My experience with Bug Bounties

I wanted to polish my pentest skills, and bug bounties are certainly a way to get to know real-world applications that have already been hardened. On the one hand, you get to know new state-of-the-art security systems such as the various kinds of WAF, and you can continuously learn how to get past them. On the other hand, once you start digging into an application you get to know the developers' perspective and mindset, how they mitigate a problem, which in turn gives you a better understanding of mitigating a single problem from different perspectives.
Last but not least, you can earn some extra perks.
Following that path, I started looking for bug bounties and came across a platform called Firebounty, one of many such platforms, which keeps you updated about the newest bug bounties on the market.
After crawling through many potential services, I found one that raised my interest, www.algolia.com, whose main business model is to provide search as a service: web search across a client's website using an externally hosted search engine. For more details, you can visit their homepage or their wiki.

After creating a test account, I started looking for various kinds of bugs, beginning with input validation: whether the application validates user input properly or not. I went to the account settings page to verify the input validation of my account information.
[Screenshot: Algolia "Hosted Cloud Search as a Service" account settings page, 2016-01-12]
I noticed that I was able to enter letters into the "Phone" field. That means the application did not do proper input validation: phone numbers are normally numeric, but this application accepted even alphabetic characters.
I started testing other malicious characters to check the input validation again and noticed that single quotes (') were neither encoded nor sanitized, which gave me a chance to produce an XSS.
I started with the following payload in the name field: '-confirm(1)-' but realized that the brackets were sanitized and my input was blocked. So next I sent a request with the following payload: '-confirm`1`-' and the result was as follows:
[Screenshot: confirm dialog on the Algolia page, 2015-12-29]
I had closed the single quote prematurely and was able to run a script of my own choice. This was a stored XSS, and it showed up on every page you browsed to.
[Screenshot: https://www.algolia.com/users/edit, 2015-12-29]
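As an added example (not code from the original post or from Algolia), the following Node.js snippet reconstructs why stripping brackets was not enough and what neutralises the payload; it assumes the profile value landed inside a single-quoted JavaScript string, since the post says the quote was closed prematurely, and the function names are my own.

```javascript
// Added example, not code from the original post or from Algolia. It assumes
// the profile value was emitted into a single-quoted JavaScript string, which
// is the context the post's '-confirm`1`-' payload breaks out of.

// Blocklist filter modelled on the behaviour the post observed: angle
// brackets and parentheses are stripped, but the single quote survives.
function naiveBlocklist(value) {
  return String(value).replace(/[<>()]/g, "");
}

// Emits a complete JavaScript string literal for the value. JSON.stringify
// escapes quotes and backslashes, and the extra replacements escape '<', '>'
// and '&' so the HTML parser cannot see a closing </script> tag either.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// Unsafe: the filtered value is concatenated into a quoted literal, so a
// surviving quote terminates the literal and the rest becomes code.
function buildScriptUnsafe(value) {
  return "var displayName = '" + naiveBlocklist(value) + "';";
}

// Safe: the encoder produces the whole literal; the value stays data.
function buildScriptSafe(value) {
  return "var displayName = " + jsStringLiteral(value) + ";";
}

// Stand-in for the browser: runs the fragment with a stubbed confirm() and
// reports whether it fired and what displayName ended up holding.
function runFragment(script) {
  let fired = false;
  const confirm = () => { fired = true; return true; };
  try {
    const displayName = new Function("confirm", script + "\nreturn displayName;")(confirm);
    return { fired, displayName, error: null };
  } catch (e) {
    return { fired, displayName: undefined, error: e.name };
  }
}

// Constructed inputs: the two payloads quoted in the post.
const PAYLOAD_PARENS = "'-confirm(1)-'";
const PAYLOAD_BACKTICKS = "'-confirm`1`-'";
```

With the blocklist, the backtick payload still fires the stubbed confirm(); with the context-aware literal, displayName simply holds the payload text.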
I reported this bug to Algolia on HackerOne as ticket #107328. At first I did not get any response for more than a week, and after asking them again for a response, they simply replied, "Thank you for the report and for the time dedicated to describing of your finding, unfortunately this is a duplicate of a previously reported thing." They gave me the original ticket as a reference, #102755, which gives the following result :)
[Screenshot: HackerOne "access denied" page for the referenced ticket, 2016-01-13]
I guess I am not the first person who has got such an answer. In the past few days on Twitter I have noticed many such tweets from various security researchers whose bugs have either been reported as duplicates or earned them something like $5 for a bug.
From: @geeknik
[Screenshot: tweet from @geeknik, 2016-01-13]
From: @brutelogic 
[Screenshot: tweet from @brutelogic, 2016-01-13]
