Bug Bounty: My First Five Figure Payout

Anton Subbotin (skavans)
Feb 12, 2022

How I received my first five-figure payout ($10,000) from Gitlab.

This happened a month after I quit my job and started looking for bugs full-time. Before that, I had only hunted bugs occasionally: in the morning before work, or at night after it.

Immediately after leaving, I realized that things were serious and that I needed to at least maintain my previous level of income. I decided to pick a program whose product I like (because I wanted not only to earn money, but also to improve a product I love), but also one that pays well. In the end, I settled on GitLab.

Things did not go according to plan. I worked a lot, on adrenaline and, of course, out of fear of being left without money. I worked 10 hours a day with few days off. As a result, by the end of the month all I had found was a couple of minor bugs: a Content Spoofing and a very weak Information Disclosure. So I wasn’t hoping for much income. And I still remember how it was: that evening I was going out with a friend for a beer, there was a little time left before leaving the house, and I was sitting there, as always, researching the application.

Below is the technical part 👨‍💻

Signed in as the administrator, I came across the impersonation feature. This is where the admin can select any user and log in as them simply by pressing one button, apparently to debug issues or help with settings. I tried to do something with this feature this way and that, but got nothing.

Here is how it worked. When an admin clicks Impersonate, they are given a new session cookie (on behalf of the impersonated user). They then have a Stop impersonating button; clicking it returns their admin session cookie.

While I was researching how it works, I also logged in as the impersonated user himself. And I noticed that, at the moment the admin is pretending to be him, this very session, the one the admin is sitting in, shows up in the user’s own account, in the list of active sessions (the place where you can usually click “terminate all other sessions”).

I started looking at what information about this session is available to the user. It turned out to be almost nothing, except some ID that is visible when you try to terminate the session. It dawned on me that the format of this ID looked very familiar. And then I understood that it was nothing other than the value of the session cookie itself.

So, for instance, when a user logs in, they are given a session cookie

sess=12345

and if they want to terminate this session from the list of open sessions, the request sent is

/stop_session?id=12345

And the same thing worked for the session the admin was sitting in. So I knew his cookie and could log in under that particular session.

Remember I said that under such a session the admin has a button to log out back to admin? So I was very interested in whether I would have the same button in this case :) Well, the bounty I earned hints that yes, it appeared.

Accordingly, when the admin impersonates any user, that user can himself log in under this tricky admin session and then go back to being the admin. That is the privilege escalation.
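To make the root cause concrete, here is an added toy model of the flow (my own example, not GitLab's code): a session store where the "active sessions" list either exposes the raw cookie value, as in the bug above, or an opaque HMAC-derived handle that can still be used to terminate a session but cannot be replayed as a cookie. The store layout, the `HANDLE_KEY` secret and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

HANDLE_KEY = b"constructed-server-side-key"  # assumption: server-only key for display handles


class SessionStore:
    def __init__(self):
        self.sessions = {}  # cookie token -> {"user": name, "admin_token": token or None}

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "admin_token": None}
        return token

    def impersonate(self, admin_token, target):
        token = secrets.token_hex(16)  # fresh cookie issued on behalf of `target`
        self.sessions[token] = {"user": target, "admin_token": admin_token}
        return token

    def stop_impersonating(self, token):
        # Whoever presents the impersonation cookie is handed the admin cookie back.
        return self.sessions.pop(token)["admin_token"]

    def handle(self, token):
        # Opaque display handle: keyed HMAC, so it cannot be turned back into the cookie.
        return hmac.new(HANDLE_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]

    def list_sessions_leaky(self, user):
        # The bug: the ID shown in "active sessions" is the raw cookie value itself.
        return [t for t, s in self.sessions.items() if s["user"] == user]

    def list_sessions_safe(self, user):
        return [self.handle(t) for t, s in self.sessions.items() if s["user"] == user]

    def terminate_by_handle(self, user, handle):
        for t, s in list(self.sessions.items()):
            if s["user"] == user and self.handle(t) == handle:
                del self.sessions[t]
                return True
        return False


def impersonated_user_can_escalate(leaky):
    # From alice's side: does the admin's listed session ID work as a cookie?
    store = SessionStore()
    admin, alice = store.login("admin"), store.login("alice")
    store.impersonate(admin, "alice")
    own = alice if leaky else store.handle(alice)
    listed = store.list_sessions_leaky("alice") if leaky else store.list_sessions_safe("alice")
    foreign = next(i for i in listed if i != own)  # entry created by the admin's impersonation
    return foreign in store.sessions and store.stop_impersonating(foreign) == admin
```

With the leaky listing, pressing "stop impersonating" from the listed ID hands alice the admin cookie; with the opaque handle the same ID is useless as a cookie, while terminating sessions by handle keeps working.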

I rated the bug as Critical when submitting it and thought: “Wow, they’ll probably pay me 5 thousand, twice as much as ever before.” I still remember how I felt when I saw my first five-figure payout in my mail :)

Report is disclosed: https://hackerone.com/reports/493324

If you love my posts, you can subscribe to me on Patreon (from $1 per month): https://www.patreon.com/skavans

All my posts (including this one) are first published in my Telegram channel. Besides that, there is a lot of exclusive content there about being a full-time Bug Bounty Hunter. Subscribe:


Anton Subbotin (skavans)

For three years now, my main job has been Bug Bounty Hunting, and I’m good enough at it. My Telegram channel about it: https://t.me/+7CevZdHiUWsxZWIy