YesWeHack and OTTO stage Live Bug Bounty Hunting event

11 months ago

Andreas Wienes

OTTO Tech

At this year’s Nullcon Berlin, the international IT security conference that brings hundreds of top experts together, we staged a live Bug Bounty Hunt together with YesWeHack, a leading provider of bug bounty services. Around 40 crack security researchers pitched in to subject OTTO’s infrastructure security to a hardcore test. This was a welcome chance for us to check our Web applications for security loopholes and learn from a personal exchange with leading-edge researchers at the same time.

Bug Bounty Hunting lets IT security researchers pinpoint and report vulnerabilities in systems in a fully legal way. What’s more, the Bounty Hunters can look forward to a financial reward for their efforts. This concept is an officially sanctioned, industry-recognised approach to improving systems’ IT security.

Through our collaboration with YesWeHack and our direct interaction with top security researchers we were able to identify and eliminate potential vulnerabilities in real time. For instance, OTTO’s own systems were tested for the OWASP Top 10 using the latest tools and methodologies, but also for other vulnerabilities such as a subdomain takeover, in which an attacker gains control over an expired subdomain and misuses it for malicious purposes. Alongside www.otto.de, the security researchers tested numerous other web applications as well as the OTTO mobile app.
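The subdomain takeover mentioned above starts from a DNS record that still points at something nobody owns any more. The following added example (not code from OTTO, YesWeHack or the event) shows the defender-side check: parse a zone export, collect every CNAME, and flag the ones whose target no longer resolves. The zone file, the hostnames and the table of "live" targets are all constructed so the script runs offline; `live_lookup` is an optional real-resolver path and is an assumption about how you would wire it to production DNS.

```python
"""Offline check for dangling CNAME records, the precondition for a subdomain takeover.

Added example, not OTTO or YesWeHack code. All hostnames below are constructed.
"""
import socket
from typing import Callable, Dict, Optional

# Constructed BIND-style zone export (assumption: the defender can export their own zone).
SAMPLE_ZONE = """\
$ORIGIN example.com.
www            IN A     203.0.113.5
shop-preview   IN CNAME preview-app.example-paas.net.
static         IN CNAME cdn-edge.example-cdn.net.
old-campaign   IN CNAME campaign-2019.example-pages.net.   ; project decommissioned, record left behind
"""

# Constructed stand-in for live DNS: the targets that still resolve, with their addresses.
LIVE_TARGETS = {
    "preview-app.example-paas.net.": "203.0.113.10",
    "cdn-edge.example-cdn.net.": "198.51.100.7",
}


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return owner -> target for every CNAME record, qualifying relative owners with $ORIGIN."""
    origin = ""
    cnames: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == "CNAME":
            owner = fields[0] if fields[0].endswith(".") else f"{fields[0]}.{origin}"
            cnames[owner] = fields[3]
    return cnames


def offline_lookup(name: str) -> Optional[str]:
    """Resolver stand-in for the constructed data: None means NXDOMAIN."""
    return LIVE_TARGETS.get(name)


def live_lookup(name: str) -> Optional[str]:
    """Real resolver path (assumption, not used by default): None when the name does not resolve."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def find_dangling_cnames(
    cnames: Dict[str, str], resolve: Callable[[str], Optional[str]] = offline_lookup
) -> Dict[str, str]:
    """Return the CNAMEs whose target no longer resolves: remove or re-point these records."""
    return {owner: target for owner, target in cnames.items() if resolve(target) is None}


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(parse_cnames(SAMPLE_ZONE)).items():
        print(f"DANGLING {owner} -> {target}")
```

Run this against a real zone by passing `resolve=live_lookup`. The NXDOMAIN check catches the clearest case only: a target that still resolves can also be abandoned when the hosting provider has released the resource behind it, so the records this script flags are the minimum to clean up, not the full list, and a decommissioning process that deletes the DNS record together with the resource is the control that prevents the class entirely.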

At Nullcon the researchers praised the high security level of the OTTO systems, as it turned out to be tough for them to find chinks in our armour. Nevertheless, they did highlight some interesting vulnerabilities, enabling us to act quickly to maximise our infrastructure security. Some of the attack vectors were extremely specialised, requiring the full creativity and depth of experience of the Bug Bounty Hunters to produce validated findings. Our own OTTO security analysts reviewed and evaluated all vulnerability reports.

The security researchers each assembled their own toolsets, ranging from ‘standards’ such as curl and dig (already installed in current operating systems) to fully automated, cloud-based tools that can be scaled as necessary. All participants opted to include the PortSwigger Burp Suite. However, it was also evident that many of them were applying self-developed tools scripted in Python or Bash, for example, to validate potential attack vectors rapidly. Expertise in prototyping was a clear advantage, because speed played a decisive role if you wanted to be first to report a vulnerability in order to cash in for it!

This short YouTube clip summarises the highlights of the event and communicates the lively atmosphere at Nullcon.

The two days came to a close with the selection of the Most Valuable Hacker — and confirmation of the thesis that security is not an achievable ‘fixed state’ but rather an ongoing objective that requires continuous work. As a company, we used this year’s Nullcon to further improve our internal processes and tools to enable us to respond quickly to potential threats. In parallel we will use the findings from the event to support our own Developers in continuing to build secure applications and the resilient IT infrastructure these require.

If you have a question for the team, feel free to comment below this article; Andreas will get back in touch as soon as possible.

Find this and lots more interesting articles on our Techblog!
