GitLab - GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery

HackerOne bug report to GitLab: The GitLab::UrlBlocker IP address validation methods suffer from a Time of Check to Time of Use (ToCToU) vulnerability. The vulnerability arises because multiple DNS resolution requests are performed before and after the checks, so the address that is validated need not be the address that is ultimately connected to. This issue allows a malicious authenticated user to send GET and POST HTTP requests to arbitrary hosts, including localhost, cloud metadata services and the local network, and read the HTTP response.


GitLab - Importing GitLab project archives can replace uploads of other users

HackerOne bug report to GitLab: Importing a modified exported GitLab project archive can overwrite uploads for other users. If the secret and file name of an upload are known (these can be easily identified for any uploads to public repositories), any user can import a new project which overwrites the served content of the upload with arbitrary content.


44Con 2019 - Continuous Integration Continuous Bounties

CI/CD pipelines are the perfect, bug-rich target for new and experienced bug hunters. As complex, user-controlled automated processes with access to authentication secrets, source code, and application servers in multi-system, multi-user environments, they combine all the things that make bugs likely. In the presentation, I will outline a methodology for hunting for bugs in CI/CD pipelines and walk through actual bugs which have resulted in tens of thousands of dollars in bounty payments.


Lob - Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE

HackerOne bug report to Lob: The Template Preview function allows users to render arbitrary HTML to a PDF document, which includes the ability to execute arbitrary JavaScript. The HTML agent used to render the HTML is based on an old version of WebKit with known security issues, for which public exploits and Proof of Concepts (PoCs) are available.


Perforce - Helix Command-Line Client Arbitrary File Read / Write

The p4 Helix Command-Line Client accepts and acts on Perforce protocol commands supplied by a connected server without any validation. A malicious Perforce server can therefore send arbitrary Perforce protocol commands to connecting clients in order to expose the contents of files on the client system or to write arbitrary files to it.
