Hackerone got hacked! How can I steal your POC?

Story of my experience how to get critical bugs directly upstream (Hackerone) as a bug bounty platform.

“Alhamdulillahi rabbil alamin” is certainly the first thing I say here!

How do I find those critical vulnerabilities? Let’s talk about the basics first. Do you have prior experience in web/app programming? Of course you are familiar with CRUD! But if you’re new to it, CRUD is used to process data into a database [1]. CRUD stands for Create, Read, Update, and Delete which is essential for implementing robust applications with relational databases [2]. However, if the application is too complex, the system behind it is no longer CRUD.

What does CRUD have to do with me finding bugs? Take a look at how I mapped out one menu/feature by relying on CRUD basics. Here, I’m focusing on the “Reports” menu, take a look at what it includes:

Creating a reportEditing the reportClosing a reportCreating a commentEditing a commentCreating a summaryDelete summaryEditing summaryAnd there’s more, you can map it out yourself.

Am I being consistent? Should I test vulnerabilities in one menu on various actions? Yes, that’s what made me a few days ago often lurk HackerOne (Reconnaissance) day after day just to focus on one menu. I wanted to find IDOR! Here are my assumptions about possible IDORs that could occur (these are assumptions!):

IDOR edit victim reportIDOR close the victim’s reportIDO Create comment to victim reportIDOR delete commentand until IDOR Edit victim report summary.

Now you’ve just seen how the attack scenario I’ve created for the IDOR Attack looks like (key: perform the same action on the victim’s account without the victim knowing, right?). When referring to VAPT, this stage falls under “Information Analysis and Planning”. In the information analysis and planning phase, the tester analyzes the risks identified during the scan to determine the causes and consequences of the risks that will occur once the victim is exploited. The penetration (exploitation) phase focuses on external real risks [3]. However, in the context of bugfinding, I analyzed the features of the report and made a plan for a direct attack (sorry if the context is far away).

Attack and Penetration, at this stage I started testing directly on the target with pre-made scenarios, for example “IDOR editing a report” to “IDOR Editing a comment while including a file” with an attempt to bypass as well! However, it was not as expected (I thought it was safe enough!) as I always got the response “was_successful”: false.

It’s getting late, eyes are tired, tomorrow again, time to rest! 🛌🏻💤 The next day, weekend, spent a longer night to finish all the scenarios, yes, but I still haven’t found the vulnerability until finally in the last scenario “Edit summary”, I didn’t expect that I could use files from other accounts to attach to the attacker’s summary report, both on draft and submitted reports.

right attacker 👨🏻‍💻 & left victim

I immediately wrote a full report and sent it to HackerOne — Bug Bounty Program!

What happens after that? Praying, while convincing myself “this is a valid report!”. But, what, I didn’t believe it considering the hacktivity there is very high, even accounts that are top thanks can report vulnerabilities multiple times per account, are you sure my findings have not been reported by them? Are you sure there are no duplicates? Yes, 3 days passed, I asked “Any update?” considering the promised time for Triaged was 3 days. The fourth day, my report got a comment from the staff, I’m still not sure! Usually if it’s a duplicate, it’s closed immediately, lucky my report was valid!

The next day they dropped an amazing bounty!

Since when does the Summary feature exist? I feel very lucky to be able to find it there. Sorry for rambling this is just a story, the technical remains in the hackerone report. see you again in the next findings!

Reference:

[1] Yayuk Ike Meilani and J. Purnama, “Object Oriented Programming of Application Admission of New High School Students”, SinkrOn, vol. 7, no. 1, pp. 461–469, Jan. 2023.
[2] M, Kanniga & K, Selvi & M, Rekha & R, Karthiga. (2024). CRUD Application Using ReactJS Hooks. EAI Endorsed Transactions on Internet of Things. 10. 10.4108/eetiot.5298.
[3] Alhamed, M.; Rahman, M.M.H. A Systematic Literature Review on Penetration Testing in Networks: Future Research Directions. Appl. Sci. 2023, 13, 6986.
[crud image] https://medium.com/geekculture/crud-operations-explained-2a44096e9c88
[vapt image] https://aristininja.com/vulnerability-assessment-penetration-testing-basics/