When you first read the term "Bug Bounty", what comes to mind is some kind of reward programme, and there is nothing wrong with thinking about it that way. You will certainly be rewarded when you work with a bug bounty program, but only if you know exactly what you are doing.
A "Bug Bounty Program" is an open offer made by many websites and organizations to pay for reports of security vulnerabilities in their systems, in order to protect those systems from potential cyber-attacks. Every party involved gains something from such a program, but the ultimate advantage is that bug bounties help make the internet a safer and better place.
Bug bounty programs let organizations learn about and fix bugs before they become public knowledge or are exploited. The people who find and report those bugs are commonly called "bug hunters". Many well-known companies and organizations, such as Facebook, Yahoo, Google, Microsoft, Reddit, Square and Tesla Motors, run bug bounty programs.
Hunter & Ready created the world's first bug bounty program in 1983: they offered a Volkswagen Beetle to anyone who found and reported a bug in their operating system, the Versatile Real-Time Executive (VRTX). About a decade later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase "Bug Bounty" for Netscape's program. From there, bug bounty programs expanded rapidly with the financial and technical backing of large, well-known organizations.
To become a bug hunter, first register on a bug bounty platform (HackerOne, which appears in the incidents below, is one example). There is a wide variety of such platforms today.
There is a wide variety of vulnerability classes that can be found while bug hunting, for example:
1) SQL Injection
2) Cross-Site Scripting (XSS)
3) Command Execution (command injection)
4) Cross-Site Request Forgery (CSRF)
5) Reflected XSS
6) Open Redirects
7) File Upload Vulnerabilities
8) Unencrypted Communication
9) User Enumeration
10) Password Mismanagement
11) Email Spoofing
12) Insufficient Logging & Monitoring
13) Buffer Overflows
14) Directory Traversal
15) DOM-Based XSS
16) Broken Access Control
17) Privilege Escalation
18) Toxic (vulnerable or malicious) Dependencies
19) XML Bombs
20) Session Fixation
21) XML External Entities (XXE)
22) Weak Session IDs
23) Information Leakage
24) Lax Security Settings (security misconfiguration)
Before you start bug hunting you need a few tools installed. The two most widely used web-testing proxies are:
- Burp Suite
- OWASP ZAP
NOTE :- Both are packaged for Kali Linux, so on Kali they do not need to be installed separately.
Bug hunting is a sequence of steps. After registering on a suitable bug bounty platform, you research the available programs and the vulnerability classes listed above, pick one class, and try your best to find and exploit it in a target; this is where the tools mentioned above are really useful. You have to be careful before you attack anything, though: it is compulsory to read the program's scope first. The scope is the set of rules of that organization's program: which domains and applications may be tested, which are excluded, and which kinds of testing (for example denial of service or social engineering) are forbidden. Testing outside the scope is unauthorized access; it loses you the program's safe-harbour protection and can end in prosecution. Reading the scope is therefore the most important thing to do before you start. Once you have exploited a vulnerability, write a complete report covering the vulnerability, the exploitation method (steps to reproduce) and the impact the bug could have on the organization. You can send the report directly to the organization or submit it through the bug bounty platform you registered with.
If you submit a valid report, the organization will most probably reward you with a bounty. It can be a sum of money, a pen drive or a T-shirt. If the bounty is money, the amount depends on the impact of that particular vulnerability. Keep in mind, though, that not every organization pays a bounty; sometimes you will simply receive a "Thank you" message.
Now let's look at some widely reported bug bounty incidents.
1) HackerOne Breach Leads to $20,000 Bounty Reward
- HackerOne paid out $20,000 after a high-severity vulnerability was discovered in the bug bounty platform itself. The flaw allowed an outside bounty hunter to access customers' reports and other sensitive information.
- Disclosed in a HackerOne report, the incident stemmed from a session cookie that was exposed through human error during an interaction between a HackerOne staff member and a bug bounty hunter using the alias "haxta4ok00". HackerOne revoked the session cookie two hours after it was shared.
- “HackerOne triages incoming reports for HackerOne’s own bug-bounty program,” according to HackerOne’s report.
- "On November 24, 2019, a security analyst tried to reproduce a submission to HackerOne's program, which failed. The security analyst replied to the hacker, accidentally including one of their own valid session cookies." HackerOne's session cookies were tied only to the application, not to the client that first obtained them, so a copy of the cookie presented from another location was accepted as the analyst's session. That meant all platform features were available to the hacker, as well as a number of customer reports that the HackerOne representative involved in the incident had worked on.
- In this case, parts of a cURL command copied from a browser console were not removed before it was posted to the report, disclosing the session cookie. The hacker was also able to access a number of reports from HackerOne's optional service, Human-Augmented Signal (HAS), which flags reports that look like spam. After realizing that the live session cookie had been exposed, haxta4ok00 submitted a bug bounty report for the issue, including its impact and what he had been able to access. After revoking the cookie, HackerOne also audited existing comments to see whether other session cookies had been leaked in the past; that audit found none.
2) A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database
- Eugene Lim, aka spaceraccoon, earned $4,000 after reporting the flaw to Starbucks via the company's bug bounty program on HackerOne. The hole was identified on April 8 and patched within two days; the report he submitted to HackerOne was made public on August 6, 2019.
- It is worth noting that $4,000 is the maximum Starbucks pays for critical vulnerabilities through its bug bounty program. The average bounty awarded by the coffee giant is $250, and the total paid out so far exceeds $400,000.
- According to Lim, he started by checking the targeted endpoint for file upload vulnerabilities, and then tested it for XXE flaws after noticing that it was running the Microsoft Dynamics AX enterprise resource planning (ERP) platform.
- After his XXE attempts failed, he moved on to other targets. Roughly a month later he revisited the endpoint and checked for SQL injection, which he soon discovered.
- He then set out to establish three things: the type of data in the database, the amount of data, and how recent it was.
- He identified the default main table and its relevant columns and confirmed that the table held close to a million records containing real accounting data. As soon as the impact was clear he stopped testing and began writing the report.
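The shape of that bug, and of the restraint Lim showed in assessing it, can be shown in a few lines. The following is an added example, not Starbucks' code or spaceraccoon's own proof of concept: a lookup that concatenates user input into SQL beside its parameterised form, a tautology payload that makes the vulnerable version return every row, and a UNION payload that answers "how many records, how recent" through the injection without dumping the data. The in-memory SQLite table, its columns and rows, and the function names are all assumptions made for illustration.

```python
"""Added example: SQL injection, the fix, and a minimal impact check.

The 'ledger' table and SAMPLE_ROWS are constructed; nothing here is
Starbucks' schema or the original report's payloads.
"""
import sqlite3

# Constructed rows standing in for an ERP accounting table.
SAMPLE_ROWS = [
    ("INV-1001", "Acme Coffee Supply", 1250.00, "2019-03-02"),
    ("INV-1002", "Bean Logistics", 980.50, "2019-03-30"),
    ("INV-1003", "Cup Makers Ltd", 430.00, "2019-04-07"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (invoice TEXT, vendor TEXT, amount REAL, posted TEXT)")
    conn.executemany("INSERT INTO ledger VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, invoice):
    """User input is spliced into the SQL text, so it can change the query."""
    sql = ("SELECT invoice, vendor, amount, posted FROM ledger "
           "WHERE invoice = '" + invoice + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, invoice):
    """Bound parameter: the value is data to the engine, never SQL."""
    sql = "SELECT invoice, vendor, amount, posted FROM ledger WHERE invoice = ?"
    return conn.execute(sql, (invoice,)).fetchall()


# Tautology payload: closes the string literal and ORs in an always-true
# condition, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"

# Impact-assessment payload: one UNION row carrying the row count and the
# newest posting date, which answers "how much" and "how recent" without
# pulling any customer or vendor record. The trailing -- comments out the
# closing quote the application appends.
IMPACT_PAYLOAD = "' UNION SELECT COUNT(*), MAX(posted), 0, '' FROM ledger --"


def impact_via_injection(conn):
    """What a responsible tester extracts before stopping and writing it up."""
    rows = lookup_vulnerable(conn, IMPACT_PAYLOAD)
    count, newest, _, _ = rows[0]
    return {"rows": count, "newest": newest}


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_vulnerable(db, "INV-1001"))
    print("vulnerable + tautology:", len(lookup_vulnerable(db, PAYLOAD)), "rows")
    print("safe + tautology:", lookup_safe(db, PAYLOAD))
    print("impact:", impact_via_injection(db))
```

Column-count and type in the UNION have to line up with the original SELECT, which is why the payload pads with `0` and `''`; against a real ERP the same probe would be preceded by finding the table and column names, as Lim did, and followed by the report rather than by a data dump.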