How to Report DMARC Vulnerabilities Efficiently To Earn Bounties Easily
Hello Guys, Prajit here from the BUG XS Team. In this write-up I will be discussing the easiest P3-P4 vulnerability found on Bugcrowd, with which you can earn bounties pretty easily.
I have received many valid reports and bounties from this bug, but on the other hand many people are getting N/A and not accepted, so many people on social media have asked me "how are you getting a bounty for this vulnerability?", "I only get negatives and Not Applicable, you got lucky", and so on. First of all, it isn't about luck; it is about how properly you explain the impact and severity of this bug in your report. The quality of the report matters when you are reporting a bug such as this. This write-up will clear all your doubts on that point, so I hope you will read till the end.
What is DMARC?
DMARC also known as Domain-based Message Authentication Reporting and Conformance is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. By having DMARC in place, domain owners large and small can fight business email compromise, phishing and spoofing.
What Does a DMARC Policy Look Like?
Now let us understand in detail what the different tags in the policy mean, from the table below:
One more thing to understand is that the p tag can have three different values, which define how the DMARC policy treats mail that fails authentication:
- p=none: Monitors your email traffic. No further actions are taken.
- p=quarantine: Sends unauthorized emails to the spam folder.
- p=reject: The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn't get delivered at all.
Of the three modes above, it is best if the DMARC record is set to p=reject; if it is set to p=none, the domain is still open to spoofing.
What are the Benefits of DMARC Record?
The main benefits of a DMARC record can be listed as follows:
- Reputation: Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain.
- Visibility: DMARC reports increase visibility into your email traffic by letting you know who is sending email from your domain.
- Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem as a whole become more secure and more trustworthy.
How to Find DMARC Record For a Domain and What are the Different cases of vulnerability?
To find DMARC Record of the domain use online tool https://mxtoolbox.com/ to read the records.
There are two cases one can speak of here. The first is "DMARC Policy Not Available": no DMARC record exists for the domain, which leaves the domain open to spoofing. The second is "DMARC Policy Not Enabled": a DMARC record is present but not enabled properly, so spoofing is still possible. This is the case in which p is set to none.
All of these findings are worth reporting only if the given domain is an "email domain". So what does email domain mean? It simply means that the target domain is used for mailing purposes. (For example, if we have a site named example.com and it has addresses such as privacy@example.com or support@example.com, then example.com is an email domain.)
Now how do you find out whether a certain domain is an email domain? Simply do an MX Lookup on the given domain; if you see a statement like "Email Service Provider is ..." below the results, then that domain is an email domain.
Now let us look at the different cases you will observe in the MX Lookup when hunting this vulnerability, and see what is worth reporting and what is not.
Case-I:
Here, as you can see, there is the line "Your email service provider is Google Apps", hence it is an email domain, but both the statements "DMARC Policy Not Enabled" and "DMARC Record Published" have a green tick, hence this is completely secure and not vulnerable.
Case-II:
Here, as you can see, there is the line "Your email service provider is Proofpoint", hence it is an email domain, and "DMARC Policy Enabled" has a yellow tick, which means a DMARC policy is there but has not been properly enabled (i.e. p=none), so there is still a chance of spoofed emails landing in the inbox. So this is vulnerable and worth reporting. On Bugcrowd its VRT is "Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Email Domain". This is a P3 vulnerability but is also given as P4 sometimes, depending on the program.
Case-III:
Here, as you can see, there is the line "Your email service provider is Google Apps", hence it is an email domain, and "DMARC Record Published" has a red cross, hence there is no DMARC record for that domain, so spoofed emails can land in the inbox. So this is vulnerable and worth reporting. On Bugcrowd its VRT is the same as above: "Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Email Domain". This is a P3 vulnerability but is also given as P4 sometimes, depending on the program.
Case IV:
Here, as you can see, there is no line "Email Service Provider is...", hence it is a non-email domain and not worth reporting. The reason is that if the given domain is not even an email domain, it won't matter whether it has spoofing protection or not, as either way it isn't being used for mailing. So it is vulnerable but not worth reporting, as there is no impact. In the Bugcrowd VRT it is "Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Non-Email Domain", which is a P5 vulnerability.
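As an added example (not part of the original write-up), the following Python classifies a domain into the four cases above from its MX records and the TXT records found at _dmarc.<domain>, and maps each to the Bugcrowd VRT leaf named in the text. It assumes a domain with MX records is an email domain (the MXToolbox "Email Service Provider" line is derived from MX), and it goes slightly beyond the text by also flagging duplicate DMARC records and a pct below 100; the DNS answers are constructed inline so it runs offline.

```python
# Added example, not from the original write-up: classify a domain into the
# write-up's Case I-IV from its MX records and the TXT records at _dmarc.<domain>.
# Assumption: a domain with MX records is an "email domain" (the MXToolbox
# "Email Service Provider" line is derived from MX). Inputs are constructed
# inline so this runs offline; feed it real DNS answers to assess a live domain.

def parse_dmarc(txt):
    """Parse one TXT string into a DMARC tag dict, or None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: a valid record starts with v=DMARC1 and must carry a p tag
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(mx_records, dmarc_txt_records):
    """Return (Bugcrowd VRT leaf, status) for the given DNS answers."""
    is_email_domain = len(mx_records) > 0
    records = [t for t in map(parse_dmarc, dmarc_txt_records) if t]
    if len(records) != 1:
        # No record, or several records: receivers apply no DMARC policy (RFC 7489 6.6.3)
        status, vulnerable = "DMARC Record Not Published", True
    else:
        policy = records[0]["p"].lower()
        pct = int(records[0].get("pct", "100"))
        if policy == "none":
            status, vulnerable = "DMARC Policy Not Enabled (p=none)", True
        elif pct < 100:
            # Only pct% of failing mail gets this policy; the rest gets the next weaker one
            status, vulnerable = f"DMARC Policy Enabled (p={policy}) but pct={pct}", True
        else:
            status, vulnerable = f"DMARC Policy Enabled (p={policy})", False
    if not vulnerable:
        return "Not Vulnerable", status
    if is_email_domain:
        return "No Spoofing Protection on Email Domain", status  # P3/P4 per the write-up
    return "No Spoofing Protection on Non-Email Domain", status  # P5, no impact

# Constructed sample answers mirroring Case I-IV (hostnames are placeholders)
CASES = {
    "case1": (["mx.mail-provider.example."], ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "case2": (["mx.mail-provider.example."], ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "case3": (["mx.mail-provider.example."], []),
    "case4": ([], []),
}
```

Call `classify(*CASES["case2"])` to see the Case II verdict; the same function accepts the MX and TXT answers for any domain you resolve yourself.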
How to provide Exploit PoC?
Nowadays, Bugcrowd and HackerOne triagers are declining this as a vulnerability, saying "it has an SPF record, so it is protected against spoofing", so in such cases you end up getting Not Reproducible and negatives. I recommend you follow the steps below and then report with proof that spoofing is still possible.
For this we are going to use the fake mailer website: http://www.anonymailer.net/
Steps:
- Go to www.anonymailer.net
- In From Name write the name of target company.
- In From E-mail, write an email address on your target domain, for example: privacy@target.com.
- In To Email , write your email
- Now send the mail, and if you get the given mail in your inbox then it will be proved that it is sending spoofed email directly to inbox, hence no spoofing protection on email domain.
Tip: In privacy policy of the website there is always an email which could be used if it is an email domain.
Impact and How to Report?
The simplest impact is that if there is no spoofing protection on the target domain, an attacker can impersonate the company and send emails to users from its address. This could lead to many bad outcomes, such as account takeover or, in the case of an e-banking website, capturing victims' funds, which will degrade the reputation of the company.
I have given here the sample report which I use, so you can use it as a template to report efficiently. Also, before reporting, check the Out Of Scope section properly.
Some of My Valid Reports
All these bounties and many more, just for a vulnerability which can be found in a few seconds. That is why I say this is the easiest P3-P4 vulnerability on Bugcrowd.
Hope you enjoyed this write-up, and do let me know if you have any doubts.
Thanks For Reading
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/