SLTechnology News & Howtos > Network Security (updated 2025-04-06)
Shulou (Shulou.com) 05/31 Report
This article shows how to repeatedly obtain HackerOne vulnerability-testing invitations. It is concise and easy to follow, and I hope you gain something from the detailed walkthrough.
What I want to share today is that by combining two HackerOne platform features, vulnerability report email forwarding (Security@ email forwarding) and the project exit function (Leave Program), you could repeatedly obtain private project invitations on HackerOne without any interaction with the vendor. This is a logic bug: the design of HackerOne's test-invitation mechanism was flawed.
Vulnerability report email forwarding (Security@ email forwarding)
The vulnerability report email forwarding function (Security@ email forwarding) has to be negotiated between the vendor and HackerOne, so not every vendor's test project has it. The principle is as follows. If a white hat finds a vulnerability affecting a vendor on HackerOne, they may report it to the vendor's security team mailbox, security@companyname.com, which HackerOne provides for that vendor. At the same time, when the white hat submits the report through the HackerOne platform, a copy of the report is forwarded to the white hat's own inbox as an archive.
Once the vendor's security team receives the report, HackerOne automatically sends a private test invitation to the white hat's inbox, inviting them to join the organization's private vulnerability-testing project and submit further vulnerabilities. As follows:
Project exit (Leave Program)
Simply put, the project exit function works like this: after a white hat joins a vulnerability-testing project on HackerOne, if they find that the project's testing scope or field is not something they are interested in or good at, they can click "Leave Program" to exit the project. The "Leave Program" button is on the test project's home page (Security Page).
If you opt out of a test project through this feature, HackerOne asks you to complete a questionnaire about why you left, and in return the system sends you another test project invitation within 24 hours. As follows:
You helped us out by filling out a survey, in return you will be fast-tracked for invites, with the first one arriving in the next 24 hours.
Could there be an exploitable loophole in this design logic? Can I make HackerOne send me test project invitations indefinitely? The answer is yes.
Bug reproduction
Suppose you have not yet received any test project invitations, that is, your invitation count is 0. You can then reproduce the vulnerability with the following steps:
1. First, find a test project on HackerOne that has vulnerability report email forwarding (Security@ email forwarding) enabled. Simply put, browse the HackerOne bug bounty program list at https://hackerone.com/bug-bounty-programs; if a test project's home page lists a vulnerability report address of the form security@companyname.com, that vendor has email forwarding enabled. As shown below:
2. Take the vendor's vulnerability-report forwarding address (written here as security@companyname.com, with the vendor's actual domain substituted);
3. This email address is the key to receiving a HackerOne test invitation, so send a test email to it.
4. After that, you will receive a test invitation from the vendor's security team through the HackerOne platform, as shown below:
5. Click the "Submit Vulnerability Report" link in the picture above and you become a project participant;
6. Now select "Leave Program", complete the program exit questionnaire and confirm the exit;
7. You are then added to HackerOne's fast-track invite list, and within the next 24 hours you receive a test invitation for another project;
8. Repeat steps 2 through 7 and you keep receiving vulnerability-testing invitations for different projects.
The following diagram gives a simple logical description of this process:
Vulnerability impact
An attacker could obtain invitations to many vulnerability-testing programs without any interaction with the vendor. By repeating the steps above, I received more than 100 test invitations within a few months and could pick out the ones I wanted.
Bug fix
HackerOne has now fixed this logic bug: white hats who leave a project no longer receive test invitations from other vendors in return.
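To make the reproduction steps and the fix concrete, here is an added model of the invitation loop (example code, not HackerOne's implementation). It replays the loop under the pre-fix and post-fix policies and adds a simple platform-side churn check; the program names, day counts and thresholds are assumptions.

```python
def simulate(rounds, fixed):
    """Replay the invitation loop for one account under a policy.

    Each round: a report is mailed to a program's forwarding security@
    address, HackerOne auto-invites the sender, the account accepts, then
    leaves the program and completes the exit survey. Returns the event
    log as (day, event, program) tuples and the total number of invites.
    """
    log, invites, day = [], 0, 0
    for i in range(rounds):
        program = f"program-{i}"  # hypothetical program name
        # Steps 2-4: mail to the forwarding address yields an invitation.
        log.append((day, "report", program))
        log.append((day, "invite", program))
        invites += 1
        # Step 5: accept the invitation; step 6: leave and fill the survey.
        log.append((day, "join", program))
        log.append((day, "leave", program))
        if not fixed:
            # Step 7, pre-fix: the survey fast-tracks one more invitation
            # within 24 hours, so the account gains an invite without reporting.
            day += 1
            log.append((day, "invite", "fast-track"))
            invites += 1
        day += 1
    return log, invites


def churn_alert(log, window_days=7, max_leaves=2):
    """Platform-side check (assumed thresholds): flag an account that leaves
    more than max_leaves programs inside any window of window_days days."""
    leave_days = sorted(day for day, event, _ in log if event == "leave")
    for i, start in enumerate(leave_days):
        in_window = [d for d in leave_days[i:] if d - start < window_days]
        if len(in_window) > max_leaves:
            return True
    return False


if __name__ == "__main__":
    for fixed in (False, True):
        log, invites = simulate(3, fixed)
        print(f"fixed={fixed}: {invites} invites, churn alert={churn_alert(log)}")
```

Under the pre-fix policy every round yields two invitations for one mail; after the fix a round yields only the forwarding-triggered one, and the churn check still surfaces the rapid join-and-leave pattern.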
That is how repeated vulnerability-testing invitations could be obtained from HackerOne.