I value transparency a lot, especially when it comes to the bug bounty space. Bug bounty hunters all around the world are submitting a range of reports where the issues found span across multiple domains, often leveraging numerous techniques and methodologies. However, if you’re not already an active bug bounty hunter who has a good understanding of what a bounty program expects, or will pay out for, you have a major disadvantage compared to someone who does have this knowledge. I hope through this blog post, I can demystify the sort of issues bug bounty programs pay for.
The last blog post I did in this series was around four years ago, 120 days, 120 bugs. In the last four years, a lot has happened. I moved to Europe for six months, I moved interstate in Australia twice, I won a live hacking event, I co-founded a company and helped build an attack surface management platform with a team of people I consider family.
Unlike my previous blog post, I did not set myself a goal to find a bug a day. Instead, I participated in bug bounties whenever time allowed. There were many months where I found nothing at all, which often terrified me when it came to evaluating my self worth as a hacker. I also admitted to myself, that I might be a good hacker, but there is always going to be a better hacker out there, and I’ve made my peace with that as a hyper-competitve person.
If you don’t have an excellent understanding of fundamental application security attacks and weaknesses before you approach bug bounties, in my opinion, you are wasting your time. Practice and learn more here.
If you’re looking for a paid, more extensive resource, check out and practice with PentesterLab.
Participating so heavily in bug bounties has given us the knowledge at Assetnote about what security teams actually care about. It’s the reason we can maintain high signal when we are continuously finding exposures.
My primary motivation for this blog post is to educate the masses on what bug bounty programs are paying out for.
For example, would you know that you could submit a dangling EC2 IP (subdomain pointing to an EC2 IP that is no longer owned by the company) as a bug report without reading the proof in the pudding below? I’ve been paid for this by programs, so clearly they value this sort of information.
Below are all of my findings for the last four years. I’ve redacted information where necessary, but by reading the titles, it should give you a good understanding of what I was reporting to programs.
| Date | Bug | Payout |
|---|---|---|
| 2020-09-02 14:04:11 UTC | [redacted] Hosted Zone Takeover | $1,000.00 |
| 2020-07-16 18:39:22 UTC | Spring debugging endpoints exposed leading to disclosure of all secrets via heapdump on [redacted] & Account takeover by Trace | $2,500.00 |
| 2020-06-30 22:54:07 UTC | Blind SSRF on [redacted] through invoicing API – access to internal hosts | $60.00 |
| 2020-06-10 13:53:43 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-10 13:24:10 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-10 13:21:57 UTC | Full Account takeover through subdomain takeover via [redacted] | $300.00 |
| 2020-06-08 14:28:05 UTC | Amazon S3 Subdomain Hijack – [redacted] | $256.00 |
| 2020-06-08 05:29:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $500.00 |
| 2020-06-05 16:27:42 UTC | Admin panel for Cisco IP Conference Station CP-7937G exposed on the internet on [redacted] IP ranges | $400.00 |
| 2020-06-03 21:07:51 UTC | Pre-auth Blind MSSQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-03 14:18:24 UTC | Pre-auth MSSQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-02 15:28:50 UTC | Pre-auth SQL Injection affecting [redacted] | $1,024.00 |
| 2020-06-02 15:26:58 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00 |
| 2020-06-02 15:25:08 UTC | RCE via arbitrary file write and path traversal [redacted] | $1,024.00 |
| 2020-05-18 10:12:38 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:11:58 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:06:22 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-18 10:05:20 UTC | Route53 Hosted Zone Takeover of [redacted] | $1,000.00 |
| 2020-05-11 18:47:54 UTC | Route53 Hosted Zone Takeover of [redacted] | $100.00 |
| 2020-05-11 14:59:23 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00 |
| 2020-05-11 14:31:18 UTC | Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) | $2,500.00 |
| 2020-05-07 01:47:49 UTC | View all metadata for any [redacted] IDOR [redacted] | $1,000.00 |
| 2020-04-29 22:58:57 UTC | IDOR view all [redacted] | $4,000.00 |
| 2020-04-29 22:57:55 UTC | IDOR view the [redacted] | $2,500.00 |
| 2020-04-24 18:19:23 UTC | Subdomain takeover of [redacted] through Heroku | $300.00 |
| 2020-04-24 18:18:45 UTC | Subdomain takeover of [redacted] through Heroku | $300.00 |
| 2020-04-23 19:45:04 UTC | Ability to horizontal bruteforce [redacted] accounts by abusing [redacted] sign up flow | $500.00 |
| 2020-04-22 17:44:29 UTC | View all metadata for any [redacted] IDOR [redacted] | $500.00 |
| 2020-04-22 17:42:51 UTC | IDOR view the [redacted] for any [redacted] for today [redacted] | $500.00 |
| 2020-04-22 17:42:06 UTC | IDOR view all [redacted] for a [redacted] [redacted] | $500.00 |
| 2020-04-06 19:13:19 UTC | Facebook – Payout For [redacted] | $5,000.00 |
| 2020-03-07 15:12:24 UTC | Accessing Querybuilder on [redacted] to gain access to secrets | $3,000.00 |
| 2020-02-25 15:02:20 UTC | Subdomain takeover of [redacted] via Amazon S3 | $750.00 |
| 2020-02-20 23:01:58 UTC | HTML injection, DOS of email receipts and potentially template injection within [redacted] via “Expense Info” section | $500.00 |
| 2020-02-18 14:45:40 UTC | Admin account bruteforce via [redacted]/libs/granite/core/content/login.html | $500.00 |
| 2020-02-15 12:24:57 UTC | Blind XSS via registering on [redacted] | $500.00 |
| 2020-02-04 03:45:38 UTC | HTML Injection in email when contributing to a [redacted] | $700.00 |
| 2020-01-21 17:13:58 UTC | Ability to attach malicious attachments (of any name and of any content type) to [redacted] support staff via [redacted] | $2,000.00 |
| 2020-01-15 11:41:59 UTC | No authentication required to view and delete Terraform locks at [redacted] | $250.00 |
| 2019-12-12 16:25:11 UTC | [redacted] Webhook URL + object leaked in JavaScript on [redacted] | $3,000.00 |
| 2019-11-21 22:15:20 UTC | AWS & Screenhero JWT Credentials from [redacted] not rotated, still working | $1,000.00 |
| 2019-10-17 13:44:23 UTC | RCE on [redacted] via IBM Aspera exploit leading to compromise of secure file storage | $1,000.00 |
| 2019-10-15 14:29:25 UTC | SSO bypass on [redacted] leading to access of internal documents and portals | $250.00 |
| 2019-10-11 18:07:51 UTC | Admin access to [redacted] via guessing credentials | $1,500.00 |
| 2019-10-11 18:06:15 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $250.00 |
| 2019-09-30 16:56:50 UTC | Multiple server-side issues affecting [redacted] (SSRF, admin panels) | $2,660.00 |
| 2019-09-25 22:10:00 UTC | Read any [redacted] details using UUID – IDOR in [redacted] | $1,000.00 |
| 2019-09-10 16:17:59 UTC | SSRF in [redacted] | $2,000.00 |
| 2019-09-03 15:28:36 UTC | SSRF in [redacted] | $17,900.00 |
| 2019-08-29 00:43:00 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $250.00 |
| 2019-08-09 05:15:44 UTC | [Pre-Submission] SSRF in [redacted] (Iframely) | $2,970.30 |
| 2019-07-29 16:32:59 UTC | [Bypass] SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00 |
| 2019-07-24 02:52:42 UTC | PHPInfo exposed at [redacted] | $100.00 |
| 2019-07-24 02:46:02 UTC | SSRF on [redacted] leading to AWS breach via security credentials | $5,000.00 |
| 2019-07-08 14:44:23 UTC | Remote command execution on production [redacted] (via tsi parameter) – CVE-2017-12611 | $2,000.00 |
| 2019-06-12 17:42:53 UTC | Username/Password for Aspera and other secrets leaked in [redacted] | $1,500.00 |
| 2019-06-12 17:42:08 UTC | SSO/Authorization bypass for APIs hosted on [redacted] | $1,500.00 |
| 2019-06-12 14:45:09 UTC | Remote Code Execution (many endpoints) – [redacted] | $4,500.00 |
| 2019-06-10 17:29:35 UTC | Extract email, dob, full address, federal tax ID and other PII for all leads in [redacted] | $1,800.00 |
| 2019-06-10 16:53:22 UTC | Obtain email, mobile of customers of [redacted] by iterating through Lead IDs via the API | $12,600.00 |
| 2019-06-10 16:52:40 UTC | Ability to pull out all opportunities (IDOR) extract PII for customers of [redacted] | $12,600.00 |
| 2019-06-07 18:51:24 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $2,500.00 |
| 2019-06-07 18:17:31 UTC | Blind SSRF on [redacted] through RPC call to checkAvailableLivechatAgents | $62.50 |
| 2019-06-07 18:07:22 UTC | HTML injection in emails when adding a reviewer to [redacted] | $125.00 |
| 2019-06-07 17:42:09 UTC | [IDOR] Impersonating an [redacted] employee via /api/readHandler on [redacted] | $1,500.00 |
| 2019-06-07 15:33:31 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] | $750.00 |
| 2019-06-07 14:36:01 UTC | Zendesk Ticket IDOR / Ability to enumerate IDs via [redacted] | $125.00 |
| 2019-06-07 14:24:15 UTC | Extract mobile number and [redacted] using only an email address, for any [redacted] user | $750.00 |
| 2019-06-07 14:11:20 UTC | HTML Injection in [redacted] receipts if printed from [redacted] | $100.00 |
| 2019-06-07 13:56:46 UTC | Ability to access the airwatch admin panels and APIs in [redacted] | $1,000.00 |
| 2019-06-07 13:21:31 UTC | IDOR on [redacted] allows you to access [redacted] information for any [redacted] user | $250.00 |
| 2019-06-07 10:13:20 UTC | [redacted][IDOR] – Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) | $15,000.00 |
| 2019-05-22 19:33:27 UTC | SQLi and Authentication Bypass in [redacted] | $4,500.00 |
| 2019-04-29 14:14:42 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-04-29 14:14:29 UTC | SSRF in [redacted] | $1,500.00 |
| 2019-04-25 07:33:22 UTC | Local file disclosure through Rails CVE-2019-5418 in [redacted] | $100.00 |
| 2019-04-19 02:28:54 UTC | SSRF – [redacted] | $4,950.00 |
| 2019-04-19 02:28:35 UTC | SSRF at [redacted] via the ‘url’ parameter | $4,950.00 |
| 2019-03-29 11:23:14 UTC | AWS S3 secrets leaked in [redacted] meeting connector giving attackers write access to [redacted] | $364.50 |
| 2019-03-27 18:41:51 UTC | Subdomain takeover of [redacted] through Heroku | $750.00 |
| 2019-03-20 17:08:11 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:29:00 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:28:49 UTC | Reflected XSS in [redacted] | $500.00 |
| 2019-03-18 17:28:35 UTC | CVS Repos being leaked on [redacted], including username and password | $750.00 |
| 2019-03-18 15:35:10 UTC | Form on [redacted] leaks username and password for [redacted]/Wowza Steaming Server | $500.00 |
| 2019-03-15 15:08:35 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $5,000.00 |
| 2019-03-14 17:51:32 UTC | Multiple IDORs on [redacted] | $500.00 |
| 2019-03-14 17:51:18 UTC | Multiple persistent XSS vulnerabilities in [redacted] | $1,000.00 |
| 2019-03-14 17:51:02 UTC | Auth bypass on [redacted] & [redacted] allowing for full access to anonymous users (including private streams) | $1,000.00 |
| 2019-03-14 17:50:45 UTC | Slack Webhook Tokens leaked within JavaScript on [redacted] | $500.00 |
| 2019-03-11 23:06:12 UTC | Ability to send arbitrary Subject + HTML emails as verified [redacted] | $900.00 |
| 2019-03-04 21:58:43 UTC | WP-Engine Subdomain Takeover of [redacted] | $500.00 |
| 2019-03-04 19:04:59 UTC | Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] | $500.00 |
| 2019-02-22 18:41:36 UTC | [redacted] | $8,000.00 |
| 2019-02-13 17:59:01 UTC | Ability to close down any [redacted] using an IDOR in [redacted] | $8,000.00 |
| 2019-02-07 00:05:37 UTC | HTML injection in the [redacted] signup flow on [redacted] | $500.00 |
| 2019-01-30 16:59:57 UTC | VHost header hopping on [redacted] allowing us to access MSSQL DB explorer | $1,900.00 |
| 2019-01-30 16:14:57 UTC | RCE on [redacted] via ObjectStateFormatter deserialization | $4,000.00 |
| 2019-01-30 16:13:00 UTC | ZIP file in webroot containing all source code and database of [redacted] | $3,000.00 |
| 2019-01-29 21:52:20 UTC | Multiple reflected XSS on [redacted] | $500.00 |
| 2019-01-29 17:54:05 UTC | Sensitive data exposure in debug file via [redacted] | $100.00 |
| 2019-01-23 16:09:32 UTC | Git repo’s disclosed on multiple [redacted] and [redacted] subdomains | $600.00 |
| 2019-01-22 23:02:09 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $4,500.00 |
| 2019-01-07 21:02:45 UTC | SSRF via [redacted] leads to internal network access, ability to read internal JSON responses | $23,000.00 |
| 2018-12-06 15:58:56 UTC | Reflected XSS in [redacted]/pay/alipay/wap.php | $400.00 |
| 2018-12-06 15:37:27 UTC | Reflected XSS in the JavaScript context on [redacted] via `http_referer` parameter | $400.00 |
| 2018-11-30 15:35:15 UTC | Django debug mode being enabled leads to Postgres password leaked on [redacted] | $500.00 |
| 2018-11-30 15:20:07 UTC | Ability to upload SWF files on [redacted] via CKFinder | $400.00 |
| 2018-11-30 15:08:41 UTC | [redacted] discloses sensitive information leading to customer data access via APIs | $800.00 |
| 2018-11-30 13:46:33 UTC | [redacted] Newsroom CMS (China) source code leaked on GitHub, with a WeChat secret – Leads to RCE on contractors machine | $200.00 |
| 2018-11-29 17:41:02 UTC | Bypassing email whitelists for organisation signup flows on [redacted] | $500.00 |
| 2018-11-29 15:29:00 UTC | Blind MSSQL Injection in [redacted] | $2,000.00 |
| 2018-11-28 15:02:39 UTC | Alipay Merchant RSA Private Key disclosed on [redacted] | $200.00 |
| 2018-11-21 16:58:25 UTC | Recursively obtain [redacted] UUIDs by exploiting [redacted] | $1,000.00 |
| 2018-11-20 22:19:04 UTC | API under [redacted] allows unauthenticated users to send messages to [redacted] Slack | $100.00 |
| 2018-11-15 10:13:13 UTC | Externally available MSSQL server for [redacted] reveals a large amount of data + local file read | $400.00 |
| 2018-11-02 20:18:53 UTC | Ability to adjust your own [redacted] order price [redacted] | $1,500.00 |
| 2018-10-24 14:40:13 UTC | Arbitrary File Upload Leading to Persistent XSS on [redacted] | $400.00 |
| 2018-10-24 10:36:13 UTC | Extract the details of every [redacted] User (name, openid, unionid, mobile, nickname, province, city, gender, bday) via [redacted] | $400.00 |
| 2018-10-22 14:26:23 UTC | Critical: Prod access to all [redacted] Admins and Employees – obtain all emails uuids and access to administrative actions | $500.00 |
| 2018-10-12 18:56:47 UTC | Unauthenticated XXE on [redacted]/OA_HTML/lcmServiceController.jsp | $166.67 |
| 2018-10-06 18:26:10 UTC | PhantomJS SSRF with ability to read full response via [redacted] AWS | $500.00 |
| 2018-09-30 00:29:08 UTC | Multiple issues with [redacted] (SSO bypass, Git repo with employee credentials, and broken application logic) | $2,000.00 |
| 2018-09-03 09:55:32 UTC | Multiple instances of error based MSSQL injection on `[redacted]` with access to 30 databases | $5,000.00 |
| 2018-09-03 09:15:04 UTC | RCE through arbitrary file upload via [redacted]/cms/Handler/kvimgupload.ashx | $3,000.00 |
| 2018-09-03 09:13:37 UTC | RCE through arbitrary file upload via [redacted]/staff/cms/Handler/toolsupload.ashx | $3,000.00 |
| 2018-09-03 09:03:06 UTC | MSSQL injection via [redacted]/incentive/report.aspx | $2,000.00 |
| 2018-08-30 17:52:47 UTC | Directory listing on [redacted] leads to Russian [redacted] PII and internal documentation/slide deck disclosure | $1,000.00 |
| 2018-08-28 07:07:34 UTC | Highly sensitive repo’s containing internal [redacted] application source and databases with over ~700 emails leaked | $800.00 |
| 2018-08-20 13:01:40 UTC | Server variables leaked on [redacted]/servvar.asp, also allowing for the ability to steal HTTPOnly cookies | $400.00 |
| 2018-08-14 17:08:24 UTC | 3rd party subdomain hijack – EC2 IP of [redacted]is no longer controlled by Salesforce | $62.50 |
| 2018-08-13 18:25:52 UTC | DOM based XSS on [redacted] (works on all browsers) | $125.00 |
| 2018-08-12 07:04:32 UTC | [First 30] Blind SSRF at [redacted]/handle_pasted_images via fileURLs | $375.00 |
| 2018-08-10 06:36:30 UTC | [First 30] Accessible ca and secrets.enc file exposed on VPN – [redacted] | $1,250.00 |
| 2018-08-10 02:11:48 UTC | [first 30] Subdomain takeover [redacted] | $555.00 |
| 2018-08-09 08:08:16 UTC | Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID | $1,000.00 |
| 2018-08-09 07:39:29 UTC | Ability to bruteforce any [redacted] dashboard user without any rate limiting | $500.00 |
| 2018-08-09 05:56:38 UTC | Leaked promotion codes (including internal employee promotion codes) and employee UUID’s (containing payment profiles)on [redacted] | $1,000.00 |
| 2018-08-09 05:49:26 UTC | Ability to obtain payment profiles and sensitive information of any [redacted] user if you know their UUID | $1,000.00 |
| 2018-08-09 05:47:46 UTC | Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID | $2,000.00 |
| 2018-07-26 16:21:23 UTC | Reflected XSS on Jplayer.swf located on the [redacted] owned S3 bucket [redacted] | $250.00 |
| 2018-07-19 18:46:43 UTC | POST based XSS via [redacted]/api/utils/signup | $300.00 |
| 2018-07-11 22:48:23 UTC | (Potential) IDOR in `/api/[redacted]` via [redacted] | $500.00 |
| 2018-07-11 22:44:36 UTC | Ability to enumerate [redacted] via `/api/[redacted]` on [redacted] | $2,000.00 |
| 2018-07-06 06:53:19 UTC | Incentives administration panel is accessible without auth, revealing a large number of users registered on [redacted] | $800.00 |
| 2018-07-06 06:47:06 UTC | RCE on [redacted] through arbitrary file upload | $3,000.00 |
| 2018-07-06 06:40:07 UTC | Auth bypass leading to administrative access to [redacted]/locationcms/ (can modify/delete/add anything) | $800.00 |
| 2018-07-06 06:31:23 UTC | MSSQL injection via [redacted]/locationcms/Template/StoreList.aspx | $2,000.00 |
| 2018-07-02 12:08:16 UTC | Critical issues on [redacted] (database credentials, entire application source code leaked and SQLi) | $800.00 |
| 2018-06-28 20:17:38 UTC | Extract payment method used (email or last 4 card no) through [redacted] | $500.00 |
| 2018-06-22 15:48:11 UTC | Multiple full-response SSRFs on [redacted] API `/api/utils/download-file` leading to internal access to [redacted] assets | $3,250.00 |
| 2018-06-22 15:47:31 UTC | Multiple full-response SSRFs on [redacted] API `/api/partner/[redacted]` leading to internal access to [redacted] | $625.00 |
| 2018-06-16 19:14:30 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 17:56:17 UTC | Facebook Submission [redacted] | $4,000.00 |
| 2018-06-16 17:55:00 UTC | Facebook Submission [redacted] | $5,000.00 |
| 2018-06-16 15:54:20 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 15:10:50 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 14:56:58 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-16 14:38:05 UTC | Facebook Submission [redacted] | $3,000.00 |
| 2018-06-16 13:47:59 UTC | Facebook Submission [redacted] | $5,000.00 |
| 2018-06-16 13:27:27 UTC | Facebook Submission [redacted] | $500.00 |
| 2018-06-13 21:24:58 UTC | Stealing Zendesk admin credentials for [redacted].zendesk.com via [redacted] | $2,250.00 |
| 2018-06-13 21:21:41 UTC | Ability to receive a support call with the identity of another [redacted] store using an IDOR in [redacted] | $1,500.00 |
| 2018-05-31 13:02:19 UTC | Incorrect implementation of cloudflare on [redacted] | $500.00 |
| 2018-05-26 17:51:18 UTC | SSRF on [redacted] allows for access to internal hosts [redacted] | $1,000.00 |
| 2018-05-26 16:52:38 UTC | [first 30] – Stored XSS on [redacted] within the Roles dialog | $1,206.00 |
| 2018-05-26 13:59:34 UTC | SSRF on [redacted] allows for access to internal hosts [redacted] | $1,728.00 |
| 2018-05-26 12:40:45 UTC | [first 30] – EC2 IP of [redacted] is no longer controlled by [redacted] | $216.00 |
| 2018-05-26 11:45:03 UTC | [first 30] – Stored XSS on [redacted] within the Roles dialog | $125.00 |
| 2018-05-26 09:10:39 UTC | Ability to bruteforce the password of a current user without locking them out by using an active session | $125.00 |
| 2018-05-25 13:34:24 UTC | [redacted] owned Cisco 3750 on the external internet – bruteforcable via Telnet/SSH/HTTP [redacted] | $250.00 |
| 2018-05-25 13:33:35 UTC | Two wordpress administration panels for [redacted] on WPEngine [redacted] | $400.00 |
| 2018-05-23 21:59:17 UTC | AWS secret key and other secrets (sessions) leaked on [redacted] | $500.00 |
| 2018-05-02 12:35:46 UTC | Server-side source code disclosed on [redacted] | $250.00 |
| 2018-04-20 13:29:13 UTC | Exposed Rabbit-MQ administration panel located at [redacted] | $250.00 |
| 2018-04-11 22:41:51 UTC | Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed | $3,750.00 |
| 2018-04-05 21:07:29 UTC | Sensitive APIs discovered on [redacted] requiring no auth leading to AWS cloud data and user leakage (20k staff details leaked) | $15,000.00 |
| 2018-04-05 21:06:52 UTC | Postgres SQL Injection on [redacted] leading to potential AWS cloud account takeover | $15,000.00 |
| 2018-03-23 22:29:19 UTC | Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] | $9,500.00 |
| 2018-03-22 15:33:20 UTC | Django admin panel exposed at [redacted] | $250.00 |
| 2018-03-16 17:32:47 UTC | Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed | $500.00 |
| 2018-03-09 17:01:55 UTC | Arbitrary origins trusted when making authenticated API calls to [redacted] | $250.00 |
| 2018-03-09 16:58:16 UTC | Exposed Django Administration Panel @ [redacted] | $750.00 |
| 2018-03-02 12:53:11 UTC | Exposed Django Administration Panel @ [redacted] | $750.00 |
| 2018-03-02 12:48:41 UTC | Taking over [redacted] owned domain [redacted] due to unclaimed Amazon S3 bucket | $500.00 |
| 2018-02-28 22:48:14 UTC | Multiple SQL injection vulnerabilities on [redacted] | $2,500.00 |
| 2018-02-20 02:34:49 UTC | Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] | $500.00 |
| 2018-02-06 17:40:24 UTC | P2P Referral Program Django Admin Panel @ [redacted] | $250.00 |
| 2018-02-06 17:34:27 UTC | Subdomain takeover of [redacted] | $4,000.00 |
| 2018-01-31 23:17:37 UTC | Subdomain takeover of [redacted] and [redacted] via Azure VMs | $4,000.00 |
| 2018-01-31 14:59:44 UTC | AWS credentials disclosure via SSRF in Atlassian Confluence [redacted] | $2,500.00 |
| 2018-01-24 15:11:23 UTC | PHP testing scripts and PHPMyAdmin exposed on the external internet on [redacted]:81 | $200.00 |
| 2018-01-05 07:00:59 UTC | AWS key disclosure via SSRF on [redacted] leads to privileged AWS access | $10,000.00 |
| 2018-01-04 13:05:48 UTC | Domain/subdomain takeover of [redacted] via Azure | $400.00 |
| 2018-01-04 13:04:15 UTC | [redacted] pointing to an IP address no longer owned by [redacted] | $200.00 |
| 2017-12-27 16:15:40 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $20,000.00 |
| 2017-12-11 17:46:11 UTC | HTML Injection via Emails in company names on [redacted] | $500.00 |
| 2017-12-11 17:41:39 UTC | Persistent XSS on [redacted] via subdomain takeover | $500.00 |
| 2017-11-28 15:57:33 UTC | Ability to write to [redacted].s3.amazonaws.com due to misconfigured S3 ACLs | $400.00 |
| 2017-11-24 11:32:26 UTC | ELMAH exposed on [redacted] exposing usernames, session details, sensitive information | $800.00 |
| 2017-11-21 00:48:14 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $2,500.00 |
| 2017-11-14 18:30:11 UTC | Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries | $500.00 |
| 2017-11-13 23:43:58 UTC | Persistent XSS on [redacted] via subdomain takeover | $500.00 |
| 2017-10-23 11:10:21 UTC | OpenVPN administration panel exposed for [redacted] | $250.00 |
| 2017-10-02 23:33:44 UTC | No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes | $1,150.00 |
| 2017-08-29 16:33:52 UTC | ███████████ | $5,000.00 |
| 2017-08-29 16:33:19 UTC | ██████████████ | $5,000.00 |
| 2017-08-29 16:32:25 UTC | ████████ | $1,500.00 |
| 2017-08-29 16:32:04 UTC | ██████████ | $1,500.00 |
| 2017-08-29 16:31:24 UTC | ████████████ | $500.00 |
| 2017-08-29 16:31:04 UTC | ████████████ | $500.00 |
| 2017-08-29 16:30:45 UTC | █████████ | $500.00 |
| 2017-08-29 16:30:25 UTC | ████████████ | $500.00 |
| 2017-08-29 16:30:05 UTC | ██████████ | $500.00 |
| 2017-08-29 16:29:44 UTC | ████████████ | $500.00 |
| 2017-08-29 16:29:22 UTC | █████████████ | $500.00 |
| 2017-08-29 16:29:00 UTC | █████████████ | $500.00 |
| 2017-08-29 16:28:34 UTC | █████████████████ | $500.00 |
| 2017-08-29 16:28:04 UTC | ███████████ | $500.00 |
| 2017-08-29 16:27:16 UTC | ███████████ | $100.00 |
| 2017-08-29 16:26:58 UTC | ███████████ | $100.00 |
| 2017-08-02 22:55:34 UTC | Source code disclosure (including current MySQL DB creds) for https://[redacted] | $1,000.00 |
| 2017-08-02 22:55:18 UTC | Potential second order RCE on https://[redacted] | $9,000.00 |
| 2017-08-02 22:53:54 UTC | SQL Injection in https://[redacted]/job.php | $2,000.00 |
| 2017-08-02 22:53:40 UTC | SQL Injection in https://[redacted]/detail.php | $2,000.00 |
| 2017-08-02 22:53:16 UTC | SQL Injection in https://[redacted]/controls/PE/loaddata.php | $2,000.00 |
| 2017-07-28 12:58:25 UTC | Deep dive into [redacted] crash dump reporting tool – Persistent XSS + Downloading all crash dumps – [redacted] | $2,000.00 |
| 2017-07-20 01:19:28 UTC | Exposed [redacted] statistics/administration panel | $500.00 |
| 2017-07-20 01:18:15 UTC | Ability to enumerate and bruteforce user accounts on [redacted] | $400.00 |
| 2017-07-18 00:28:37 UTC | Git repository access on QA machines on [redacted] and [redacted] exposing source code and production secrets | $10,000.00 |
| 2017-07-14 23:00:16 UTC | Stored cross-site scripting on exposed development server @ [redacted] | $300.00 |
| 2017-06-09 10:13:30 UTC | Ability to submit bugs on behalf of other users on the [redacted] environments for [redacted] | $250.00 |
| 2017-06-05 09:42:55 UTC | Admin access to Grafana instance with Credential Disclosure | $500.00 |
| 2017-06-02 09:32:33 UTC | WordPress Database Credentials Leakage + Find and replace MySQL tool (searchreplacedb2.php) on [redacted] + MySQL root password | $1,000.00 |
| 2017-05-12 11:20:10 UTC | Prevent [redacted] users from using their own VK account on [redacted] | $1,000.00 |
| 2017-05-12 11:19:28 UTC | Open admin panel / Multiple WordPress related issues on [redacted] | $250.00 |
| 2017-05-12 11:18:36 UTC | URL Redirection flaw affecting [redacted] official login flow [redacted] | $600.00 |
| 2017-05-12 11:11:24 UTC | Tomcat Manager left enabled on [redacted] (authentication required – exposed admin interface) | $250.00 |
| 2017-05-12 11:09:23 UTC | Ability to upload arbitrary files to the [redacted] S3 bucket via signed Amazon requests [redacted] | $1,500.00 |
| 2017-05-12 11:07:07 UTC | Open administrative interface at [redacted] for [redacted] | $500.00 |
| 2017-05-04 00:25:09 UTC | Arbitrary file write and remote command exection on [redacted] | $9,500.00 |
| 2017-05-04 00:24:11 UTC | Local file disclosure on [redacted] | $2,000.00 |
| 2017-05-04 00:22:00 UTC | MySQL Injection on [redacted] Drupal endpoint [redacted], potentially able to escalate | $9,500.00 |
| 2017-04-21 04:00:55 UTC | Critical 2nd instance of SQL injection (no authentication required) on [redacted] | $1,000.00 |
| 2017-04-21 04:00:00 UTC | Persistent XSS + CSRF via [redacted] | $250.00 |
| 2017-04-21 03:59:44 UTC | Multiple reflected XSS on [redacted] | $200.00 |
| 2017-04-21 03:57:58 UTC | Reflected XSS via video-js.swf on [redacted] | $500.00 |
| 2017-04-21 03:57:44 UTC | Reflected XSS via copy_csv_xls_pdf.swf on [redacted] | $500.00 |
| 2017-04-21 03:57:26 UTC | Reflected XSS via flowplayer-3.2.16.swf on [redacted] | $500.00 |
| 2017-04-21 03:47:11 UTC | Source code disclosure through Git repo exposed on [redacted]/subs/.git/config | $1,000.00 |
| 2017-04-18 12:51:50 UTC | Django debugging mode enabled on [redacted] | $250.00 |
| 2017-04-18 12:47:29 UTC | Fully controllable SSRF on [redacted] allowing for GET/POST to internal resources | $17,500.00 |
| 2017-04-17 23:09:26 UTC | Building control system (Niagara) and 4g CradlePoint router externally exposed for [redacted] Pittsburgh office | $500.00 |
| 2017-04-14 15:07:24 UTC | No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes | $500.00 |
| 2017-04-14 03:13:46 UTC | RCE on [redacted] after bruteforcing valid credentials | $9,600.00 |
| 2017-04-14 03:11:38 UTC | Local file disclosure and SSRF in [redacted] | $3,100.00 |
| 2017-04-14 03:08:36 UTC | SQL injection on [redacted] | $1,100.00 |
| 2017-04-11 17:36:38 UTC | updateUserInfo RPC endpoint IDOR on [redacted] (view/update any users details via UUID) | $3,000.00 |
| 2017-03-30 00:53:31 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $150.00 |
| 2017-03-21 19:31:45 UTC | PHPInfo debug scripts exposed on [redacted] and [redacted] | $150.00 |
| 2017-03-03 11:03:03 UTC | XSS on [redacted] through uploading SWFs as JPG | $1,800.00 |
| 2017-03-03 11:01:13 UTC | XSS on [redacted] due to WordPress vulnerability | $2,000.00 |
| 2017-03-01 20:58:14 UTC | Ability to bruteforce users on [redacted] confluence via bypassing route redirections | $3,000.00 |
| 2017-02-24 10:43:41 UTC | Account bruteforce bug for [redacted] users | $500.00 |
| 2017-02-24 10:43:09 UTC | [redacted] vulnerable to IIS short name disclosure | $250.00 |
| 2017-02-17 11:48:41 UTC | [redacted] vulnerable to IIS short name disclosure | $250.00 |
| 2017-02-17 11:46:10 UTC | WordPress admin bruteforce and interface through XMLRPC.php on [redacted] | $1,000.00 |
| 2017-01-24 00:05:33 UTC | Subdomain takeover of [redacted] through StatusPage.io | $110.00 |
| 2017-01-20 10:26:53 UTC | Reflected XSS via flashmediaelement.swf on [redacted] | $2,000.00 |
| 2017-01-19 23:07:35 UTC | Ability to bruteforce [redacted] accounts using associated mobile number via [redacted] | $3,300.00 |
| 2017-01-17 23:24:01 UTC | Ability to bruteforce [redacted] active directory through [redacted] | $300.00 |
| 2017-01-11 01:37:53 UTC | Ability to bruteforce [redacted] active directory through [redacted] | $3,000.00 |
| 2016-12-23 21:02:39 UTC | Exposed git repository on [redacted] reveals all application source code, including 1k user plain text passwords + db info | $4,000.00 |
| 2016-12-20 06:56:47 UTC | Publicly accessible sign up for Rocket Chat leading to potential breach of internal employees | $50.00 |
| 2016-12-16 10:46:58 UTC | Expired domain referenced in iframe elements on [redacted] | $1,000.00 |
| 2016-12-09 11:22:13 UTC | Information disclosure – subdomain leaks internal host via DNS | $250.00 |
| 2016-12-09 11:21:36 UTC | Account bruteforce bug on [redacted] | $750.00 |
| 2016-12-09 11:20:18 UTC | Critical – Perform administrative actions via an IDOR on [redacted] – Manipulation of the leaderboard and more | $500.00 |
| 2016-12-09 11:16:50 UTC | [redacted] Administration Panel [redacted] | $750.00 |
| 2016-12-09 11:15:00 UTC | Subdomains [redacted] pointing to EC2 instance owned by LucidPress (*.lucidpress.com) | $750.00 |
| 2016-12-09 11:13:10 UTC | Page takeover of [redacted]/ru/page/cosplay_contest due to expired Wufoo form | $750.00 |
| 2016-12-09 10:57:37 UTC | Publicly accessible *admin* access to AWS auditing tool used by [redacted] | $15,000.00 |
| 2016-11-29 10:49:02 UTC | Ability to map arbitrary VK.com IDs with [redacted] players via [redacted] | $750.00 |
| 2016-11-29 10:48:37 UTC | Info Disc. of Internal Docker Instance | $250.00 |
| 2016-11-28 14:10:40 UTC | Information disclosure (internal IP addresses of all workers, memory usage, status) for [redacted] | $250.00 |
| 2016-11-18 11:52:25 UTC | SQL Injection on [redacted] leading to full administrative access | $5,000.00 |
| 2016-11-18 11:49:29 UTC | Persistent cross-site scripting/partial arbitrary file upload on [redacted] | $3,000.00 |
| 2016-11-18 11:47:47 UTC | Partial Git repo information found on [redacted] | $250.00 |
| 2016-11-07 18:18:41 UTC | Potential dangling subdomain record [redacted] for thismoment’s SaaS tool | $2,000.00 |
| 2016-11-04 17:04:57 UTC | Weird Reflected XSS on [redacted] | $750.00 |
| 2016-11-04 16:50:25 UTC | Reflected cross-site scripting on [redacted] | $1,200.00 |
| 2016-11-03 11:58:18 UTC | Subdomain takeover of [redacted] via dangling CloudFront CNAME | $250.00 |
| 2016-10-31 15:46:05 UTC | Public read/write to Amazon S3 bucket [redacted] allowing for ability to replace Android [redacted] APKs and subdomain takeover | $200.00 |
| 2016-10-24 19:35:37 UTC | X-Forwarded-For bypasses to access debugging pages across multiple [redacted] hosts | $1,000.00 |
| 2016-10-13 17:25:36 UTC | Subdomain takeover of [redacted] leading to Starbucks account takeovers via cookie stealing | $1,000.00 |
| 2016-10-13 17:24:47 UTC | Subdomain takeover of [redacted] due to expired Auzre traffic manager endpoint | $1,000.00 |
| 2016-10-13 17:22:22 UTC | Dangling DNS CNAME record for the domain [redacted] pointing to [redacted] | $2,000.00 |
| 2016-10-13 17:03:25 UTC | Symfony app_dev.php found on [redacted] – Profiler is enabled and accessible by anyone | $1,000.00 |
| 2016-10-10 23:49:06 UTC | Exposed administration interfaces for [redacted] infrastructure/third party applications | $100.00 |
| 2016-09-19 19:35:18 UTC | Sensitive information leaked via X-Forwarded-For header spoofing on [redacted] | $500.00 |
| 2016-09-13 20:44:44 UTC | Subdomain takeover of [redacted] via Amazon S3 buckets | $100.00 |
| 2016-09-07 18:03:11 UTC | Subdomain takeover of [redacted] due to expired Auzre traffic manager endpoint | $1,000.00 |
| 2016-09-04 00:38:19 UTC | Insecure S3 bucket [redacted] leading to the takeover of critical assets [redacted] | $1,000.00 |
| 2016-09-01 21:21:44 UTC | Subdomain hijack of [redacted] through Unbounce Pages | $100.00 |
| 2016-08-31 20:32:42 UTC | Subdomain takeover of [redacted] leading to [redacted] account takeovers via cookie stealing | $1,000.00 |
| 2016-08-31 12:56:29 UTC | [Critical] Blind XSS in the [redacted] administration panel leading to full access of administration panel | $250.00 |
| 2016-08-31 01:33:12 UTC | Multiple critical risk vulnerabilities affecting Accellion Kiteworks on [redacted] | $3,000.00 |
| 2016-08-30 18:00:10 UTC | Reflected Cross-site Scripting on [redacted] due to unpatched Confluence | $50.00 |
| 2016-08-29 16:15:09 UTC | Subdomain takeover possible on [redacted] through Uservoice Feedback SaaS | $25.00 |
| 2016-08-23 17:06:26 UTC | Subdomain takeover of [redacted] through Heroku | $50.00 |
| 2016-08-23 15:43:27 UTC | Persistent cross-site scripting on event pages created on [redacted] | $75.00 |
| 2016-08-17 19:20:34 UTC | Subdomain takeover of [redacted] | $200.00 |
| 2016-07-30 13:56:21 UTC | Subdomain hijack of [redacted] due to expired S3 bucket [redacted] | $25.00 |
| 2016-07-26 20:35:16 UTC | Multiple source code repositories, private internal documents and config from [redacted] | $350.00 |
| 2016-07-25 21:01:07 UTC | Server-side request forgery allowing for the ability to contact internal [redacted] AWS hosts such as ElasticSearch and Staging instances | $3,000.00 |
| 2016-07-14 01:27:21 UTC | Subdomain Takeover [redacted] via Heroku | $100.00 |
| 2016-07-14 00:40:57 UTC | Subdomain no longer controlled by [redacted] | $100.00 |
| 2016-07-14 00:29:42 UTC | Subdomain no longer controlled by [redacted] | $100.00 |
| 2016-07-11 14:18:03 UTC | Subdomain hijack of [redacted] (WP-Engine) | $1,000.00 |
| 2016-07-04 02:15:08 UTC | Subdomain hijack of [redacted] via Vagrant Share | $100.00 |
| 2016-07-04 02:13:59 UTC | 3rd party subdomain hijack – EC2 IP of [redacted] is no longer controlled by [redacted] | $100.00 |
| 2016-07-01 09:29:53 UTC | Open administration panel with no authentication (full access) – [redacted] | $500.00 |
| 2016-06-24 19:06:43 UTC | Subdomain hijack of [redacted] (WPEngine #2) | $1,000.00 |
| 2016-06-17 10:15:30 UTC | Open Remote bruteforcable MySQL login on [redacted] | $750.00 |
| 2016-06-13 15:22:23 UTC | Password based bruteforcable SSH server on [redacted] | $250.00 |
| 2016-06-03 10:22:34 UTC | Administration Panel Access (no auth required) to the [redacted] | $3,000.00 |
| 2016-06-03 10:21:53 UTC | Multiple issues on [redacted] with the Django Rest API [Info disc, Priv Esc, IDOR] | $500.00 |
| 2016-05-20 12:43:21 UTC | Minor information disclosure on [redacted] (project details and gitignore) | $250.00 |
| 2016-05-20 12:41:34 UTC | Partial page takeover again on [redacted] | $1,000.00 |
| 2016-05-18 18:18:11 UTC | Leaked FTP credentials for [redacted] => persistent XSS, uploading of files, SOP bypass | $800.00 |
| 2016-05-13 10:10:21 UTC | Nine open administrator panels exposed on [redacted] | $1,500.00 |
| 2016-05-13 10:09:19 UTC | Subdomain takeover of [redacted] leading to the takeover of multiple pages on [redacted] | $2,500.00 |
| 2016-05-13 10:08:42 UTC | CSRF & Arbitrary file upload vulnerability to a [redacted] owned s3 bucket | $500.00 |
| 2016-05-06 10:00:26 UTC | Open Joomla administration panel for the [redacted] application on [redacted] | $500.00 |
| 2016-05-06 09:58:21 UTC | Three instances of reflected XSS on https://[redacted] | $2,000.00 |
| 2016-04-26 09:47:31 UTC | Reflected XSS on [redacted] via ZeroClipboard | $1,750.00 |
I can tell you that the exact amount made, after calculating all of the payouts in the table above, is $635,387.47 made in 1590 days (4 years, 4 months). This is not the total amount I have made all-time in bounties. This figure is only inclusive of the HackerOne platform, no other platforms that I have submitted bugs to have been counted in this blog post. I report the vast majority of my bugs to programs on HackerOne.
I know hackers in the bug bounty community that are capable of making hundreds of thousands within weeks or months. Sadly, that’s not me, but I do find them inspiring. As I said earlier in this blog post, I came to terms with the fact that there are better hackers out there, and these days, I am proud to sit at rank 43rd on HackerOne at the time of writing this.
If you divide the amount of money by the number of days, you will quickly work out that it averages out to roughly $400 USD a day. I could have been earning this amount or more by working as a consultant with a high day rate, but the difference is, I made all of the ~635k on my own terms.
I worked when and where I wanted to and didn’t touch a bounty program for weeks if I wasn’t feeling up to it.
There were at least 62 bugs in the table above that were the direct result of automation. This accounts for 18% of the total number of bugs I reported in the last 4 years. This is a pretty interesting takeaway, and proves to me that automation is one of the facets that leads to success in finding security issues.
These companies paid me quite a lot of money in order to lock down their attack surfaces. While earning this money and learning new techniques along the way, we built as much of the workflows, techniques, tooling and methodologies into Assetnote. We found that by translating bug bounty success, into a more digestible enterprise product, we were able to successfully establish ourselves as a key player in the attack surface management space.
Today, we have a strong customer base that uses our product to not only find exposures as they happen immediately, but also more creatively to reduce their bug bounty spend, not paying for issues that are found through automation. Assetnote’s platform has been thoroughly tested against attack surfaces in the last four years of my bug bounty hunting, and is capable of continuously finding security vulnerabilities.
A majority of the bugs were only possible due to automated asset discovery, but still required some manual inspection and exploitation. Large scale asset identification is still a key pillar of my success.
In terms of criticality, there were 24 SQLi’s, 22 SSRFs, 20 IDORs, and at least 11 RCEs.
I focused my time mainly on Uber as I simply enjoyed it more and valued the team working there – first with Matthew Bryant, Collin Greene and then with Joel Margolis after Matt and Collin had left.
For the four years of hacking on Uber, I was able to come up with a methodology when approaching their assets by having a deep understanding of their architecture, and development practices. This was absolutely key to my success, and I’m sure other successful bug bounty hunters have a specific way they approach a program. Every company is different when it comes to hacking them.
Throughout these four years, I collaborated with and learnt a lot from (in no particular order):
- Andre – we owned [redacted] together through ObjectStateFormatter deserialization
I came across a host and using all of my techniques when it comes to attacking .NET applications, I was able to find a few serious issues, but not command execution. At the time, research was released around how it is possible to achieve RCE through the VIEWSTATE parameter, via insecure deserialization, if you have the machineKey.
I enlisted Andre to help, and he was able to not only successfully leak the machineKey, but also was one of the first people to create a tool to exploit this vulnerability.
Andre’s heavy experience in CTFs were key to our success in this collaboration.
- Joel – we owned Facebook together through an XXE in a vendor product
I asked Joel for help when I was reversing a vendor product that Facebook had put up on their attack surface, under one of their corporate domains.
I was able to get the source code of this product by spinning up an AMI from Amazon’s Marketplace and then getting a shell on the deployed instance. However, when trying to debug a tricky potential XXE through XSD’s I wasn’t able to go further by just reading the source code.
I didn’t know why my exploits weren’t working.
Joel’s experience when it came to Java was key to our success here. He decompiled the jar files, he created an intelliJ project and fixed all of the errors. Then we started debugging it step by step.
It was an absolute pleasure watching Joel work this out and I look forward to collaborating with him in the future.
- Naffy – for helping me understand the best attack against Yahoo’s attack surface is persistence
I’ve known Naffy for almost a decade now, and the biggest thing I have taken away from him is that any attack surface can be broken into given enough time and effort. In the early days of bug bounties, Naffy was dominating the leaderboard for Yahoo’s bounty program – due to this he has a lot of experience with large attack surfaces.
Yahoo, now owned by Verizon, have an incredible amount of infrastructure and assets deployed on the internet. However, the noise on the attack surface is ridiculous to deal with.
What Naffy showed me was that with enough persistence and time, things break, and we have to be watching closely to capitalise on that.
- Sean – I’ve lost count of the number of things we have owned together
Every time I have been in a tricky situation where I struggle with exploiting an issue due to technical complexities or lack of knowledge, Sean has been the one to push through and help develop proof-of-concept exploits.
Sean has been able to translate high-risk security issues into automation very successfully and it has led to a lot of vulnerabilities that we have disclosed together.
- Oscar – I did a lot of collaboration on bounties with Oscar while I was at Bishop Fox
I used to talk with Oscar, daily, when I was at Bishop Fox. Oscar played a huge role when it came showing me how to hyper-optimise the speed at which DNS bruteforcing is possible.
While I worked with him, I found him to be incredibly switched on and most of all, a kind person. He has contributed to many bounty successes while I was working at Bishop Fox.
- Huey – we fine tuned my methodology on Uber together
JavaScript source maps are a brilliant way to better understand the internals of any client-side application. I look for source map files now every time I find JavaScript files, and that is thanks to Huey.
On Uber, we have used sourcemap files to better understand the GraphQL queries and API endpoints that are being used by Uber applications, to further exploit them. I have a better understanding of JavaScript thanks to Huey.
- Anshuman – we audited source code together for a PayPal live hacking event
For a recent live hacking event, we took apart the CMS called PencilBlue as it was being used by a particular target. Together, we had a blast auditing the source code, beating each other to different flows in the application source code and bonding over the speed at which we approach attack surfaces.
- Rhys – he helped me convert a stolen secret into an account takeover
At a live hacking event, I discovered credentials such as secret keys that were leaked through Google’s cached pages. A development asset which printed all of the environment variables and secrets in plain text was being proxied through ngrok, and Google had managed to not only index, but cache it, with all of the secrets in place.
After stealing these secrets from the cached copy, I asked Rhys to help me prove impact. He definitely delivered, by converting the tokens I stole, into an interactionless account takeover. Rhys is also very switched on. He won that live hacking event by miles.
- Mathias – read about our collaboration in a blog post from Assetnote.
We gained access to Mozilla’s internal AWS network by exploiting WebPageTest.
There are probably more people that I worked with over the years, but I cannot immediately recall. My point to you is that collaboration has been really important when it comes to growth and success in bug bounties.
Also please don’t just ask someone to hack something for you. In all of the cases above, the reason why collaboration was so successful was because the initial triage was done by either party. There was always the initial foothold or concept that was shared out of trust, which then led to actual collaboration on the issue. Don’t expect people are going to exploit things for you without presenting at least half the exploit chain or idea.
As I’ve talked about previously in this presentation, my methodology still revolves around the identification of assets belong to an organization on the internet.
The speed of asset identification and content discovery has increased tremendously. This is partially due to the fundamental shift in the security scene from writing tools in Python, to writing them in Golang or Rust, due to the speed benefits they entail.
We have also adopted this trend at Assetnote, and key components of our platform such as our in-house DNS resolver, has been re-written and optimized in Rust by Huey to take advantage of the speed it brings.
The one thing I have noticed when it comes to analysing an attack surface, is making sure that your tools output information in a way that highlight relationships. For example, the output of most fast DNS bruteforcing tools, simply sucks. Here’s how I prefer DNS data to be laid out – something that tracertea shared with me:
0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
When you are looking at thousands of assets at once, you have no idea how much of a difference this optimisation can make. I can immediately recognise the relationships between the source and destination when it comes to analysing this DNS data.
It’s surprising that something so simple has had such a profound affect on me, but the same goes for color coding when displaying content discovery results. Most tools still lack in this area, and anyone who has had to spend the time combing through thousands of content discovery results will tell you that the task gets tiring quickly. Ultimately, I spend my time finding needles in haystacks, and colors make it so much easier.
When it comes to methodology, the program that has had the most profound affect on me is Uber, due to the ever changing attack surface.
In the four years, Uber has changed how they develop their software and deploy it. It has been extremely important to keep up with this and constantly reflect on the methodology being used to pierce through an attack surface. The continuous assessment of assets on the internet has been very effective against large attack surfaces in particular.
Attack surfaces are alive, evolving and complex at times.
When I first started hacking on Uber, I would see services such as Redis and HAProxy (admin panel) being exposed directly to the internet. I considered this to be an immature attack surface at the time as it was trivial to discover these security misconfigurations. But over the years, wow have they evolved.
These days, you simply will not find exposed services like Redis on Uber’s core attack surface, and this is a direct reflection of their processes and practices maturing internally when it comes to application security, and in a wider picture, their entire attack surface.
Instead, all of Uber’s internal and sensitive assets are routed to OneLogin at the DNS level. There have been cases where sensitive assets have slipped through the cracks and did not have OneLogin protecting them, but again, this is why monitoring attack surfaces continuously is so important.
Who knows? Someone could accidentally disable OneLogin protecting their assets for a short period of time, or spin up a sensitive asset that does not enforce OneLogin. Maybe because they are trying to test some changes, maybe because they don’t realise what they are doing.
I can confirm that the continuous monitoring of assets for security exposures is a core part of my methodology, and it is also the reason for why we inherently baked it into Assetnote.
Not included in this blog post is all of the work I put into the United Airlines bug bounty, and due to the terms and conditions of their bounty program, I cannot go into much detail, but I can say that their attack surface has helped me hone my skills in .NET application security testing.
When I initially looked at an IIS server four years ago, I wouldn’t know where to start. These days, I have a methodology that has proven to be extremely successful when it comes to IIS servers in general.
Due to this and so much more that I do when I am approaching attack surfaces, I plan on releasing more videos on our YouTube channel over the next year. Please subscribe if you haven’t already 🙂
Assetnote’s Continuous Security Platform puts the power of automated reconnaissance and large scale asset identification in the hands of security teams around the world, so that they can replicate our methodologies and successes. Knowing what assets and exposures an attack surface has is key to locking it down, and we do our best to help security teams from all over the world with this.
If you work at a business that could use help with identifying and monitoring your assets, please reach out to us.
