorize this like “WTF” bug or something. Not for the vulnerability itself but because the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and you know what you are talking about. Treat the program like your client.
Sometimes this make the difference between earning kudos and earning money.
Elaborate the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions for their problem.
Hey this is just a small tip… Hope it makes difference on your future reports!
Why? I forgot that’s my grandmother birthday. I could lie and tell something technical or something, but no… It’s true π
I’ll try to post another date next week.
Sorry!