All or nothing.
It was time, the day had come. I woke up, booted my computer. Grabbed some breakfast and opened Hackerone.
The first thing you do before you go hunting for bugs is read the program policy real careful. If go out of scope or break the policy, the company might drag you to court. Don’t be that guy!!
Note: I can’t tell you the domain of the target as it’s a private program on Hackerone. I will reefer to them as example.com.
The scope of the program was basically *.example.com.
I started looking for subdomains (subdomain.example.com) and found a tool called Sublist3r that worked really well in finding subdomains.
Now I had a list of 1000 subdomains. What the…. do I even do with these subdomains.
I went back to the main website (www.example.com) and started playing around just focusing on testing out all the functionality.
What do you do when you see a search bar?
- You look for reflected XSS! That’s right.
I enter <h1> in the search bar and to my surprise it worked. The text wasn’t properly escaped! wooohoo.
This is called HTML injection. Let’s see if we can escalate this to pop an alert.
When I tried <script>alert(1)</script> the page didn’t load and an error message was shown. Hmmm weird.
I suspected that there might be a WAF (Web application firewall) in front of the web server. A great tool that will detect most WAF’s out there is WAFW00F.
This was the result…
- Kona Site Defender (Akamai)
That meant I had to find a bypass… I spent two days furiously trying different stuff… All of a sudden I figured it out. There was a parsing bug in the search bar which let me control the URL of the search result. This let me bypass the WAF and pop an alert.
Basically it looked like this:
<a href="javascript:confirm`1`">...
Final step: report writing
The hard part was done. All I had to do now was to write a quality report report and wait for the response.
The report was closed as informative… What does this mean. Well it means that I’m a dumb-ass and didn’t read the policy all that well… Since the payload was only executed if the user typed it in manually and clicked the search result. The impact of the self-xss vulnerability was little to none. This is the reason the report got closed as informative.
Reputation at Hackerone
All hackers at Hackerone start with 100 reputation. If a report is closed as resolved, you will gain +7 reputation.
In my case my report was closed as informative. This means my reputation will neither go up or down.
Learn from your mistakes and come back stronger next time
Don’t waste your time on out of scope bugs. This will only waste the companies time but also yours… 2 days I could have spent on something else…
Also keep the tools to the minimum. Hunting subdomains right away will just waste your time when you don’t know exactly what your looking for.
Next blog post
I’ll tell you how I got my first bug bounty ($$). See ya