How to Report DMARC Vulnerabilities Efficiently To Earn Bounties Easily
Hello Guys 👋👋 , Prajit here from the BUG XS Team, so in this write-up I will be discussing the most easy P3-P4 vulnerability found on Bugcrowd 😈, and with which you can earn bounties pretty much easily.
So, I have got many many valid and bounties from this bug, but on the other hand many people are getting N/A and not accepted , so many people of social media handlers have asked me that “how are you getting bounty for this vulnerability?” , “I get only negatives and not applicable, you got lucky” and all stuff like that. So first of all, it isn’t about luck, it is about how properly you are able to explain the impact and severity of this bug in your report. So quality of report also matters in case you are reporting a bug such as this. So this write-up will clear all your doubts regarding that point, so hope you will read till the end.
What is DMARC?
DMARC also known as Domain-based Message Authentication Reporting and Conformance is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. By having DMARC in place, domain owners large and small can fight business email compromise, phishing and spoofing.
What Does DMARC Policy Looks Like?
Now let us understand in detail, what does this different things in the policy mean, from this below table:
Now one more thing to understand is that the p tag can have three different values, which will define how the DMARC Policy will work with suspicious mails:
- p=none: Monitors your email traffic. No further actions are taken.
- p=quarantine: Sends unauthorized emails to the spam folder.
- p=reject: The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn’t get delivered at all.
So out of the three above modes, it is best if DMARC record is set on p=reject, and in case it is p=none, there is still chances of vulnerability.
What are the Benefits of DMARC Record?
The main benefits of DMARC Record could be listed as followed:
- Reputation: Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain.
- Visibility: DMARC reports increase visibility into your email traffic by letting you know who is sending email from your domain.
- Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem as a whole become more secure and more trustworthy.
How to Find DMARC Record For a Domain and What are the Different cases of vulnerability?
To find DMARC Record of the domain use online tool https://mxtoolbox.com/ to read the records.
Now in different cases there are two vulnerabilities that can one say, “DMARC Policy Not Available” , in such case there is no DMARC Record available, which leads to possible spoofing of that domain. The second case is “DMARC Policy Not Enabled”, in such cases, DMARC Record is present but not enabled properly, due to which spoofing will still be possible. This is the case in which p is set on none.
Now this all vulnerability are worth reporting only if the given domain is “email domain”. So what does email mean?, It simply means that the given target domain is used for mailing purposes.(For eg if we have a site named example.com and it have emails such as email@example.com or firstname.lastname@example.org , so the given example.com is an email domain.)
Now how to find a certain domain is an email domain?, Simply if you do MXLookup on the given website, and below you see a statement like “Email Service Provider is …” then that domain is an email domain.
Now let us different cases you will observe in case of MXLookup for hunting this vulnerability, and also see what is worth reporting and what is not…
Here as you can see there is the line “Your email service provider is Google Apps”, hence it is an email domain, but here both the statements “DMARC Policy Not Enabled” and “DMARC Record Published” has green tick , hence this is completely secure and not vulnerable.
Here as you can see, there is the line “Your email service provider is Proofpoint” , hence it is an email domain, and here as you can see “DMARC Policy Enabled” has a yellow tick, which means, DMARC Policy is there but has not been properly enabled (i.e. p=none), so still chances of spoof emails to come into the inbox. So this is vulnerable and worth reporting. On Bugcrowd it’s VRT is “Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Email Domain”. This is a P3 vulnerability but is also given as P4 sometimes depending from program to program.
Here as you can see, there is the line “Your email service provider is Google Apps” , hence it is an email domain, and here as you can see “DMARC Record Published” has red cross, hence there is no DMARC record for that domain, so spoof emails to come into the inbox. So this is vulnerable and worth reporting. On Bugcrowd it’s VRT it is same as above “Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Email Domain”. This is a P3 vulnerability but is also given as P4 sometimes depending from program to program.
Here as you can see there is no line “Email Service Provider is…” , hence it is a non-email domain, so not worth reporting, the reason is that if the given email is not even an email domain so it won’t matter if it has spoofing protection or not, as either way it isn’t being used for mailing purpose. So it vulnerable but not worth reporting , as no impact is there. In Bugcrowd VRT it is “Server Security Misconfiguration > Mail Server Misconfiguration > No Spoofing Protection on Non-Email Domain”, which is P5 vulnerability.
How to provide Exploit PoC?
Nowadays, on Bugcrowd and Hackerone are declining this as a vulnerability as saying “it has SPF Record, so protected against spoofing” , so in such cases you end up getting Not Reproducible and negatives, so I recommend you to follow the below steps and then report them with proof that spoofing is still possible.
For this we are going to use fake mailer website: http://www.anonymailer.net/
- Go to www.anonymailer.net
- In From Name write the name of target company.
- In From E-mail, write an email from your target domain, for eg: email@example.com.
- In To Email , write your email
- Now send the mail, and if you get the given mail in your inbox then it will be proved that it is sending spoofed email directly to inbox, hence no spoofing protection on email domain.
Impact and How to Report?
The most simple impact is that if there is no spoofing protection on target website, attacker can impersonate as company and send emails to users from their email. Now this could lead to many bad things like account takeover, or in case of e-banking website, capturing funds of victims, etc like that, which will degrade the reputation of the company.
I have given here the sample report of the one which I use, so you can use that as to report efficiently. Also before reporting check the Out Of Scope section properly.
Some of My Valid Reports
So all this bounty and many more, just for a vulnerability which could be found in few seconds. So that is why I tell this is the easiest P3-P4 vulnerability on Bugcrowd.
Hope you enjoyed this write-up and , do let me know if you have any doubts✌️.
Thanks For Reading 😊
BUG XS Official Website: https://www.bugxs.co/