My experience with Bug Bounties
I wanted to polish my pentesting skills, and bug bounties are certainly a way to get to know real-world applications that have already been hardened. On the one hand, you get to know new state-of-the-art security systems such as various kinds of WAF, and you can continuously learn to penetrate them. On the other hand, once you start digging into an application you get to know the developers' mindset and how they mitigate a problem, which in turn gives you a better understanding of mitigating a single problem from different perspectives.
Last but not least, you can earn some extra perks.
Following the same path, I started looking for bug bounties and came across a platform called Firebounty which, among many other such platforms, keeps you updated on the newest bug bounties on the market.
After crawling through many potential services, I found one that caught my interest, www.algolia.com, whose main business model is to provide search as a service: offering web search across a client's website using an externally hosted search engine. For more details, you can visit their homepage or their Wiki.
After creating a test account, I started looking for various kinds of bugs, beginning with checking whether user input was validated properly. I went to the account settings page to verify the input validation for my account information.
I noticed that I was able to enter letters into the “Phone” field, which means the application did not validate input properly: phone numbers are normally numeric, but this application accepted alphabetic characters as well.
I started testing other malicious characters to check the input validation again and noticed that the single quote (') was neither encoded nor sanitized, which gave me a chance to produce an XSS.
I started with the following payload in the name field: '-confirm(1)-' but realized that the angle brackets were sanitized and my input was blocked. So next I sent a request with the following payload: '-confirm`1`-' and the result was as follows:
I had closed the single quote prematurely and was able to execute a script of my own choosing. This was a stored XSS, and it was rendered on every page you navigated to.
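To illustrate the class of bug described above, here is an added example in JavaScript (not Algolia's code): it assumes a page template that embeds the profile name inside a single-quoted JS string literal, contrasts a filter that only strips angle brackets with proper JS-string-context encoding, and includes an audit check for stored values that would terminate such a literal.

```javascript
// Added example, not Algolia's code. Models the post's bug: a profile field
// rendered into a single-quoted JavaScript string, protected only by a
// filter that strips angle brackets. Shows the hardened encoding and a
// check for stored values that would still terminate the literal.

// The payload quoted from the post; the backtick form is the one that
// got past the angle-bracket filter.
const PAYLOAD = "'-confirm`1`-'";

// Weak mitigation: strip "<" and ">" only. Quotes and backticks survive.
function stripAngleBrackets(value) {
  return String(value).replace(/[<>]/g, "");
}

// Hardened: emit a JS string literal. JSON.stringify escapes quotes,
// backslashes and control characters; the extra replaces cover "</"
// (which could close an inline <script>) and the line terminators
// U+2028/U+2029, which JSON allows raw but JS engines may treat as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Assumed page template (constructed): var user = {name: '...'};
function renderWeak(value) {
  return "var user = {name: '" + stripAngleBrackets(value) + "'};";
}
function renderHardened(value) {
  return "var user = {name: " + jsStringLiteral(value) + "};";
}

// Defender check: would this stored value terminate a single-quoted JS
// literal it is pasted into? Useful for auditing existing records.
function breaksSingleQuotedLiteral(value) {
  return /['\\\r\n\u2028\u2029]/.test(String(value));
}

// Verification helper: the hardened literal must decode back to the input,
// proving the value stays inside one string and never becomes code.
function roundTrips(value) {
  return JSON.parse(jsStringLiteral(value)) === String(value);
}
```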
I reported this bug to Algolia on HackerOne, original ticket no. #107328. At first I did not get any response for more than a week, and after asking them again for a response, they simply replied: “Thank you for the report and for the time dedicated to describing your finding, unfortunately this is a duplicate of a previously reported thing.” They referred me to the original ticket, #102755, which gives the following result :)
I guess I am not the first person to get such an answer. In the past few days on Twitter I have noticed many tweets from various security researchers whose bugs were reported as duplicates or who got something like $5 for a bug.
Tweet from @geeknik
Tweet from @brutelogic