How Bug Bounty Uncovered a 5-Year-Old Vulnerability in Hours

When PullRequest was acquired, these issues became HackerOne's challenges. After we finalized the acquisition, we immediately added PullRequest's assets to the scope of HackerOne's own bug bounty program to allow ethical hackers to test these new attack surfaces.

The results exceeded our expectations. Within 48 hours, we received nearly two dozen submissions.

In this post, we'll focus on a report Chris mentioned in his post: a high severity, blind Cross-Site Scripting (XSS) vulnerability that existed in the PullRequest codebase for five years.

An XSS Bug Hiding for 5 Years

The vulnerability was present in a rating feature where customers provided feedback on their experience with PullRequest. After a code review is completed, a unique rating link is created and sent to the customer.

The hacker found an old rating link archived by the Internet Archive's Wayback Machine and submitted a JavaScript payload through the rating form. This allowed a blind XSS attack to be executed if a PullRequest employee viewed the rating through our backend admin console.

A blind XSS vulnerability occurs when a malicious actor can submit a payload through a form or other field that is then triggered by another user viewing the submitted data. These are called 'blind' vulnerabilities because the attacker typically has little or no visibility into what happens after the payload is submitted, making it difficult to determine whether the attack will be successful. When testing for blind XSS, it is common to use a payload that pings back to a server controlled by the hacker to confirm the injection worked and to determine how it is stored.

It can be hard to estimate the exact harm a blind XSS vulnerability can cause. If exploited, this vulnerability could have exposed data or admin functionality reserved for employees. Payloads can make additional injections or calls to other web pages to chain with other known vulnerabilities. Because of these risks, this report scored an 8.8 out of 10, a high severity.

Remediating and Retesting

To resolve this vulnerability, we made four changes:

  1. Remove the affected code. After investigation, we found that the vulnerable code in the rating submission form belonged to functionality on the page that was not in use. Our primary mitigation was to remove this unneeded code altogether.
  2. Improve our overall Content Security Policy (CSP) to reduce XSS risk. A restrictive CSP protects against unsafe-inline scripts like the one used in this vulnerability. This adds another layer of defense against many XSS vulnerabilities.
  3. Migrate legacy code to newer frameworks. The remaining legacy parts of the PullRequest application are being migrated from jQuery to React. Many newer frameworks, including React, protect better against XSS HTML injection issues by default.
  4. Expire rating links. Bad actors could have exploited the vulnerability with any rating link, but it was easier for the hacker to find because the unique links we generated were valid indefinitely. Expiring unique links like these is generally considered a best practice, so we added an expiration after 30 days.

The PullRequest team implemented our fixes and then requested a retest, a feature of the HackerOne platform that allows the original hacker to confirm correct vulnerability remediation. We received a response from the hacker within a few hours that our fix worked and that they were no longer receiving a pingback to their server. While our team had performed its own testing, receiving confirmation from the reporter provided additional reassurance.

We also looked for evidence of past exploitation to confirm that our systems and customer data had never been affected, which was especially important given how long this vulnerability existed. PullRequest maintains logs of all previous ratings. We reviewed the logs for code injection attempts and confirmed no prior exploitation of this vulnerability.

The Value of Hackers

This high severity XSS vulnerability was part of our application written in legacy code using an older framework from which we were migrating away. It was introduced five years earlier and never discovered by anyone, including in a peer review when it was initially committed or in a commercial pentest performed a few years later.

Yet, fewer than 48 hours after adding PullRequest's assets to HackerOne's bug bounty program, we received nearly two dozen submissions, including this blind XSS.

This experience was PullRequest's first with an incentivized bug bounty program. Before the acquisition, PullRequest had a security policy and contact email but had only received a handful of reports over a few years. As a startup, PullRequest was too small to attract significant attention without any incentives.

As HackerOne's experience with PullRequest shows, inviting the hacker community to test your organization's assets gives visibility into every part of your codebase. Hackers are not only looking at new functionality or the code you want them to see. They're improving coverage of all your code and assets, including what your organization may have forgotten about or doesn't know about.

HackerOne has always promoted the benefits of transparency. Transparency is the key to building trust in all our relationships: with customers, the hacker community, our employees, and partners.

Transparency is also critical in cybersecurity. Much of the industry was built on a model of security through obscurity, the idea that you could build secure software and systems by hiding how they work. This model doesn't work and, in its worst form, leads to cases where known weaknesses and breaches are hidden.

For transparency, we have always run a public program and highlighted the importance of public disclosure as a means of building trust with your customers by being open about your mistakes.

Public disclosure can also have a meaningful impact on the success of your bug bounty program. We publicly disclosed this report to the global Hacktivity page on May 25th. We immediately saw an influx of hacker participation. This increase continued for over a week after public disclosure and the release of the report. We hope to see similar results from this blog post.

HackerOne Response is one component of HackerOne's Attack Resistance Management Platform that helps your organization find and close gaps in its attack surface. For more information on improving your attack resistance, contact us.

Author: Tyler Mann
Date: 2022-06-16 07:00:00
