Bug bounty vulnerabilities distribution
Some of my thoughts on specific groups of issues are presented below:
Cross-Site Scripting — I love reporting XSSes in bug-bounty programmes, as they are non-disputable and fast to report. Maybe that is the reason I spend most of my time looking specifically for them.
So what are real-life examples of “inter-application” issues when it comes to XSS?
In general, vulnerabilities coming from hyperlinks in e-mails are so common that I have strong doubts whether anyone even tests for them.
Another group of vulnerabilities that should not exist in web applications in 2018. Again, most of the time they exist because things like “security integration tests” or “inter-application data analysis” are not performed.
Another two real-life examples identified this year:
So again, two cases of “inter-application” vulnerabilities that would never be identified during regular web application testing in an isolated environment.
This is the one class of web application vulnerabilities whose existence I can somehow understand. Although it breaks one of the basic web application security principles (not trusting user-provided input, and the Host header is user-provided input), it has never been described in publications such as the OWASP Top 10 or the OWASP Testing Guide. The most common example of this vulnerability is changing the content of an e-mail message via Host header modification, typically the host name in a password-reset link, so that the reset token is sent to a host the attacker controls when the victim clicks the link. For more examples of these issues you can refer to my OWASP Poland presentation or the great Black Hat talk by @albinowax.
Speaking of blurred responsibilities and a lack of testing in a proper environment?
The results of testing for these vulnerabilities may differ depending on your infrastructure and system architecture. So an application for which no vulnerabilities were identified in your vendor’s development environment may be insecure after you deploy it to your own servers. Moreover, adding or removing a load balancer, or an insecure CDN configuration, may also introduce these vulnerabilities: a proxy that forwards an attacker-supplied X-Forwarded-Host header to an application that trusts it produces exactly the same poisoned links as a direct Host header attack.
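As an added example (not code from the original post or its author), here is the password-reset variant of the Host header problem in plain Python: a link builder that trusts the request’s Host and X-Forwarded-Host headers, the way many frameworks do by default, next to one that takes the origin from deployment configuration and uses the Host header only to reject the request. The header values, host names, `ALLOWED_HOSTS`, `CANONICAL_HOST` and the token are all constructed for the example; your own configuration supplies them in practice. The vulnerable builder also shows the infrastructure dependence described above: the same code is safe when no X-Forwarded-Host reaches it and unsafe once a proxy passes that header through.

```python
"""Host header poisoning of e-mailed links: vulnerable vs hardened link builder."""
from urllib.parse import urlsplit, urlunsplit

# Constructed request headers. An attacker controls Host freely, and controls
# X-Forwarded-Host too unless a proxy in front of the application strips it.
ATTACKER_HEADERS = {
    "Host": "attacker.example",
    "X-Forwarded-Host": "attacker.example",
    "X-Forwarded-Proto": "http",
}
LEGIT_HEADERS = {
    "Host": "app.example.com",
    "X-Forwarded-Proto": "https",
}

# Hypothetical canonical origin. This must come from deployment configuration,
# never from the request.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def reset_link_vulnerable(headers, token):
    """Build the reset link from the (forwarded) Host header.

    Whatever host the attacker sent is what the victim receives in the mail,
    so the reset token is delivered to the attacker when the link is clicked.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = headers.get("X-Forwarded-Proto", "https")
    return urlunsplit((scheme, host, "/reset", f"token={token}", ""))


def hardened_accepts(headers):
    """Allow-list check on the Host header (port stripped; IPv6 literals are
    not handled in this example). Used only to reject requests."""
    host = headers.get("Host", "").split(":")[0].lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers, token):
    """Build the reset link from configuration only.

    The Host header never reaches the generated URL, so neither a forged Host
    nor an X-Forwarded-Host added by a load balancer can change the outcome.
    """
    if not hardened_accepts(headers):
        raise ValueError("untrusted Host header: %r" % headers.get("Host"))
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, "/reset", f"token={token}", ""))


def link_is_canonical(link):
    """The assertion a 'security integration test' of the mail-sending path
    should make: every outgoing link points at the canonical origin."""
    parts = urlsplit(link)
    return parts.scheme == CANONICAL_SCHEME and parts.hostname == CANONICAL_HOST


if __name__ == "__main__":
    token = "constructed-token-123"
    print("vulnerable:", reset_link_vulnerable(ATTACKER_HEADERS, token))
    print("hardened:  ", reset_link_hardened(LEGIT_HEADERS, token))
```

The `link_is_canonical` check is the kind of test that only makes sense against the deployed topology: run it with the proxy or CDN in front of the application, with the headers that proxy really forwards, rather than in an isolated development environment.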
These issues are not well known, relatively easy to identify, non-disputable and fast to report. These four things make them perfect bug bounty vulnerability candidates.
Extensive Google searching made it possible to identify data or functionality that should have been restricted to authorized individuals.
These two cases, which resulted in accepted vulnerabilities, were caused by two factors:
What do these two identified cases have in common? Hyperlinks that included sensitive data were placed in e-mail messages sent by the application. (Did I mention that I have strong doubts whether these e-mail sending functionalities are ever tested?)
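As an added example (not code from the original post), the following Python lints an outgoing e-mail body for links that carry sensitive data in a way that leaks: anything in the query string of an e-mailed link ends up in mail scanners, browser history, proxy logs and, for any third-party resource on the target page, the Referer header, and a non-TLS link exposes it on the wire as well. The sample mail body, the parameter-name list in `SENSITIVE_PARAMS` and the opaque-value heuristic are constructed assumptions for the example; the post does not say what data its two cases leaked.

```python
"""Lint outgoing e-mail bodies for hyperlinks that carry sensitive data."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample mail. The login and unsubscribe links are the kind of
# thing that ships when the mail-sending path is never tested.
SAMPLE_MAIL = """\
Hello,

Your report is ready: https://app.example.com/reports/42
Log in directly: http://app.example.com/login?user=alice@example.com&session=9f3c1b0e4d2a4f7b9a1c3e5d7f9b1d3e
Unsubscribe: https://app.example.com/unsubscribe?email=alice@example.com

Regards
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed list of parameter names that usually carry secrets or personal data.
SENSITIVE_PARAMS = {"token", "session", "sessionid", "sid", "password", "pass",
                    "auth", "key", "secret", "email", "user", "username"}
# Opaque values this long are probably a token or a hash, whatever their name.
OPAQUE_VALUE_RE = re.compile(r"^[0-9a-fA-F]{24,}$|^[A-Za-z0-9_\-]{32,}$")


def extract_links(body):
    """All http(s) links in the body, in order of appearance."""
    return URL_RE.findall(body)


def findings_for_link(url):
    """Return (reason, detail) tuples for one link; empty list means clean."""
    found = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        found.append(("cleartext", "not https; query string is visible on the wire"))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(("sensitive-param", name))
        elif OPAQUE_VALUE_RE.match(value):
            found.append(("opaque-value", name))
    return found


def lint_mail(body):
    """Map each offending link to its findings; clean links are omitted."""
    report = {}
    for url in extract_links(body):
        findings = findings_for_link(url)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in lint_mail(SAMPLE_MAIL).items():
        print(url)
        for reason, detail in findings:
            print("   ", reason, "-", detail)
```

A check like this belongs in the integration tests that exercise the real mail-sending code path, so that every template and every link-building helper is covered rather than only the pages a web application scanner happens to crawl.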
I decided to split these recommendations into “Basic” and “Advanced” steps, as implementing some of these suggestions may require a significant amount of work.
Basic:
Advanced:
—Marcin Szydlowski