In February 2015, I found and reported the first severe XSS vulnerability in HackerOne itself. At the request of HackerOne, the report was publicly disclosed today.
Sure, it's right here.
In October 2014, Michael Pryor (the CEO of Trello Inc, where I work as a software developer) asked 'Can we/do we have a bug bounty page and can we add it to hackerone?'
We didn't have a bug bounty program at the time, and I hadn't heard of HackerOne… but we had received some security related inquiries, and I'd had a bit of a history finding and reporting security vulnerabilities in other services, so I was intrigued.
The concept was a simple one: researchers have to do real work to find and submit security issues, so why not motivate them to submit issues responsibly by rewarding them for their efforts?
Before signing Trello up, I wanted to get a sense for how HackerOne worked, so I found a service we used that was running a program on HackerOne (Slack, a chat application), and spent a month finding and submitting vulnerabilities. (I was briefly in the top 10 on Slack vulnerabilities alone!)
Satisfied that having a HackerOne program was a worthwhile thing, we launched a private program for Trello. A few days ago, as we were getting ready to make our program public, I thought it'd be interesting to see if HackerOne itself had any security vulnerabilities that I should be … concerned about.
Not surprisingly, HackerOne runs a bug bounty program for their own site and offers a minimum bounty of $5000 for 'any bug that might grant unauthorized access to confidential bug descriptions'. I figured I'd start by looking for something severe, and I guessed that if I could find a bug in the way HackerOne rendered markdown, that might lead to one of these 'severe' vulnerabilities.
I spent a couple hours trying some odd markdown inputs, and at one point found an actual bug … but I couldn't quite get it to do anything bad. However, while trying to build that bug into a vulnerability, I stumbled on the fact that
… was being rendered as
and quickly realized that I could use that bug to insert arbitrary HTML into a bug report (and also other places where markdown is rendered, e.g. a program description page).
While being able to insert persistent, arbitrary HTML is often game over, HackerOne uses Content Security Policy (CSP) headers that made a lot of the fun stuff ineffective; e.g. I could insert a <script> tag or an element with an event handler, but it wouldn't run because these unsafe inline scripts were blocked by their CSP.
Fortunately (for me) not all browsers have full support for CSP headers (e.g. Internet Explorer 11), so it wasn't hard to make a case that being able to run arbitrary script when someone attempted to view a bug that I'd submitted qualified as something that 'might grant unauthorized access to confidential bug descriptions'.
Even without the ability to run arbitrary script, I identified several bad things you could do:
- Their CSP did allow inline styles, so I could restyle aspects of the page (when you viewed the bug I submitted, all the links on the page turned red).
- I was able to insert other arbitrary elements (e.g. images, textarea, etc). (I put a red banner at the top of my submission that said 'Oh No!')
- Normally, when you click a link in a HackerOne bug report, you're first sent to a redirect page that warns you that you're leaving HackerOne and the place you're going might not be safe. I was able to bypass that redirect completely; I could for example send the victim to a dummy version of the redirect page, or a dummy HackerOne login page.
- Things like a <meta http-equiv='refresh'> aren't blocked, so I could have the page immediately redirect to a different page (again, potentially a fake page telling them that their session expired and that they needed to log in again).
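As an added illustration (my own code, not HackerOne's fix or anything from the original post), here is the defensive counterpart to the HTML injection and the list above: an allowlist sanitizer run over the markdown renderer's output that drops script, style, meta and textarea elements along with every `style=` or `on*=` attribute, and routes external links through an assumed `/redirect?url=` warning page so the redirect bypass is closed. The sample input is constructed, not the real report payload.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # never style= or on*= handlers
DROP_WITH_CONTENT = {"script", "style"}  # their text must not leak into the page either
REDIRECT_PAGE = "/redirect?url="         # assumed path of the "you are leaving" warning page

def safe_href(url):
    # Keep same-site paths, send http(s) links through the warning page, neuter the rest.
    cleaned = re.sub(r"[\x00-\x20]", "", url)  # browsers ignore these inside a scheme
    scheme = cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""
    if scheme in ("http", "https"):
        return REDIRECT_PAGE + quote(cleaned, safe="")
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return cleaned
    return "#"  # javascript:, data:, protocol-relative, ...

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = tag in DROP_WITH_CONTENT  # script/style bodies are swallowed
        if tag not in ALLOWED_TAGS:
            return  # meta, textarea, img, ... vanish; their text content stays as text
        kept = [(n, v) for n, v in attrs if n in ALLOWED_ATTRS.get(tag, set()) and v is not None]
        rendered = "".join(f' {n}="{escape(safe_href(v) if n == "href" else v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escaped, so no raw markup survives

def sanitize(rendered_html):
    p = Sanitizer()
    p.feed(rendered_html)
    p.close()
    return "".join(p.out)

# Constructed sample of what a broken renderer might emit (not the real report payload):
SAMPLE = ('<p>Repro: <a href="https://example.org/x" onclick="alert(1)" style="color:red">link</a></p>'
          '<script>alert(1)</script><style>a{color:red}</style>'
          '<meta http-equiv="refresh" content="0;url=https://phish.example/login">'
          '<textarea>Oh No!</textarea><a href="javascript:alert(1)">login</a>')
```

Pair this with a CSP that omits 'unsafe-inline' from style-src; the sanitizer is what protects browsers that ignore CSP altogether.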
This was a fun bug to submit, because the submission itself was the proof of concept; before the bug was fixed, my report looked very different than most. (Now that it's fixed, it's not as impressive looking, but they attached a screenshot of how things looked when they originally viewed the report.)
Not surprisingly, HackerOne fixed the issue very quickly. Once I'd verified their fix, they congratulated me and let me know that this was their first XSS and the first report they'd categorized as Severe. They also requested public disclosure, which is why you're reading about this now :)
About the author:
I'm Daniel LeCheminant, a developer at Trello Inc.
You can follow me on Twitter or e-mail me.