DEV Community

Nathan

Bug Bounty: Not always an ideal

I want to share with you my bug bounty experience this week and the points to remember.
(Hahaha I know that ... my picture has nothing to do here 😂)
So what happened to me this week?
I joined a public bug bounty program on Intigriti, read the rules of engagement quickly, and started hacking.
I did the recon, then tried to find some interesting vulnerabilities.
On the target website I noticed a chat between the freelancers and the client.


I tried to submit some payloads, but the client side URL-encoded my payload, so I intercepted my request with Burp and inserted my payload.
Finally, on the first try, I triggered an XSS with this payload: <script>onerror=alert;throw 1</script>
(with no brackets).


The POC of XSS:

Before I submitted my XSS, I read the rules of engagement again and guess WHAT??


I could not imagine that XSS could be out of scope, even a stored XSS. So I texted the Intigriti team to discuss the stored XSS and told them to take into consideration that the severity of the XSS is HIGH. After a few days a member of the Intigriti team responded: "All forms of XSS are considered as OOS for this program".


In conclusion, a few things that I need to learn for next time:

  1. Take time and read carefully the program's rules.

  2. Choose a bug bounty adapted to my skills.

Hope you will not fall into this trap.
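
The post's observation that client-side URL encoding did not stop the payload, seen from the defending side. This is an added example, not code from the post or from the target site; the server is assumed to store the message body as received, and all function names are hypothetical.

```javascript
// Added example; every name below is hypothetical.

// What the chat page's own JavaScript does before sending (per the post).
function clientSideEncode(text) {
  return encodeURIComponent(text);
}

// Assumed server behaviour: store the body exactly as received.
// A request edited in an intercepting proxy never passes through
// clientSideEncode(), so the server cannot rely on it as a control.
const store = [];
function receiveMessage(body) {
  store.push(body);
  return store.length - 1;
}

// Vulnerable rendering: stored text is concatenated into markup.
function renderUnsafe(id) {
  return '<li class="msg">' + store[id] + '</li>';
}

// Hardened rendering: encode for the HTML text context at output time.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}
function renderSafe(id) {
  return '<li class="msg">' + escapeHtml(store[id]) + '</li>';
}

// True if the rendered fragment would contain a live script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the payload quoted in the post.
const PAYLOAD = '<script>onerror=alert;throw 1</script>';
const viaBrowser = receiveMessage(clientSideEncode(PAYLOAD)); // normal UI path
const viaProxy = receiveMessage(PAYLOAD);                     // client code skipped

console.log('unsafe render, UI path:   ', containsScriptTag(renderUnsafe(viaBrowser)));
console.log('unsafe render, proxy path:', containsScriptTag(renderUnsafe(viaProxy)));
console.log('safe render, proxy path:  ', containsScriptTag(renderSafe(viaProxy)));
```

Only the output-encoding renderer gives the same result on both paths, which is why the encoding has to happen on the server at render time rather than in the browser before sending.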

Top comments (4)

webbureaucrat

Honestly: I don't think it would be out of line to publish the name of the website. Part of the social contract of coordinated disclosure of vulnerabilities is an understanding that companies will take steps to fix--at least--very serious and immediately exploitable vulnerabilities. If they're refusing, I think ethical researchers have a responsibility to the users.

Granted, I have to imagine it would put you crossways with an NDA, but I hope you find a way to dump the information.

DerTee

I disagree: It's out of line to disclose the name of the site.
If there is a good reason to believe that a disclosure would help and not endanger users, then I'd agree with you.
But in reality the readers of the disclosure will be way more malicious hackers than end users. So you are, in the majority of cases, damaging users, not helping them, which is unethical.
Also in this case the website owners wrote that they are aware of XSS problems and implicitly they say that they are fixing them, because they plan to have them in scope at a later date. At least give them a chance to fix it.

webbureaucrat

I agree they should be given a chance to fix it for sure, but I disagree that a disclosure would do more to endanger users than help them. XSS is so easy to detect that I would honestly operate under the assumption that it's already being exploited.

DerTee

Yes, it's pretty standard that XSS exploits are excluded from bug bounties. I think it's because it's low-hanging fruit and a pain in the butt to fix if you never paid attention to it while building your website.
That doesn't mean XSS is not a problem, just that it's one that is ignored a lot :/