Trial or License – thoughts of the Bounty Hunter

2017.07.04

Hi Folks.
Today I want to share with you some thoughts that I figured out during my journey as a hobbyist Bug Bounty hunter.
This is not a tech blog, but it can be useful to those who look for new attack surface 🙂

If you have ever participated in a Bug Bounty program, you should be familiar with the concept of working with Trial\Dev\Sandbox\Test accounts. In a nutshell, the company that runs the Bug Bounty Program requires you to cause minimal to no impact on its production system and its customers. Some companies prefer to use separate servers for bug hunters, a specific time frame, or Trial\Dev accounts. More than that, you are obliged to use only accounts that belong to you. To comply with Bug Bounty rules, you have to stay within those terms [and it’s good].
But.

There is always “but” 🙂

Trial accounts are limited in many ways. For example, a Trial account has access to the initial payment form, where protections are pretty robust [because of the multiple standards and certifications applied to commercial organisations, and because many Bounty Hunters before you have already been here]. But what about all those features that become available during and after you buy a license and become a valid customer of the application?

In other words, with Trial accounts very important parts of commercial applications remain untested:
– Payment\licensing system
– Customer data management after the payment process – invoices, license levels, restrictions on licensing period extension, renewals etc.

What can be done? Well, you can always ask the Company for this type of account [ha-ha-ha]… or turn your Trial account into a Licensed one, and perform initial data collection during this process. Of course, when application\service license prices are in the hundreds\thousands of USD\EUR, you should be pretty sure about your skills before taking this step. But average licenses are under 50 USD, and this is an affordable price.
Many platforms we test accept the same payment methods to receive payments and pay bounties: PayPal, Bitcoin, Credit Cards. So I prefer to look at it as an investment. 🙂

Here is a real world example to prove my point:
Shopify has a very nice program on HackerOne: https://hackerone.com/shopify
They provide a Developer account for Bounty Hunters, where you can create multiple Shop accounts and test them. They even provide you with a test payment system, where you can actually emulate the payment process and analyse its flow. Back in the day I spent plenty of time and effort working on their Web Application.

But – again, some features were locked for the Dev\Trial account, so one rainy night [not sure, but sounds good, no?] I was testing the payment system and had to enter my credit card details into a payment form. 19.9 USD or so per month for the lowest license type. I was looking at the button that sends the data to Shopify servers and thinking: is there something I can find, or will I just spend 20 bucks for nothing? But curiosity killed the cat, they say. Data sent, server responded with a status update. All looked the same as within the emulator. 20 bucks spent for nothing.
I browsed the profile page and saw another detail unlocked: Invoices. Interesting, this part of the page was not available for Trial users…

I went there and downloaded my invoice, to keep it as a reminder not to do this stupid thing anymore.
And the link to download the invoice is:

myshop.myshopify.com/admin/invoices/1746632.pdf

I bet many of you see the opportunity here already 🙂
Yep, change the PDF file name in the URI to see if something can go wrong here. After a few unsuccessful attempts, another invoice PDF downloaded.
And another.
And another.
Different ones. From other customers.
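What the invoice link above amounts to is an insecure direct object reference: a sequential number in the URL, and the server never checked that the invoice belonged to the shop asking for it. The following is an added illustration, not Shopify's code and not part of the original post; the names (`Invoice`, `ShopSession`, the handler functions, the log format) are hypothetical. It shows the handler with the missing ownership check beside the fixed one, and a small detector that flags a session sweeping through invoice ids in constructed access log lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    shop_id: str
    pdf: bytes  # constructed stand-in for the PDF body


@dataclass(frozen=True)
class ShopSession:
    """The authenticated shop behind the request (session cookie resolved upstream)."""
    shop_id: str


class NotFound(Exception):
    pass


# Constructed sample store: invoices belonging to two different shops.
INVOICES: Dict[int, Invoice] = {
    1746631: Invoice(1746631, "othershop", b"%PDF-other-customer"),
    1746632: Invoice(1746632, "myshop", b"%PDF-mine"),
    1746633: Invoice(1746633, "othershop", b"%PDF-other-customer-2"),
}


def download_invoice_vulnerable(session: ShopSession, invoice_id: int) -> bytes:
    """Checks only that the caller is logged in and the invoice exists.
    Any authenticated shop can fetch any invoice by changing the number."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv.pdf


def download_invoice_fixed(session: ShopSession, invoice_id: int) -> bytes:
    """Scopes the lookup to the requesting shop. An invoice that exists but
    belongs to another shop gets the same 404 as a nonexistent one, so the
    response does not reveal which ids are valid."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.shop_id != session.shop_id:
        raise NotFound(invoice_id)
    return inv.pdf


# Hypothetical access-log line: "<session> GET /admin/invoices/<id>.pdf <status>"
LOG_RE = re.compile(r"^(?P<session>\S+) GET /admin/invoices/(?P<id>\d+)\.pdf (?P<status>\d{3})$")


def flag_enumeration(lines: Iterable[str], min_distinct: int = 5,
                     min_miss_ratio: float = 0.5) -> List[str]:
    """Return sessions that requested many distinct invoice ids with mostly
    non-200 answers, the signature of someone walking the id space."""
    per = defaultdict(lambda: {"ids": set(), "miss": 0, "total": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not invoice downloads
        s = per[m["session"]]
        s["ids"].add(int(m["id"]))
        s["total"] += 1
        if m["status"] != "200":
            s["miss"] += 1
    return sorted(
        sess for sess, s in per.items()
        if len(s["ids"]) >= min_distinct and s["miss"] / s["total"] >= min_miss_ratio
    )


# Constructed log: sess-A downloads its own invoice twice; sess-B sweeps a range
# of ids, getting 200 only where an invoice exists (as the vulnerable server would).
SAMPLE_LOG = [
    "sess-A GET /admin/invoices/1746632.pdf 200",
    "sess-A GET /admin/invoices/1746632.pdf 200",
] + [
    f"sess-B GET /admin/invoices/{i}.pdf {'200' if i in INVOICES else '404'}"
    for i in range(1746625, 1746640)
]


if __name__ == "__main__":
    me = ShopSession("myshop")
    print("vulnerable:", download_invoice_vulnerable(me, 1746631))  # another shop's PDF
    try:
        download_invoice_fixed(me, 1746631)
    except NotFound as e:
        print("fixed: 404 for", e)
    print("suspicious sessions:", flag_enumeration(SAMPLE_LOG))
```

The fix is the single `inv.shop_id != session.shop_id` condition; a cleaner design scopes the database query itself to the shop (look up by `(shop_id, invoice_id)`) so the check cannot be forgotten in a new handler. The detector is a back-stop: it catches the burst of 404s that id-walking leaves behind even when the handler is correct.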

What next?
Report > Escalation > Fix > Bounty payment.
https://hackerone.com/reports/94899

Yes, after this success there were other attempts with varying degrees of success. So no promises from my side, only hints. But for sure, there have been some interesting findings and new features unlocked with license purchases since then 🙂

Don’t be afraid to invest in yourself.
Good luck and happy hunting
Stay safe,
D.L.