I will never do a private bug bounty program again!

Hello, I am gulizhiguhao, author of PentestSuite. Hope you are fine. 

These days I have encountered two cases that I have to share with all bug bounty hunters. 

Company A and company B are BOTH PRIVATE bug bounty programs.

I first found an account takeover bug and submitted it to company A about half a year ago. They triaged it at that time and I was happy. But after that, I got no reply at all. Even when I sent them an email to ask what happened with that bug, they still ignored me. 

And these days I found another bug in company B. It was a bug that can bypass the premium check, which gives normal users the ability to use features that should be reserved for Premium users. Since it's a private program, I still can't give too many details about it. And I have no choice but to hide this, which is also what I hate! If you are doing a public program, then you can definitely say which company it is and request disclosure of the report. 

And now I will show you what the bug is: 

Here's the situation: premium users are able to specify some advanced options when generating the PDF file, while normal users can't. 

The front-end uses the 'disabled' attribute to block this directly. That is the correct first step for protecting the feature. But I found I could simply remove this attribute to unlock the textbox/buttons/whatever and gain the ability to use the premium feature.

Yes, this bug is easy to leverage: you just need to press F12 to pop up the developer tools in your favorite browser, and removing that attribute will make this happen. 

But the problem is not in the front-end, since the PDF file is not generated by the front-end JS. It's generated by the back-end server. 

And guys, you know what I got? They told me it is a UI design problem. 

A UI design problem?

In fact the UI engineer did nothing wrong here. The UI design is correct! The actual problem is that the back-end server does not properly check whether I (a normal user) am a Premium user! 
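To make the back-end point concrete, here is an added example, not code from the program in the post (whose API I don't know), showing the same PDF-options endpoint written two ways: one that trusts whatever form fields the client sent, and one that re-checks the user's subscription on the server. The option names, the User/PdfRequest shapes and the render_pdf stand-in are all assumptions.

```python
# Added example, not the program's own code: one PDF-options endpoint,
# once trusting the client and once re-checking entitlement server-side.
# Option names, User/PdfRequest fields and render_pdf are all assumptions.
from dataclasses import dataclass, field

# Options the post says only premium users may set (names constructed here)
PREMIUM_ONLY_OPTIONS = {"watermark_text", "custom_page_size", "high_dpi"}
AUDIT_LOG = []  # stand-in for the server's security log

@dataclass
class User:
    username: str
    is_premium: bool  # comes from the server's own subscription records

@dataclass
class PdfRequest:
    title: str
    options: dict = field(default_factory=dict)  # as posted by the browser

def render_pdf(title, options):
    """Stand-in for the real generator: returns what would be rendered."""
    return {"title": title, **options}

def disallowed_options(user, options):
    """Premium-only option names this user is not entitled to send."""
    if user.is_premium:
        return set()
    return PREMIUM_ONLY_OPTIONS & set(options)

def handle_pdf_request_vulnerable(user, req):
    """Bug pattern from the post: the only thing keeping a free user away
    from the premium fields is the form's 'disabled' attribute, which the
    client controls, so whatever arrives is applied as-is."""
    return {"status": 200, "pdf": render_pdf(req.title, req.options)}

def handle_pdf_request_hardened(user, req):
    """Fix: the server decides from its own record of the subscription,
    rejects (rather than silently drops) premium fields, and logs it,
    since a free account sending premium fields means a tampered form."""
    denied = disallowed_options(user, req.options)
    if denied:
        AUDIT_LOG.append(
            f"user={user.username} denied premium options={sorted(denied)}")
        return {"status": 403, "error": "premium subscription required"}
    return {"status": 200, "pdf": render_pdf(req.title, req.options)}
```

The 403 plus the audit line is the part that matters: a free account posting premium-only fields can only happen with a modified form, so it is both the correct refusal and a useful detection signal.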

So, bug bounty hunters, you should really focus your attention on those companies which run a public program and have a good reputation. Better to check their responses to other hackers in forums before spending your time and effort on them. 

I was wrong at first: I thought a private program might be easier to find bugs in, so it might be better to do these programs. But the problem is, even if you find a bug, there is a very high chance they will ignore your effort because it's private. 

FUCK PRIVATE PROGRAM.

Comments

  1. another victim of bb ? welcome to the club buddy :D

    Replies
    1. Yep, happy I am new here. Take care my friend 🤣

  2. What's the program?

    I think we could have run into the same one.

    DM me on twitter - https://twitter.com/Skeletorkeys