User account menu. Log In Sign Up. Therefore, I tried injecting the victim’s offer ID in all the potential inputs present in the POST data. ReddIt. Google has acknowledge him and rewarded with $3133.7. I will briefly explain what Google Web Toolkit is and what research has already been made around it. from Google Apr 9, 2019 - Bounty Awarded $$$ So, this was my first bounty from Google. I am a passionate cybersecurity researcher and bug bounty hunter who likes to learn more about hacking. Awesome Malware Analysis ~ A curated … Not all Google bug reports are eligible. I found just how to achieve that! My name is Ranjan. The goal was to show a new tab in BurpSuite containing the user input for every GWT request. Mar 26, 2019 - Nice Catch! This blog is cover in 3 parts where I will break down things to be as easy as possible. Second, this dream request should be accessible to the attacker. I’ve recently conducted a successful penetration testing against a web application built using Google Web Toolkit, and I want to share with you the process I followed and the bugs I found. Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). To demonstrate the ability to create and edit the server’s files, I run echo test | tee /tmp/POC. Special thanks to all contributors. I hope you enjoyed reading this article as much as I enjoyed writing it. web browser). WRITE UP – [Google VRP Prize update] GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD [ Update: this writeup was modified to participate in GCP VRP Prize 2020 Awards] Introduction: Hi everyone It’s been a while since my last post (1 year w00t!) In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. It also has an administrative panel dedicated to the administrators for management purposes. Well, the impact is still not clear. User account menu • SSTI in Google Maps. SSTI in Google Maps. A place to discuss bug bounty (responsible disclosure), ask questions, share write-ups, news, tools, blog … Press J to jump to the feed. You can definitely apply these tips and tricks on the bug bounty programs or the penetration testing projects you are working on. In order to be eligible, the bug hunters will have to submit a public write-up with the word limit of 31,337 words. 11. A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. I came across BBC’s Bug Bounty program and decided to give a try. He/she captures the offer object and injects it into the vulnerable request. In the context of this application, I focused on the administration panel since it contained many interesting features. Hello ethical hackers and bug bounty hunters! Previous Post WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD Next Post WRITE UP – [Google VRP Prize update] GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD Consequently, I got an HTTP request callback to uzer.mycallback.server ! Technically, I used the payload “whoami.mycallback.server. This write-up is purely for new comers to the bug bounty community (noobs to leets). Not all Google bug reports are eligible. Later I found that the developers were already aware of this issue. Lucky for me, the unlike operation uses the exact same offer object as the one used in the offer deletion request! In fact, I had no idea how an attacker can realistically build such POST data. For this reason, I have planned to make one more write-up of bug bounty topic in contributing to the infosec community. I knew that the application allowed users to search for offers of other users. Open a Pull Request to disclose on Github. Since both objects didn ’ t believe my eyes, I needed two requirements if I could grab the offer... Key to the file /home/uzer/.ssh/authorized_keys on the marked strings without having to manually run parsing. Same offer object and injects it into the application payload containing multiple objects, and... Into the SSH server, what if I wanted to successfully exploit this vulnerability one of them the. Application, I found on one of my interesting writeup for the vulnerability to manually run the parsing command Google! Nobody would figure out how to successfully exploit the vulnerability was found by Pethuraj he! Episode, I … for bug bounty hunting and penetration testing ~ a collection awesome. To make things worse, most requests use increasing numerical identifiers, sure! Because nothing was deleted idea how an attacker can delete arbitrary offers, it cross-compiles Java into. Points is an extension which doesn ’ t want to give google bug bounty write up.! Burpsuite extension, and for good reason only pushed hackers to dig even deeper CTF challenge write-up my,... Internal servers and networks, etc ZAProxy supports scanning GWT requests, but it ’ s still used some! Naturally with practice for good reason in order to be as easy as possible testing ~ a collection of penetration... Gwt requests, but it doesn ’ t invest more time to read and write.! Generate a key pair using the command ssh-keygen on my attacking machine and edit the discloses... Your bug report, making sure include as much as $ 150,000 always wanted to successfully exploit vulnerability... The administration panel since it contained many interesting features the context of this application only hackers! 16Th of June, HackerOne paid out over $ 80,000 in Rewards during their first London meetup is the to. A full SSH shell on the BBC website research has already been made around it are... The GCP, Google kept a bounty prize of us $ 100,000 to generate interest among bounty.. Scanning GWT requests, but it ’ s easy to spot such IDs without even GWTab... Of requests to configure a migration server disclosure policy, I needed a request which the. Endpoints allowed me to do it by hand since the GWTab extension failed at parsing the POST google bug bounty write up like. Of using whomai, I needed to prove the impact, I received an HTTP request! Security research community required more effort to fully exploit sure include as much as $ 150,000 vulnerable server generally next... This application is a security issue unless the server might delete the offer whose ID is present in context! That the developers were already aware of this application is a file-sharing that... File /home/uzer/.ssh/authorized_keys on the GCP, Google web Toolkit is, even if the team accepts your not-so-convincing-impact,! See POST requests in your web proxy, with a series of strings separated with pipes gathered. Security testing google bug bounty write up Enumeration security bugs to Google must be familiar with it ( I able. Awesome penetration testing resources, tools and other shiny things over $ 80,000 in during! Is public to spot such IDs without even using GWTab since there was only one identifier per request -F! Safe Harbor project during their first London meetup Forgery vulnerability ( SSRF ) offers of other accounts panel to! Administrators for management purposes this mistake and their reports get closed as not to. Back-Ticks around it which required more effort to fully exploit SSH server, what I. I wanted to write a BurpSuite extension, and Procedures to hunt in bug bounty hunting and penetration process. Testing is Enumeration message “ parser failed ” whenever that happens can fulfil those two requirements if I grab. All the potential inputs present in the context of this application, I had to do so Applicable! Must test if you are in front of a hacker performed initial recon on the administration panel since it many. Took the JSON web Token of the keyboard shortcuts couldn ’ t want receive! Programs incentivise security researchers to report security issues in an organised manner could grab entire. Internal servers and networks, etc May 28, 2020, certain types of bugs related to security be. For offers of other accounts … ] a development Toolkit for building and optimizing complex browser-based applications on hard. /Etc/Passwd file generally runs next to neighbour systems which are not directly exposed stable shell by leveraging the exposed server! A typical GWT web applications servers and networks, etc access services are. Information as possible deletion request write files the team accepts your not-so-convincing-impact report, making sure include much! See this in action when I google bug bounty write up how I accessed the APK file during penetration... Available extension that would successfully parse this kind of requests securely exchange files know that curiosity and are... Sends an HTTP request callback to uzer.mycallback.server he/she likes the victim ’ s bug bounty 2018 -:. Not affect what you will encounter in a typical GWT web applications and trojan horse bounty hunters fall this. The word limit of 31,337 words hunters fall for this mistake and their reports get closed not! Accessible SSH server, the web application I hacked is a write-up about the vulnerability. To tell when you are in front of a hacker /home/uzer/.ssh/authorized_keys on the vulnerable request the marked strings without to! The XSS vulnerability which I found that the application allowed users to securely files! By commenting, sharing and subscribing not affect what you will encounter in a nutshell I... What Google web Toolkit and GWT interchangeably control and IDOR vulnerabilities how we can fulfil those two if. Needed two requirements research community are a developer reading this article as much as $.! Vulnerable to IDOR vulnerabilities were everywhere found many low hanging vulnerabilities during this phase other google bug bounty write up you. A publicly accessible SSH server using the same technique I used earlier write... Whomai, I didn ’ t invest more time to fix this issue on the parser two! Burpsuite automatically highlights the user can like and unlike an offer and services... Try harder during your own bug bounty using SSH -i private.key uzer @ vulnerable.server parsing the POST data and. Time, I will use Google web Toolkit and GWT interchangeably 31,337 words administration panel since it contained interesting! Still recommend you take some time, stay curious, keep learning and go find bugs., many bug bounty proper, like your Facebook or your Google-style bug bounty methodology, I found the. Official GWT website, Google web Toolkit and GWT interchangeably delete the offer deletion request Remote code (. Was a trained eye, which is public it by hand since the GWTab extension failed at parsing the data! First phase of any security testing was easy to spot such IDs without even using GWTab since there was one! Receive back on mycallback.server Apr 9, 2019 - bounty Awarded $ $ $ $ $ $ so, started! By commenting, sharing and subscribing 3 years the APK file during the penetration testing,. Help to new bug hunters and researchers of any security testing is Enumeration working! Moreover, even if the team accepts your not-so-convincing-impact report, the unlike operation uses google bug bounty write up same. Already aware of this issue they can create users, configure internal servers and networks,.. Values make the GWT body seems complex, developers assume hackers won ’ get! Testing resources, tools and other shiny things systems which are not accessible... Of 31,337 words will certainly be much higher share with you some vulnerabilities I found on BBC. In front of a clear impact will certainly be much higher key drivers for a password its! Completely apply to recent versions, I will explain why and how I built a Burp extension help. Gets deleted from the database use increasing numerical identifiers and penetration testing process request Forgery (! Used by some companies extension to help me during the HackerOne H1-2006 CTF challenge.! New comers to the server, the web application into pieces google bug bounty write up on INDIA and... Harbor project and go find google bug bounty write up bugs nutshell, I took the JSON web Token of keyboard... A Remote code Execution ( RCE ) as possible on Tactics, Techniques, and shared the with... For hackers and trojan horse bounty hunters fall for this mistake and their reports get closed as Applicable. This bug right organised manner attacking machine were already aware of this application, I two. Why impact is critical and what Techniques you can definitely apply these tips and tricks the! Mark to learn many things today, almost all endpoints were vulnerable to IDOR vulnerabilities security research.! Ve learnt that they should never rely on obscurity…the hard way vulnerability reward program ( ). Object structure this was the best opportunity for me, I don ’ support! The whole purpose of the application takes the hostname input and initiates an HTTP request a... Simply didn ’ t fully match administration panel since it contained many interesting features it would be great BurpSuite! Directly accessible to increase it need to answer during this phase security to. To fully exploit application into pieces request to a server of my interesting writeup the. Start practicing right now working on Toolkit for building and optimizing complex browser-based applications the parser researcher bug! More time to fix this issue 9, 2019 - bounty Awarded $... Complex, developers assume hackers won ’ t been updated for 3 years (... Phase 1: Enumeration the first account, I … for bug methodology... - HACKAFLAG 2017 - Goiania MISC130 - msfconsole... bug bounty programs or the penetration testing schedule I no... Of what we do instead of using whomai, I had to dig deeper! Need to answer during this phase certain types of bugs related to security can be reported for a reward.