
My experience with Bug Bounties

I wanted to polish my pentest skills, and bug bounties are certainly a way to get to know real-world applications that have already been hardened. On the one hand, you get to know some state-of-the-art security systems, such as various kinds of WAF, and you can continuously learn how to get past them. On the other hand, once you start digging into an application you get to know the perspective and mindset of its developers and how they mitigate a problem, which in turn gives you a better understanding of the different ways a single problem can be mitigated.
Last but not least, you can earn some extra perks.
Following that path, I started looking for bug bounties and came across a platform called Firebounty which, among many other such platforms, keeps you updated on the newest bug bounty programs on the market.
After crawling through many potential services, I found one that raised my interest: www.algolia.com, whose main business model is to provide search as a service, offering web search across a client's website using an externally hosted search engine. For more details, you can visit their homepage or their Wiki.

After creating a test account, I started looking for various kinds of bugs, beginning with input validation: whether the application validates user input properly or not. I went to the account settings page to verify the input validation on my account information.
[Screenshot: Algolia account settings page, 2016-01-12]
I noticed that I was able to enter letters into the “Phone” field, which means the application did not do proper input validation: phone numbers are normally numeric, but this field accepted arbitrary characters as well.
I went on to test other malicious characters against the input validation and noticed that single quotes (') were neither encoded nor sanitized, which gave me a chance to produce an XSS.
I started with the following payload in the name field: '-confirm(1)-' but realized that the angle brackets and parentheses were sanitized and my input was blocked. So the next time I sent a request with the following payload, which uses backticks instead of parentheses to call the function: '-confirm`1`-' and the result was as follows:
[Screenshot: confirm dialog rendered on Algolia, 2015-12-29]
I had closed the single-quoted string prematurely and was able to run a script of my own choosing. This was a stored XSS, and it was reflected on every page I browsed to.
[Screenshot: https://www.algolia.com/users/edit with the stored payload, 2015-12-29]
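The two findings above (letters accepted in a numeric field, and a quote that escapes a JavaScript string even though angle brackets are stripped) boil down to output encoding for the wrong context and missing allow-list validation. The following is an added example, not Algolia's code and not taken from the original post: a deliberately naive sanitizer and render function that reproduce the failure mode, the hardened render that encodes for a JavaScript string context, and an allow-list phone validator. Function names, the inline-script template and the sample values are constructed for illustration.

```javascript
// Added example (not the site's real code): why removing angle brackets is not
// enough when user data lands inside a JavaScript string literal, and what the
// fix looks like. Runs under Node.js with no dependencies.

// Naive "sanitizer" of the kind the post describes: it removes angle brackets
// and parentheses (so "<script>" and "confirm(1)" cannot be injected) but
// leaves quotes and backticks untouched.
function naiveSanitize(s) {
  return String(s).replace(/[<>()]/g, '');
}

// Vulnerable render: the profile name is concatenated straight into an inline
// script as a single-quoted JS string. A single quote in the input terminates
// the literal and everything after it is parsed as code.
function renderVulnerable(name) {
  return "<script>var user = '" + naiveSanitize(name) + "';</script>";
}

// Hardened encoder for a JavaScript string context: JSON.stringify yields a
// valid double-quoted literal with quotes and backslashes escaped; on top of
// that, escape characters that could close the <script> element or act as
// line terminators inside the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(name) {
  return '<script>var user = ' + jsStringLiteral(name) + ';</script>';
}

// Check used below: does the generated script still assign exactly one string
// literal to `user`? If anything else appears between '=' and ';', the user
// data has broken out of the literal.
function dataStayedInsideLiteral(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  return /^var user = (?:'[^']*'|"(?:[^"\\]|\\.)*");$/.test(body);
}

// Allow-list validation for a phone field: optional leading '+', then digits
// with spaces, dots, hyphens or parentheses as separators, and 6 to 15 digits
// in total (E.164 allows at most 15). Letters and quotes are rejected outright.
function isValidPhone(input) {
  const trimmed = String(input).trim();
  if (!/^\+?[0-9 .\-()]+$/.test(trimmed)) return false;
  const digits = trimmed.replace(/\D/g, '');
  return digits.length >= 6 && digits.length <= 15;
}

// Constructed sample input in the shape the post describes.
const SAMPLE_NAME = "'-confirm`1`-'";

console.log('vulnerable :', renderVulnerable(SAMPLE_NAME),
  '| inside literal:', dataStayedInsideLiteral(renderVulnerable(SAMPLE_NAME)));
console.log('hardened   :', renderHardened(SAMPLE_NAME),
  '| inside literal:', dataStayedInsideLiteral(renderHardened(SAMPLE_NAME)));
console.log('phone "+49 30 1234567" valid:', isValidPhone('+49 30 1234567'));
console.log('phone "abc"            valid:', isValidPhone('abc'));
```

The point of the check function is that the defect is contextual: the same input is harmless in an HTML text node and dangerous inside a script string, so the encoder has to be chosen per output context rather than by stripping a fixed character list at input time. Allow-list validation on the phone field is a separate control; it would not have stopped the name-field XSS, but it removes one place where unexpected characters are stored at all.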
I reported this bug to Algolia on HackerOne as ticket #107328. At first I got no response for more than a week, and after asking them again they simply replied: “Thank you for the report and for the time dedicated to describing of your finding, unfortunately this is a duplicate of a previously reported thing.” They gave me the original ticket, #102755, as a reference, which gives the following result :)
[Screenshot: HackerOne “Access denied” page for the referenced ticket, 2016-01-13]
I guess I am not the first person to get such an answer. In the past few days on Twitter I have noticed many tweets from various security researchers whose bugs were closed as duplicates or who received something like $5 for a bug.
From: @geeknik
[Screenshot: tweet by @geeknik, 2016-01-13]
From: @brutelogic 
[Screenshot: tweet by @brutelogic, 2016-01-13]
