Wow, sounds like a bug with some serious potential impact. I guess it depends on where the input is reflected. Here are a few ideas:
Is the input reflected in a Location response header? I know you didn’t say so, but it seems likely judging by the nature of the request header. In that case, you’ve got a stored open redirect.
Try to inject HTML or JavaScript in the X-Forwarded-Host header. If you can execute JavaScript, it’s a stored XSS vulnerability. If you can inject HTML, you can maybe completely deface the website and make it say whatever you want. Your evil-url.com/maliciousfile.exe idea is great, but the attack is more convincing with some HTML formatting.
Is the input reflected as an error message? In that case, you can probably perform a pretty scary DoS attack (check the program rules first). For more information on CPDoS, check out this awesome article.
If all else fails, it’s not a bad idea to inject a malicious link, but that obviously requires that the link is reflected visibly on the page. You should try to escalate it as much as you can first.
When testing, you should use a cache-buster (/path/endpoint.php?letsnotpoisonnormalusers=1) to get more reliable results and avoid bothering legitimate users.
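To make the root cause of the reply above concrete from the application's side, here is an added example (not code from the original thread or from any product it mentions): a minimal redirect builder written the way many frameworks derive absolute URLs, first trusting X-Forwarded-Host and then fixed with an allowlist of the hosts the application actually serves. The WSGI-style environ dicts, the `CANONICAL_HOSTS` set and the `letsnotpoisonnormalusers` cache-buster parameter name are constructed for this example.

```python
"""Added example: why trusting X-Forwarded-Host poisons redirects, and the fix.

`vulnerable_redirect` mirrors the behaviour the thread describes: the host
used to build the Location header comes straight from a client-controlled
header. If a shared cache keys the page on the URL only, the poisoned
redirect is then served to every visitor of that URL. `safe_redirect` keeps
the same interface but only ever emits an allowlisted host.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this application is deployed under.
CANONICAL_HOSTS = {"www.example.com", "example.com"}
DEFAULT_HOST = "www.example.com"


def vulnerable_redirect(environ: dict, path: str) -> str:
    """Builds Location from whatever host the client supplied (the bug)."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")
    scheme = environ.get("wsgi.url_scheme", "https")
    return f"{scheme}://{host}{path}"


def safe_redirect(environ: dict, path: str) -> str:
    """Same logic, but the host must be one we actually serve."""
    raw = environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")
    # Proxies may append hops as a comma list; only the first is the client's.
    candidate = raw.split(",")[0].strip().lower()
    # urlsplit drops the port and anything that is not a bare hostname.
    hostname = urlsplit(f"//{candidate}").hostname or ""
    if hostname not in CANONICAL_HOSTS:
        hostname = DEFAULT_HOST
    return f"https://{hostname}{path}"


def location_is_canonical(location: str) -> bool:
    """Check a Location header value: true only if it points at our hosts.

    Useful as a regression check against your own staging deployment after
    the fix, or as a monitoring rule over cached responses.
    """
    return (urlsplit(location).hostname or "") in CANONICAL_HOSTS


def with_cache_buster(url: str, token: str = "1") -> str:
    """Append a unique query parameter so test requests never share a cache
    key with real users' requests (the cache-buster the reply recommends)."""
    separator = "&" if urlsplit(url).query else "?"
    return f"{url}{separator}letsnotpoisonnormalusers={token}"


if __name__ == "__main__":
    # Constructed request: the proxy forwarded an attacker-chosen host.
    env = {
        "HTTP_HOST": "www.example.com",
        "HTTP_X_FORWARDED_HOST": "evil-url.com",
        "wsgi.url_scheme": "https",
    }
    print("vulnerable:", vulnerable_redirect(env, "/login"))
    print("safe:      ", safe_redirect(env, "/login"))
```

The key design point is that the allowlist is checked on the parsed hostname, not on the raw header string, so port suffixes and comma-joined proxy chains cannot slip an unexpected host past the comparison.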
I’m not exactly new, as I joined a couple of years ago.
I participated in a few public programs but wasn’t able to put the requisite time in in order to find anything worthy of submitting.
Fast forward to the present - it would appear that things have changed significantly.
It seems that all of the public programs have a list of 2 to 4 requirements that must be met before the “join” button becomes functional. All the requirements (except one) relate to past performance, of which I have exactly none.
So - is this a case of “You snooze, you lose”? Am I basically barred from participating due to not having submitted any reports in the past?
The “waitlisted” and “joinable” programs are new kinds of private programs that do not require an invitation. If you meet the requirements, you are eligible to participate or apply to participate in the programs. There are still tons of public programs that don’t have any requirements - you just have to scroll a little further, since Bugcrowd just dropped about 30 waitlisted/joinable programs.
I had a chat with Breonna and she explained the various nuances. My main misconception was that I assumed that if a program had no “join” button at all, it meant that it was either full to capacity or otherwise off-limits to me. I didn’t realize that some programs don’t require you to explicitly “join” them in order to participate.
I’m new to bug bounty and I must learn many things. I just need your help to know if there’s a possibility of exploitation in a website based on these remarks:
Let’s start with naming our target: website*com. This is what I observed:
Signing in, registration and password reset are made in the main website
Once signed in, you are redirected to a subdomain hosted on amazon (not sure yet) where you have your dashboard (settings, credit card details etc…)
And this is where weird things started to happen:
1 - Subdomain dashboard: In my account settings I can change my email address, and here’s what I did:
A - I created two accounts with different emails: mymail1@gmailcom and mymail2@gmailcom
B - I logged in with myemail1@gmailcom and went to settings to change the email address to myemail2@gmailcom, then I put the two email addresses in the same field separated by a “,”:
myemail1@gmailcom,myemail2@gmailcom and saved changes :
Result =
Both emails received verification links.
The verification links are not the same. I wanted to verify the email of the account I wanted to take over, but it says invalid token.
Using this method (two emails in one field), neither token is valid, even when I verify the legitimate account with its token.
My new username is showing: mymail1@gmail,mymail2@gmail
Tried this with Burp: &email=mymail1@gmail.c*m&email=mymail2@gmail.com. Same result, both emails received a verification URL.
Random emails with special characters : This notification shows up in my dashboard: “Sent email verification to t^mp0$@nothing.com” or “Sent email verification to mail@.com”
If I do not enter any email in the field and click on “Send email verification”, I get this notification: “Sent email verification to”
If I put many characters, let’s say 100, in the field, the result shows the same notification, and the new data becomes my username but the email is not changed.
I sent a verification link to an existing email (but not registered on the site): I can receive a verification link to an email even when I’m not registered on the site.
Can I register with the same email after? Yes
Once I registered with the new email, can I use the previously sent verification link? No.
All I have to do is to request a new verification link
2 - Main domain reset password:
Send password reset with empty email field. Result : Email ‘’ not found.
Send password reset with random email “randommail@email.com”. Result : Email ‘randommail@email.com’ not found
Send password reset with two random emails separated by “,”: “randommail1@email.com,randommail2@email.com”.
Result : Email ‘randommail1@email.com,randommail2@email.com’ not found
Other observations :
There’s a second subdomain where I can login with the same credentials to an empty dashboard (no settings, no fields to change, only logout link).
Once you put your credit card details and save, all card details are visible not masked.
My goal here is to see if there’s a possibility of an account takeover and send custom content using the website email address.
There’s something not right about this website. I know that I have to dig more and learn many things, and that is what I’m doing, and still, I’m just lost.
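Every observation in the post above (two addresses in one field, the parameter sent twice, an empty field, junk characters, a 100-character value, and an error message that echoes the submitted address) comes down to the same missing server-side control: the handler never establishes that it received exactly one well-formed address before acting on it. The following is an added example, not code from the website in question, of what that control looks like. The parameter name `email`, the `plan_verification` and `password_reset_message` handler names, the length limit and the sample query strings are all assumptions constructed for this example.

```python
"""Added example: strict handling of a single e-mail address from a form.

`extract_single_email` is the gatekeeper: it rejects repeated parameters,
empty values, oversized values, comma-joined lists and malformed addresses
before any verification mail can be sent. The two handler helpers show how
the change-email and password-reset flows use it without echoing the raw
input back to the user or revealing which addresses are registered.
"""
import re
from urllib.parse import parse_qs

MAX_EMAIL_LEN = 254  # assumed limit; comfortably above any real address
# Deliberately strict: one local part, one "@", a dotted domain with a TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class EmailValidationError(ValueError):
    """Raised with a short, non-echoing reason the handler can log."""


def extract_single_email(query_string: str) -> str:
    """Return the one normalised address in the form, or raise."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("email", [])
    # "&email=a&email=b" arrives as a list of two: refuse it outright.
    if len(values) != 1:
        raise EmailValidationError("exactly one email parameter expected")
    raw = values[0].strip()
    if not raw:
        raise EmailValidationError("email is empty")
    if len(raw) > MAX_EMAIL_LEN:
        raise EmailValidationError("email too long")
    if "," in raw or ";" in raw or any(ch.isspace() for ch in raw):
        raise EmailValidationError("only one address allowed")
    if not EMAIL_RE.match(raw):
        raise EmailValidationError("malformed address")
    return raw.lower()


def plan_verification(query_string: str, current_email: str,
                      registered_emails: set) -> dict:
    """Decide what the change-email handler should do (no side effects)."""
    try:
        new_email = extract_single_email(query_string)
    except EmailValidationError as exc:
        # The user sees a generic message; the reason goes to the log only.
        return {"action": "reject", "reason": str(exc)}
    if new_email == current_email:
        return {"action": "noop", "reason": "unchanged"}
    if new_email in registered_emails:
        # Do not mail the other account's owner and do not reveal that the
        # address exists; respond exactly as in the success case.
        return {"action": "generic_ack", "send_to": None}
    return {"action": "send_verification", "send_to": new_email}


def password_reset_message(query_string: str, registered_emails: set) -> str:
    """Same constant reply whether or not the address is registered,
    and never echo the submitted value (no "Email '...' not found")."""
    try:
        extract_single_email(query_string)
    except EmailValidationError:
        pass  # still answer generically; invalid input is logged elsewhere
    return "If that address is registered, a reset link has been sent."


if __name__ == "__main__":
    for q in ("email=mymail1%40gmail.com",
              "email=mymail1%40gmail.com%2Cmymail2%40gmail.com",
              "email=a%40x.com&email=b%40y.com",
              "email=",
              "email=t%5Emp0%24%40nothing.com",
              "email=mail%40.com"):
        try:
            print(q, "->", extract_single_email(q))
        except EmailValidationError as exc:
            print(q, "-> rejected:", exc)
```

Because `parse_qs` hands back a list per parameter, the duplicate-parameter case from the Burp test is caught by a length check rather than by silently taking the first or last value, which is how frameworks end up behaving differently from each other.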
If you use Burp Suite, you can set a Match and Replace rule that adds the header automatically to every request. Alternatively, you can use a browser extension such as User-Agent Switcher for Chrome.
It’s just marked as a duplicate and minimal points are awarded (assuming it’s an otherwise valid submission). No negative marks as a result, to my knowledge.
Hey, I have a question.
I found this in a private program and don’t know if it is valid.
So I logged in with valid credentials and copied the response (cookies).
Then I logged in with wrong credentials, pasted the response and got full access to the account.
Is this a vulnerability??
What do you mean when you say you “pasted the response”?
Anyway, ask yourself how you could use what you’ve just found to do something that you’re not supposed to be able to do. If you somehow obtain someone else’s session cookies, then of course you’ll get access to their account. How would you obtain these cookies though? In your case it sounds like you only got them because you had their credentials in the first place.
Yes, that’s why I doubt this. By “pasted the response” I meant I replaced the “login again” response with the “go ahead” response that I got from passing valid credentials.
If you can steal the cookie by exploiting a vulnerability like XSS, LFI or MiTM and access the account with the stolen cookie, yes, it’s called a “session hijacking” vulnerability. Because of that, the developer should also check some information from sessions like IP address, user agent or other unique credentials.
Also, the account-related cookie must be HttpOnly and must be renewed regularly.
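The two replies above list the server-side controls that decide whether a copied session token is worth anything: rotate the session identifier when credentials are accepted, bind the session to client attributes such as the User-Agent, expire it, and send the cookie with HttpOnly. The following in-memory session store is an added example of those controls working together; it is not code from any program or product discussed in the thread. The class and method names, the 30-minute idle limit and the `SameSite=Lax` choice are assumptions made for this example.

```python
"""Added example: a minimal session store with rotation, binding and expiry.

- start_anonymous(): pre-login session, so a fixed or guessed id is never
  simply "upgraded" to an authenticated one.
- login(): issues a fresh id and destroys the old one (session rotation).
- resolve(): validates idle timeout and User-Agent binding on every request;
  any mismatch destroys the session instead of merely denying the request.
- set_cookie_header(): the cookie attributes the reply asks for.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60  # assumed: 30 minutes of inactivity ends the session


@dataclass
class Session:
    user: Optional[str]       # None until login succeeds
    ua_fingerprint: str       # hash of the User-Agent seen at creation
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _fingerprint(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start_anonymous(self, user_agent: str) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(None, self._fingerprint(user_agent), self._clock())
        return sid

    def login(self, old_sid: str, user: str, user_agent: str) -> str:
        """Credentials were verified elsewhere; rotate the identifier."""
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user, self._fingerprint(user_agent), self._clock())
        return sid

    def resolve(self, sid: str, user_agent: str) -> Optional[str]:
        """Return the logged-in user for a valid session, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        expired = now - session.last_seen > IDLE_TIMEOUT
        # constant-time compare: the fingerprint is a secret-ish binding value
        mismatched = not hmac.compare_digest(
            session.ua_fingerprint, self._fingerprint(user_agent))
        if expired or mismatched:
            del self._sessions[sid]   # a replayed or stale token is burned
            return None
        session.last_seen = now       # sliding idle window
        return session.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value: unreadable from script, HTTPS only, not sent cross-site."""
    return f"session={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start_anonymous("ExampleBrowser/1.0")
    sid = store.login(anon, "alice", "ExampleBrowser/1.0")
    print("old id still valid?", store.resolve(anon, "ExampleBrowser/1.0"))
    print("new id resolves to:", store.resolve(sid, "ExampleBrowser/1.0"))
    print("Set-Cookie:", set_cookie_header(sid))
```

The User-Agent binding here is deliberately modest: it stops the crudest replay from a different client, but it is not a substitute for rotation and expiry, since an attacker who can steal the cookie can usually also copy the header it was issued with. IP binding, which the reply also mentions, is left out because it breaks legitimate users behind carrier NAT and mobile networks; treat it as a risk signal rather than a hard check.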
Hey guys, does anyone know whether finding valid SSH users on a large number of publicly accessible servers running an SSH service is considered a security issue or not?
Also, I have found a vulnerable server which runs an unprotected Elasticsearch service and has already been hacked! When you reach the search endpoint (which is part of an internal network) to query the data, you face a message saying that all the data is gone and can be recovered by transferring some amount of BTC to a BTC wallet! I reported the issue, which has also been marked as not applicable by Bugcrowd.
I would like to know: How to ensure legal compliance when performing bug hunting? For example, let’s suppose you join a program and the company says: We are looking for vulnerabilities at example.com/vunerable. Hack it and submit your findings.
Good. Let’s also suppose you perform some pen testing and you find a vulnerability (without significantly exploiting it).
How can you assure that the company won’t sue you? Is there some kind of way that bugcrowd protects you from that?
OK, I read my very first pages of WAHH today. Seduced by the writing skills after a few pages, I’ve decided to review the bio of the lead author, who I suspect to be Dafydd Stuttard.
Obviously there is not much about him online. But I believe I read he has a PhD in Philosophy. That makes him interesting. Before diving in with Google I thought it would be interesting to pass by here.
The Bugcrowd search engine doesn’t return any search results for his full name. But at the same time, does anyone know a search engine that is reliable or efficient? Or am I doing something wrong?
Above all, does anyone know if there is a paper here written about him, or a link to a blog post or an interview from someone who checked this out? Or is it out of scope? He wrote Burp, so I believe it’s not.
Or is this task going to be my first post here?
Hi Everyone,
I am a new guy, so it seems I can’t open a new topic on this. I did a good amount of reading on how the community works on bug hunting and learning. I have a few basic questions which I couldn’t quite clearly understand:
I see a few people using their own computer and running all the tools on their computer, and a few others using cloud VMs like Digital Ocean and installing the tools there. Can you guys please advise which is preferred when, and what are the pros and cons of each approach?
As an extension to the above question, I see a few people using a base Debian OS and installing their own tools. A few others use an OS like Kali Linux. I understand Kali is a prepackaged extension of Debian, but my question is, what is the reason behind opting for Kali rather than having a base Debian OS and installing the tools needed for their activity? Please advise.
Hi,
I am new in this vast ocean of Bugcrowd. I’ve a couple of things to discuss.
I’ve studied the OWASP Top 10 vulnerabilities and learned some basic things about Bugcrowd in the previous 3 hours. Now I have some questions:
Which software do I have to use to test for bugs?
Can that software be installed on Windows, or have I got to install Kali Linux?
After installing that software, which code do I have to practice there to check for the vulnerabilities?
Waiting for the favorable replies!
Thank you.