2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will walk you through the analysis of two HackerOne bypass vulnerabilities: one of the two-factor authentication requirement and one of the reporter blacklist. Many people may not know much about this, so Xiaobian has summarized the following for everyone; I hope you gain something from this article.
Hi, what I'm going to share with you today is a HackerOne vulnerability that allowed me to bypass the two-factor authentication (2FA) requirement and the reporter blacklist that bug bounty programs can impose on submitters. It was ultimately rated Medium severity as an Improper Authorization issue and paid a total of $10,000.
Vulnerability Description
It was a functional bug. When I first reported it, HackerOne awarded $2,500 at a CVSS 5.0 rating; after the HackerOne security team performed a root cause analysis (RCA) of the bug, they found a second, more serious vulnerability (CVSS 7.1) that shared the same root cause, so HackerOne awarded me an additional $7,500.
Vulnerability discovery
As everyone knows, HackerOne is a bug bounty platform, and I often test vendor programs on it. I keep an eye on new HackerOne features, and one day I came across a trial feature called Embedded Submission Form, which lets white hats:
1. Submit a report without creating a HackerOne account by entering a personal email address in the embedded submission form; HackerOne then sends updates on the report's handling to that address;
2. Submit anonymously if no email address is provided, in which case the white hat receives no reputation points or bounty. Anonymous reporting is an optional setting of this feature.
You can click here to see how the Embedded Submission Form feature is used.
Around this feature I found the following Improper Authorization vulnerabilities:
1. When submitting a report to a vendor's program through the Embedded Submission Form, you can bypass the program's requirement that submitters have 2FA enabled, even when anonymous reporting is not enabled for the program. A report submitted this way still counts as your report. The 2FA setting in question can be viewed here;
2. You can bypass a program's reporter blacklist. A program can blacklist a white hat who keeps submitting unrelated reports, goes out of scope or violates the program's testing rules, after which the program no longer receives that white hat's reports. The reporter blacklist feature can be viewed here.
Vulnerability analysis
Bypassing HackerOne's 2FA requirement when submitting reports
A program can require submitters to have two-factor authentication (2FA) enabled before they are allowed to submit a report. The setting lives at a URL of this form:
https://hackerone.com//submission_requirements
The specific settings are as follows:
For example, Parrot Sec's program requires submitters to have 2FA enabled. If I disable 2FA on my own account, it makes no difference: Parrot Sec's program blocks me from submitting a report until 2FA is enabled again.
Now let's use the Embedded Submission Form feature to see whether this 2FA requirement can be bypassed:
1. Log in to your HackerOne account and disable 2FA on it;
2. Go to Parrot Sec's program page at https://hackerone.com/parrot_sec and click Submit Report. Because 2FA is not enabled on your account, you cannot submit; only after enabling 2FA would the normal submission go through;
3. In Parrot Sec's program policy, find the Embedded Submission Form link. It has the form https://hackerone.com/<redacted_UUID>/embedded_submissions/new, where redacted_UUID is a UUID string like 0a1e1f11-257e-4b46-b949-c7151212ffbb.
4. While logged in to your HackerOne account, submit the report through that Embedded Submission Form. The program's mandatory 2FA check is not applied. In my testing, this submission path also bypasses the program's Report Rate Limit and its internal abuse limits.
Vulnerability impact:
White hats can bypass a program's 2FA requirement, report rate limit and other internal abuse restrictions. This improper authorization interferes with vendors' vulnerability handling and undermines the integrity of the HackerOne platform. The second vulnerability that the HackerOne security team found on top of this one was more serious: if another white hat was writing a report at the time, the attacker could access the attachments of that white hat's report.
Bypassing a program's reporter blacklist
If a hacker's submissions do not follow the program policy, go out of scope or violate the testing rules, the program can blacklist that white hat so that it no longer receives their reports, and can restrict the white hat in both public and private programs. More information here. The specific settings are as follows:
So I thought of my friend Ace Candelario, Parrot Sec's company representative, who handles vulnerability reports for Parrot Sec on HackerOne. I asked him to blacklist my HackerOne account in the backend of the Parrot Sec program so that I could not submit reports. After that, when I clicked Submit Report, the following error page appeared:
Sure enough, I had been blacklisted from Parrot Sec's program. Yet when I used the same steps as for the 2FA bypass above, I could still submit reports to Parrot Sec!
Vulnerability impact:
A malicious white hat who has been blacklisted can keep submitting reports to the program, interfering with the vendor's vulnerability handling and undermining the integrity of the HackerOne platform.
Cause of vulnerability
According to the HackerOne security team's assessment, both vulnerabilities have the same trigger: when a report is written through the Embedded Submission Form, the request to the uuid/embedded_submissions endpoint is handled with the insecure interact_without_authorization mode enabled, which bypasses the backend's access control list (ACL) checks.
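To make the root cause and both bypasses concrete, here is an added Ruby model. It is not HackerOne's code; every class, method and value in it (Program, Reporter, SubmissionPolicy, submit_vulnerable, submit_fixed, the constructed program settings and usernames) is hypothetical. It replays the 2FA and rate-limit steps from the first section and the blacklist scenario from the second, first with a submission handler that skips policy checks on the embedded-form path and then with one that applies the same policy to every path:

```ruby
# Added example, not HackerOne's code: a model of a bounty program's submission
# requirements being enforced on every submission path. Every class, method and
# value below is hypothetical.

# Program-level settings described in the write-up: 2FA requirement, reporter
# blacklist, report rate limit, and whether anonymous embedded reports are allowed.
Program  = Struct.new(:handle, :require_2fa, :blacklist, :rate_limit_per_day, :allow_anonymous)
# The account behind a request; nil models an embedded-form visitor with no account.
Reporter = Struct.new(:username, :two_factor_enabled)

class SubmissionPolicy
  def initialize(program, submission_log)
    @program = program
    @log = submission_log # Array of [username, Time] pairs, constructed for the example
  end

  # Returns a denial reason (String) or nil when the report may be accepted.
  def denial_reason(reporter, now)
    if reporter.nil?
      return @program.allow_anonymous ? nil : 'anonymous submissions are disabled'
    end
    if @program.blacklist.include?(reporter.username)
      return 'reporter is blacklisted by this program'
    end
    if @program.require_2fa && !reporter.two_factor_enabled
      return 'program requires 2FA on the submitting account'
    end
    recent = @log.count { |user, at| user == reporter.username && now - at < 86_400 }
    return 'report rate limit reached' if recent >= @program.rate_limit_per_day
    nil
  end
end

# Vulnerable shape: only the standard "Submit Report" path consults the policy. The
# embedded-form path, built for visitors without an account, skips authorisation
# (the write-up calls this interact_without_authorization) yet still attributes the
# report to the logged-in session, so that session's restrictions never apply.
def submit_vulnerable(program, reporter, log, channel:, now: Time.now)
  if channel == :standard
    return [:denied, 'login required'] if reporter.nil?
    reason = SubmissionPolicy.new(program, log).denial_reason(reporter, now)
    return [:denied, reason] if reason
  end
  log << [reporter&.username, now]
  [:accepted, reporter&.username || 'anonymous']
end

# Hardened shape: one policy gates both channels. The anonymous exemption is granted
# only when no account is attached to the request, never to a logged-in user.
def submit_fixed(program, reporter, log, channel:, now: Time.now)
  return [:denied, 'login required'] if channel == :standard && reporter.nil?
  reason = SubmissionPolicy.new(program, log).denial_reason(reporter, now)
  return [:denied, reason] if reason
  log << [reporter&.username, now]
  [:accepted, reporter&.username || 'anonymous']
end

# Replays the write-up's scenarios (constructed program and accounts) against both
# shapes and returns the outcomes keyed by scenario.
def walkthrough
  parrot  = Program.new('parrot_sec', true, ['blacklisted_hacker'], 5, false)
  no_2fa  = Reporter.new('researcher', false)        # step 1: 2FA disabled on the account
  blocked = Reporter.new('blacklisted_hacker', true) # account the program has blacklisted
  {
    standard_no_2fa:            submit_vulnerable(parrot, no_2fa, [], channel: :standard).first,
    embedded_no_2fa:            submit_vulnerable(parrot, no_2fa, [], channel: :embedded).first,
    embedded_blacklisted:       submit_vulnerable(parrot, blocked, [], channel: :embedded).first,
    fixed_embedded_no_2fa:      submit_fixed(parrot, no_2fa, [], channel: :embedded).first,
    fixed_embedded_blacklisted: submit_fixed(parrot, blocked, [], channel: :embedded).first,
    fixed_embedded_anonymous:   submit_fixed(parrot, nil, [], channel: :embedded).first
  }
end

if __FILE__ == $PROGRAM_NAME
  walkthrough.each { |scenario, outcome| puts "#{scenario}: #{outcome}" }
end
```

The defensive point is the second handler: whether a request arrives through the normal Submit Report button or the embedded form, the program's requirements are evaluated against whatever account the report will be attributed to, and the anonymous exemption exists only for requests that carry no account at all. The same single policy object is where a rate limit or abuse limit belongs, so that no alternate entry point can be added later without inheriting it.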
After reading the above, do you have a better understanding of how HackerOne's two-factor authentication requirement and reporter blacklist were bypassed? If you want to learn more, please follow the industry information channel; thank you for your support.