My first ever paid bug report! | $50 for a critical?!

A Hacker's Blog | ~root@clover:

The Lowdown [TL;DR]

So, here it is: my very first paid bug bounty! And yep, you read that right: $50 for a critical vulnerability. 😅 To boot, it was a Starbucks gift card, so I had “free” coffee for a little while, which was nice, but a few grand would’ve been great as well 😂. This bug wasn’t found on a HackerOne program, though; I found it with Google Dorking and reached out to the company’s head Information Security Officer to report it.

This company didn’t have an official Bug Bounty Program in place, let alone a Vulnerability Disclosure Program, so I had to reach out to them on Twitter to get an email address to contact. Auke was the person I was in contact with throughout this process. What a great guy.

After reading the report he simply asked what I wanted in return, but stated that he wouldn’t be able to reward me monetarily. Instead he offered some cool swag from the company, a Hall of Fame spot, and a letter of recommendation. Turns out he gifted me the $50 Starbucks gift card out of his own pocket; truly a nice person. I didn’t get a picture of the swag I received, but there were some awesome astronomy pictures along with a cool keychain, a hat, cards, and posters.

The Vulnerability

The bug I found is what’s known as an IDOR, or Insecure Direct Object Reference: the application takes an identifier straight from the request (a user ID, a post ID, a date) and uses it to fetch or modify an object without checking that the caller is allowed to touch that object. The impact of an IDOR depends on what can be done with it. For instance, an IDOR might let an attacker enumerate user profiles by walking a parameter such as userid=1, userid=2, and so on, leaking sensitive information like the email address tied to each account. My IDOR, on the other hand, allowed me to edit any post I liked without being authenticated, by changing the parameter action=view to action=edit and adjusting another parameter (discussed below). Strictly speaking, the action swap is missing function-level access control (the edit function itself wasn’t gated by a login check), and the other parameter is the direct object reference that picks which post gets edited; the two together are what made this critical.

Both instances above would be considered High/Critical impact, versus an IDOR that only lets a bad actor enumerate usernames or profile pictures or something similarly non-impactful (you should be able to judge which bucket yours falls into).

How I found the Bug

My methodology a year ago was completely different from what it is today, simply because you learn and progress with time. I was less serious about hacking a year ago and more in it for the quick cash I thought I could grab. Turns out you actually need to have a clue about what you’re doing if you want to make a career out of hacking. Sure, there are strokes of luck every now and then (even a blind dog finds a bone every so often), but to be consistent and successful enough to build a career out of hacking you need to keep educating yourself!

Let me get back on track. How I found this bug was with luck! 🐶 No, seriously: I’d say any bug you find is 50% luck and 50% skill (others may disagree 🤷‍♂️). It takes the skill to know where to look and the luck of the application actually being vulnerable.

In all seriousness, I found this bug by Google Dorking for vulnerable PHP applications. Based on previous experience I crafted a dork around a particular parameter and browsed through the results until I found a vulnerable page. Google Dorking is still a pretty effective way to find publicly indexed endpoints on your targets; I still find bugs with it today!

Google Dork Used:

inurl:php?action=

With this Google Dork the below link was found by Google:

https://www.astron.nl/dailyimage/action.php?action=view&dir=pictures&submission=20230119

The vulnerable page in question:
https://www.astron.nl/dailyimage

The URL my Google Dork found seemed loaded with parameters, which to me is always a good sign of a potential bug. I broke the link down, messed with the parameters, and things got pretty wild. Read about it below 😎.

How I Broke It Down

Step 1: Flipping the Date

The submission parameter is just a date in YYYYMMDD form, which makes it trivial to manipulate. By swapping in any valid date from the archive you can pull up old posts with zero authentication. On its own that isn’t much, since viewing old posts is presumably a feature of a public archive. What it proves is that submission is an unchecked selector for which post you’re operating on, and that matters a lot once the action parameter turns out to be unchecked too.

For example:

  • Original:
    https://www.astron.nl/dailyimage/action.php?action=view&dir=pictures&submission=20230119

  • After my tweak:
    https://www.astron.nl/dailyimage/action.php?action=view&dir=pictures&submission=20230117

Now I’m looking at the January 17 post, no problem.

Step 2: Swapping "View" for "Edit"

This is where things get juicy. Changing action from view to edit dropped me into the editing mode of any post I wanted, without logging in. 😱 I could’ve turned the homepage into my personal message board. I tested it by appending a “HELLO WORLD” to one of the posts.

Screenshots: the edit landing page, the update success page, and HELLO WORLD appended to the post by my edit.

Escalating Impact

Since I could edit the post, my next thought was to test whether the application sanitized user input. Since this looked like an admin panel, I assumed they wouldn’t sanitize input, simply out of trust in whoever was using it. That’s a common pattern: an editor that only trusted staff are supposed to reach gets no output encoding, so once the login check is missing it turns into a stored XSS that fires for every visitor to the page. I appended the payload below to test, and sure enough it was vulnerable.

<script>alert('XSS');</script>

And just like that, it executed. An attacker could’ve done far more damage:

  • Phish users by redirecting the homepage to a look-alike site.

  • Steal credentials by injecting malicious scripts.

  • Deface the site or take it down completely.
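Here is the flaw from Step 2 and the stored XSS from the escalation, modelled side by side as an added example. This is my illustration, not ASTRON’s code (I never saw their source). A Python function stands in for action.php, taking the query parameters as a dict and returning a status code and body. The parameter names action, dir and submission are the ones from the dorked URL; the post store, the session dict, the editor role and the csrf field are assumptions for the example:

```python
import html
import re
from datetime import datetime

# Constructed sample archive (assumed shape): submission date -> post body.
POSTS = {
    "20230119": "Daily image for 19 January 2023",
    "20230117": "Daily image for 17 January 2023",
}
ALLOWED_DIRS = {"pictures"}           # assumed: the only archive dir the app serves
SUBMISSION_RE = re.compile(r"\d{8}")  # submission is a YYYYMMDD date in the dorked URL


def vulnerable_handler(params, session=None, method="GET", posts=None):
    """Models the behaviour seen in the post: the query string alone decides
    what happens. Nothing checks who the caller is, and stored text is rendered
    as raw HTML, so an unauthenticated edit becomes stored XSS."""
    posts = POSTS if posts is None else posts
    sub = params.get("submission", "")
    if sub not in posts:
        return 404, "not found"
    action = params.get("action", "view")
    if action == "view":
        return 200, f"<div class='post'>{posts[sub]}</div>"  # unescaped
    if action == "edit":
        # Step 2: action=edit is reachable with no session at all
        return 200, f"<form><textarea name='body'>{posts[sub]}</textarea></form>"
    if action == "update":
        # Escalation: whatever the caller sends is appended verbatim
        posts[sub] = posts[sub] + params.get("body", "")
        return 200, "update success"
    return 400, "bad action"


def hardened_handler(params, session=None, method="GET", posts=None):
    """Same routes, but the server decides who may do what, validates the
    selector parameters, and encodes output on render."""
    posts = POSTS if posts is None else posts
    action = params.get("action", "view")
    # 1. Authorize the function first. Editing is privileged regardless of
    #    which post is selected, so gate on the action, not on the object.
    if action in ("edit", "update"):
        if not session or session.get("role") != "editor":  # assumed session shape
            return 403, "forbidden"
    # 2. Validate the selectors: dir must be whitelisted, submission a real date.
    if params.get("dir", "pictures") not in ALLOWED_DIRS:
        return 400, "bad dir"
    sub = params.get("submission", "")
    if not SUBMISSION_RE.fullmatch(sub):
        return 400, "bad submission"
    try:
        datetime.strptime(sub, "%Y%m%d")
    except ValueError:
        return 400, "bad submission"
    if sub not in posts:
        return 404, "not found"
    if action == "view":
        # 3. Encode on output so stored text can never become markup
        return 200, f"<div class='post'>{html.escape(posts[sub])}</div>"
    if action == "edit":
        return 200, f"<form><textarea name='body'>{html.escape(posts[sub])}</textarea></form>"
    if action == "update":
        # 4. State changes only via POST with a CSRF token bound to the session
        if method != "POST" or params.get("csrf") != session.get("csrf"):
            return 403, "forbidden"
        posts[sub] = posts[sub] + params.get("body", "")
        return 200, "update success"
    return 400, "bad action"


if __name__ == "__main__":
    xss = "<script>alert('XSS');</script>"
    store = dict(POSTS)
    print(vulnerable_handler({"action": "edit", "dir": "pictures", "submission": "20230117"}, posts=store)[0])
    vulnerable_handler({"action": "update", "submission": "20230117", "body": xss}, posts=store)
    print(xss in vulnerable_handler({"action": "view", "submission": "20230117"}, posts=store)[1])
    store = dict(POSTS)
    print(hardened_handler({"action": "edit", "dir": "pictures", "submission": "20230117"}, posts=store)[0])
```

The point of the hardened version is the order of checks: who may call edit is decided on the action before any object is looked up, the dir and submission selectors are validated against what the application actually expects, and whatever is stored is HTML-encoded when rendered so an edit can never become a script. Moving the update to POST with a CSRF token closes the remaining route of tricking a logged-in editor into submitting the change.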

Below are proof-of-concept videos of me saving the edits and the code executing:

Final Thoughts

My initial feelings after submitting the report and hearing back from Auke that they didn’t have an official Responsible Disclosure Program (RDP) or Bug Bounty Program (BBP) in place weren’t those of sadness, as Auke said he was interested in the impact of the bug and wanted to work with me to fix it. Because of its impact, he also wanted to reward me. This is where I was given the swag and items mentioned above along with the $50 Starbucks gift card.

The impact of the bug adds up to a CVSS 3.1 score of 9.1 (Critical), because the vulnerability sat in the main application and could be used to take down the entire website. Once the vulnerability was patched last year I was added to ASTRON’s Hall of Fame (the first hacker ever added), and I also helped kick-start their current Responsible Disclosure Program, in which they now offer rewards for vulnerability reports. I’d like to think my report is what Auke mentioned and leveraged when asking for a cyber security budget to invest in such a program, but who knows 😅.

My first paid bug bounty taught me that even “small” websites can have big vulnerabilities. And while $50 might seem like a low payout for a critical bug, it’s all part of the journey. Big thanks to ASTRON and their Information Security Officer, Auke Klazema, for letting me disclose this bug, and for the rewards.

Want to follow my bug bounty adventures? Catch me on Twitter @actuallyclover!
