
HackerOne Pentest

SECURITY
ASSESSMENT
__________
November 6, 2019 CONFIDENTIAL

Description
This document details the scope and results of a PCI penetration test performed by
HackerOne on behalf of E Com between October 23, 2019 and November 6, 2019.

Prepared for E Com

Author
Sh ie Libe , CISSP, OSCP (Technical Program Manager, HackerOne)
h ie@hac e e.c
About HackerOne
HackerOne is trusted by over 1,350 organizations worldwide to find and fix security
vulnerabilities using the largest team of security researchers on the planet.

Our community of over 500,000 researchers has found over 120,000 valid vulnerabilities
for organizations including Starbucks, Google, Lufthansa, Toyota, Hyatt, and Goldman
Sachs, as well as for high-profile programs of the U.S. Department of Defense such as
Hack the Pentagon, Hack the Army, Hack the Air Force, and Hack the Marines.

HackerOne customers worldwide depend on penetration testing products and services to
secure their applications, data, and people, and make the internet a safer place for
everyone.

Table of contents
1. Executive summary 3
State of security 4
Recommendations 5

2. Methodology 7
2.1 Preparation phase 7
2.1.1 Scope 8
2.1.2 Test plan 8
2.2 Testing phase 9
2.2.1 Information gathering & reconnaissance 9
2.2.2 Penetration testing & exploitation 9
2.3 Retesting phase 10
2.4 Report phase 10
2.5 Vulnerability classification and severity 10
2.6 HackerOne testing engagement leaders 11
2.7 HackerOne Pentest team 12

3. Findings 14
3.1 Findings overview 14
3.2 Asset: e com.com 16
3.2.1 Asset summary 16
3.2.2 Vulnerability summary 16
3.3 Asset: api.e com.com 17
3.3.1 Asset summary 17
3.3.2 Vulnerability summary 17
3.4 Asset: payments.e com.com 17
3.4.1 Asset summary 17
3.4.2 Vulnerability summary 18

4. Remediation status 19

1. Executive summary
______

E C (E a C a , .) a Ha O a Ha O a
, O b 23, 2019 N b 6, 2019. D a ,9 ab
b 8 a .

T a a a a a b a a
ab a b OWASP (O W b
A a S P )T 10. a a , a a
ab a (P ) .B a a a a a
,E C 80 a a
b .

D a ,3 ab a a a CVSS a 7.0 ,
a a.T ab a a
E C a b a . Tab 1 a a
b a b a .S 2.5 a a
a a .

                     Critical  High  Medium  Low  None  Σ

e com.com               0       1      3     2     0    6

api.e com.com           1       1      1     0     0    3

payments.e com.com      0       0      0     0     0    0

Σ                       1       2      4     2     0    9

Table 1: findings per asset

From its community of pentesters, HackerOne curated a team of three pentesters whose
skills and interests align best with the nature of E Com's business and the type of software
in scope for this penetration test. The team of three - led by a lead pentester - focused on
identifying vulnerabilities in E Com's scope during the agreed-on testing window.
Chapter 2 contains more information about the penetration testing methodology that was
used in this engagement.

The most common vulnerability was Cross-Site Scripting (XSS). The most severe
vulnerability found was a privilege escalation in e com.com. This vulnerability could have
been used to exfiltrate all of E Com's customer data, including stored credit card numbers,
full names, dates of birth, social security numbers, phone numbers, and home addresses.

State of security
Maintaining a healthy security posture requires constant review and refinement of existing
security processes. Running a HackerOne Pentest allows E Com's internal security team to
not only uncover specific vulnerabilities but gain a better understanding of the current
security threat landscape.

The overall findings indicated both a lack of general data sanitization across multiple
endpoints along with weaknesses in access control.

The reported sanitization issues were remediated and retested by the hacker responsible
for the finding, to ensure it has been patched.

From conversations with E Com's lead architect, we understand that the highlighted
access control issues led to a formal decision to overhaul the access control framework.
The overhaul will help prevent the future introduction of new access control weaknesses.

Reviewing the remaining resolved reports for a root cause analysis can further educate
E Com's internal development and security teams and allow manual or automated
procedures to be put in place to prevent entire classes of vulnerabilities in the future. This
proactive approach will then contribute to further strengthening the security posture of E Com's
assets.

Recommendations
Based on the results of this assessment, HackerOne has the following high-level
recommendations.

KEY RECOMMENDATION 1

Key issue: E Com has multiple injection vulnerabilities present across its properties.
These vulnerabilities could allow an attacker to steal credential data, leading to
reputational damage, as well as potential regulatory fines.

Recommendation: Take a proactive approach to input validation across the platform
and create QA and coding standard guidelines to ensure that it is
adhered to. In practice, this should include standard training with the
development team. This training should focus on the different types of
injection vulnerabilities and common mitigations available.

Furthermore, there are multiple additional controls, such as Content
Security Policy (CSP), that can mitigate client-side injection
vulnerabilities if they are accidentally introduced.

Resource: More information can be found in this Google-developed guide to CSP:
https://developers.google.com/web/fundamentals/security/csp/.

Google's CSP Evaluator can be used to review content security policies
and their effectiveness: https://csp-evaluator.withgoogle.com/.
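The kind of review the CSP Evaluator performs, as an added example that is not part of the report: a small Python checker that parses a policy header and flags the settings that would still let an injected script execute. Directive names are real CSP directives; the two sample policies are constructed.

```python
"""Small Content-Security-Policy checker.

Added example, not part of the HackerOne report: it parses a CSP header and
flags settings that would still let an injected script run, the kind of
review the CSP Evaluator automates.  Sample policies are constructed.
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "script-src 'self'; object-src 'none'" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(header: str) -> List[str]:
    """Return the weaknesses found in `header`; an empty list means none spotted."""
    policy = parse_csp(header)
    findings: List[str] = []
    # Scripts are governed by script-src, falling back to default-src.
    script_src: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src/default-src: inline and remote scripts are unrestricted")
    else:
        # A nonce or hash makes 'unsafe-inline' ignored by CSP2+ browsers.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': an injected <script> block executes")
        if any(s in ("*", "http:", "https:") for s in script_src):
            findings.append("script-src allows any origin: attacker-hosted scripts can be loaded")
        if "data:" in script_src:
            findings.append("script-src allows data: URIs, which can carry arbitrary script")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src unrestricted: plugin content is another injection vector")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


# Constructed samples: a permissive policy and a nonce-based one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRONG_CSP = ("default-src 'self'; script-src 'nonce-d3adb33f' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, check_csp(csp) or ["no weaknesses found"])
```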

KEY RECOMMENDATION 2

Key issue: E Com's API does not have an access control model that is consistent with
its website interface. This means that hackers could execute unauthorized
actions in the API, causing damage to data and its integrity. This could
cost E Com both in real damage and in the resources required to
remediate the results of the actions, as well as reputational damage if the issues
were to become public.

Recommendation: Use a consistent permissions model for all areas of the application, and
ensure that there is a single area that contains the authoritative
permissions model that can be referred to by the component
applications.

Resource: The OWASP Cheatsheet on Access Control provides actionable guidance
to developers maintaining access control mechanisms:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md.
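One way to act on this recommendation, as an added example rather than code from the report or from E Com: a single authoritative permissions model that both the web interface and the API consult, shown next to the login-only check that the key issue describes. Roles, actions and handler names are constructed for illustration.

```python
"""One authoritative permissions model shared by the web UI and the API.
Added example, not code from the report or from E Com: roles, actions and
handlers are constructed to illustrate Key Recommendation 2."""
from collections import namedtuple
from typing import Optional
User = namedtuple("User", "user_id role")

# The single place where "who may do what" is defined and reviewed.
ROLE_PERMISSIONS = {
    "guest": set(),
    "customer": {"order:create", "order:read_own"},
    "admin": {"order:create", "order:read_own", "order:read_any", "user:delete"},
}

class Forbidden(Exception): pass  # handlers map this to HTTP 403

def authorize(user: User, action: str, owner_id: Optional[int] = None) -> None:
    """Raise Forbidden unless `user` may perform `action`; unknown roles get nothing."""
    granted = ROLE_PERMISSIONS.get(user.role, set())
    if action == "order:read":  # read_any, or read_own on the caller's own record
        if "order:read_any" in granted or ("order:read_own" in granted and owner_id == user.user_id):
            return
    elif action in granted:
        return
    raise Forbidden(f"role {user.role!r} may not {action}")

def permitted(user: User, action: str, owner_id: Optional[int] = None) -> bool:
    try:  # boolean view of authorize(), handy for tests and templates
        authorize(user, action, owner_id)
        return True
    except Forbidden:
        return False

# Before: the API only checked login (the key issue); after: web and API ask the same model.
def legacy_api_delete_user(actor: User, target_id: int) -> str:
    if actor.role == "guest":
        raise Forbidden("login required")
    return f"deleted user {target_id}"  # any logged-in customer can delete users

def web_delete_user(actor: User, target_id: int) -> str:
    authorize(actor, "user:delete")
    return f"deleted user {target_id}"

def api_delete_user(actor: User, target_id: int) -> str:
    authorize(actor, "user:delete")  # the identical check, not a reimplementation
    return f"deleted user {target_id}"

def api_get_order(actor: User, owner_id: int) -> str:
    authorize(actor, "order:read", owner_id=owner_id)
    return f"order belonging to user {owner_id}"
```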

2. Methodology
______

E Com (Example Company, Inc.) engaged HackerOne to perform a HackerOne Pentest. The
following section covers how the engagement was set up and performed.

2.1 Preparation phase

HackerOne worked with E Com to identify the types of vulnerabilities most important to
them and to understand the goals of this assessment. This collaborative process was used to:

● gain an overview of the applications and network comprising the
Cardholder Data Environment (CDE);
● develop a scope for the engagement;
● determine what permission levels exist and which ones are in scope;
● determine a sufficient testing window;
● determine the risk level associated with each asset;
● gather shareable documentation covering E Com's APIs and services;
● identify the areas of E Com's scope that researchers should pay special attention to;
● and what types of vulnerabilities E Com is most interested in testing for.

This information was then placed in a Security Page, also known as the rules of
engagement. From its community of pentesters, HackerOne curated a team of three
pentesters to focus on identifying vulnerabilities in E Com's scope during the agreed-on
testing window while following the guidelines and instructions from the Security Page. The
hand-picked team - led by a lead pentester - was tailored based on the size of the scope
and the type of software that was in scope to ensure broad coverage of skills and
experience.

During the preparation phase a testing window from October 23, 2019 to November 6,
2019 was agreed on. The scope of the Security Page was reviewed by E Com before
moving to the testing phase.

2.1.1 Scope
During the preparation phase the following scope for the engagement was agreed on:

ASSETS IN SCOPE

e com.com

api.e com.com

payments.e com.com

Table 2: assets in scope

The following assets were specifically declared as out of scope for the engagement:

ASSETS OUT OF SCOPE

.e com.com

Table 3: assets out of scope

2.1.2 Test plan
The researchers in the security testing team were able to create and use their own
accounts to test for vulnerabilities within the agreed-on scope. There was no
testing environment set up for the hackers, all testing was performed on a production
environment.

2.2 Testing phase

2.2.1 Information gathering & reconnaissance
T e a a e a d ec a a ce e ec ca a e e
e ea c e . T e ed e e eb da e e a e c e a d de e
a a a ac . Eac e be e ec e ea c ea ce ed be c ea e
c e a a a e bee ed c e a ec a a ce e a d ,
e e d e a d ec e .T c de b ed :

● C e a a d ba e ca c a a a d a ca
● DNS discovery and subdomain enumeration
● Re e ce ca e a a e c ec d
● E a S da a d Ce b c da a
● Enumerating possible hidden web directories
● C e de a dc a c a B S e

Hac e O e e ac ae e b d e e e ea e
d c e a a d de a ac e c e e e ce e a e a e
ed b a ca c e .

2.2.2 Penetration testing & exploitation
T e e e a e e d a Oc be 23, 2019 N e be 6, 2019 a d a
eb ed a 100 .

Hac e O e e e a e e d a e ec c ca e e e ab e ,
c a e OWASP (O e Web A ca Sec P ec ) T 10. O e
e d e e d e e , ea ca ae ea - d a ac ,
e a e ed c e e ab e, ac , e ab e ,a d e e e
e de e a d ec e .

Add a , Hac e O e ea ec a a a da ed eac e ab a e


e e e ed e e a e. T e a ca e ed a de ed

vulnerabilities against the CWE (Common Weakness Enumeration) standard, as well as
assign a severity rating based on the CVSS 3.0 (Common Vulnerability Scoring System)
standard, providing consistent, easy to understand guidelines on the severity of each
finding. Each finding was made available immediately to E Com through HackerOne's
vulnerability management platform.

2.3 Retesting phase
While E Com worked to resolve any identified vulnerabilities, HackerOne kicked off a retest
of those findings to ensure they were no longer reproducible. Each finding was validated by
the original finder to ensure the vulnerability was mitigated or resolved. The results of the
retesting phase are outlined in chapter 4.

2.4 Report phase
At the conclusion of the engagement, HackerOne worked with E Com to analyze the results
of the testing phase and identify any potential trends in vulnerabilities found across
E Com's assets and key recommendations. The results of the engagement and
post-engagement analysis were then summarized in this report. The final report was
discussed with and approved by E Com during an engagement wrap-up meeting.

Any identified vulnerabilities were made available immediately through HackerOne's
vulnerability management platform to ensure quick action can be taken by E Com.

2.5 Vul­nerability classification and severity
To categorize vulnerabilities according to a commonly understood vulnerability taxonomy,
HackerOne uses the industry standard Common Weakness Enumeration (CWE). CWE is a
community-developed taxonomy of common software security weaknesses. It serves as a
common language, a measuring stick for software security tools, and as a baseline for
weakness identification, mitigation, and prevention efforts.

T a a , Ha O a a C
V a S S (CVSS) a a a
a . CVSS a a a a a a a a ,
a a a ,a a a a a
a .

T a a a a a a ,
Ha O a a a CVSS a a a a a ( a
, , a a ):

● Critical: CVSS rating 9.0 - 10
● High: CVSS rating 7.0 - 8.9
● Medium: CVSS rating 4.0 - 6.9
● Low: CVSS rating 0.1 - 3.9
● None: CVSS rating 0.0

M a a CWE a M TRE : :// . . /.

M a a CVSS a F R a
S T a (F RST) : :// . . / .

2.6 HackerOne testing engagement leaders


T a a Ha O a a a a
:

● S Lb , C SSP, OSCP, T a P a Ma a
@ a .

D a a a :
● Zac a Da d , S A a Ma a
a @ a .
● J B a ,T a P a Ma a

@ a .
● J a in Sil a J ., T a P a Ma a
a @ a .

P a a a a ab a
.

2.7 HackerOne Pentest team 

3  52  2,056 
Ha O P T a Ha O C T a V ab F
E a W O Ha O C

T a b a a - a 3 a a b
12 a a 52 Ha O a .

T , a a a a 2,056 ab , 4069
a , a a Sa b ,G a M ,G a Sa ,
H a ,a U.S. D a D .

Pete Yaworski (@yaworsk)


3 years and 3 months of security testing experience with
HackerOne
 
252 vulnerabilities found for 49 HackerOne customers
including Airbnb, Salesforce and Verizon Media
 

Eric Head (@todayisnew)


4 years of security testing experience with HackerOne
 
2,527 vulnerabilities found for 255 HackerOne customers
A b ,R Ga ,V M a
 

@ _ o_hack
3 years and 10 months of security testing experience with
HackerOne

1,682 vulnerabilities found for 15 HackerOne customers
including Twitter, Salesforce and Verizon Media

3. Findings
______

T c a c a c a .F a b
a b a a CWE c a ca . Eac a c c a a
a . Tab 1 c a c a a b
c ab a ca .A
Hac O a , c a a c a
ab a ca b a ab ac a
c b a ab a .

3.1 Findings overview   


D a ,9 ab ac 6 ab
ca (CWE). T c ab a C -S Sc (XSS) 3
ab .V ab :

● Cross-Site Scripting (XSS)
● Server-Side Request Forgery (SSRF)
● Cross-Site Request Forgery (CSRF)
● Information Disclosure
● Security Misconfiguration
● Privilege Escalation

Tab 4 a a a E C a a a c
ab a b OWASP T 10.

 
 

OWASP TOP 10 CATEGORY                             FINDINGS

A1 – Injection
A2 – Broken Authentication
A3 – Sensitive Data Exposure                      1 finding
A4 – XML External Entities (XXE)
A5 – Broken Access Control                        1 finding
A6 – Security Misconfiguration                    1 finding
A7 – Cross-Site Scripting (XSS)                   4 findings
A8 – Insecure Deserialization
A9 – Using Components with Known Vulnerabilities
A10 – Insufficient Logging & Monitoring

Table 4: vulnerabilities by OWASP Top 10 category

Exploring the findings further by their actual vulnerability type as defined by CWE, Table 5
shows the number of individual findings and its distribution of severity.
 

                                    Critical  High  Medium  Low  Σ

Cross-Site Scripting (XSS)             0       1      3      0   4
Server-Side Request Forgery (SSRF)     0       1      0      0   1
Cross-Site Request Forgery (CSRF)      0       0      0      1   1
Information Disclosure                 0       0      1      0   1
Security Misconfiguration              0       0      0      1   1
Privilege Escalation                   1       0      0      0   1
Σ                                      1       2      4      2   9

Table 5: severity distribution across vulnerability types


3.2 Asset: e com.com

3.2.1 Asset summary
. E C .

E C .

3.2.2 Vulnerability summary
During the engagement, 6 vulnerabilities were found in this asset.

VULNERABILITY TITLE                 SEVERITY        CWE

#171870 Stored XSS                  High (8.0)      Cross-Site Scripting (XSS)
#171872 Reflected XSS               Medium (4.3)    Cross-Site Scripting (XSS)
#171873 Reflected XSS               Medium (4.3)    Cross-Site Scripting (XSS)
#171875 Reflected XSS (POST)        Medium (4.3)    Cross-Site Scripting (XSS)
#198328 CSRF                        Low (2.1)       Cross-Site Request Forgery (CSRF)
#168325 A U                         Low (2.1)       Security Misconfiguration

Table 6: findings in e com.com

3.3 Asset: api.e com.com

3.3.1 Asset summary
a . . a a AP b E .U a
AP a a a a a b
a . .T AP a a a E
.

3.3.2 Vulnerability summary
During the engagement, 3 vulnerabilities were found in this asset.

VULNERABILITY TITLE                 SEVERITY        CWE

#197248 Privilege escalation G > A  Critical (9.9)  Privilege Escalation
#189172 SSRF E a                    High (7.5)      Server-Side Request Forgery (SSRF)
#178822 AP a a G H b                Medium (4.3)    Information Disclosure

Table 7: findings in api.e com.com

3.4 Asset: payments.e com.com

3.4.1 Asset summary
a . . E C a a a
b .

3.4.2 Vulnerability summary
During the engagement, no vulnerabilities were found in this asset.

4. Remediation status

E C H O
.E
.T 8
.

VULNERABILITY TITLE                 SEVERITY        STATUS

#197248 Privilege escalation G > A  Critical (9.9)  Fixed (M 11, 2019)
#171870 Stored XSS                  High (7.5)      Fixed (M 11, 2019)
#189172 SSRF E                      High (7.5)      Fixed (M 11, 2019)
#171872 Reflected XSS               Medium (4.3)    Fixed (M 14, 2019)
#171873 Reflected XSS               Medium (4.3)    Fixed (M 13, 2019)
#171875 Reflected XSS (POST)        Medium (4.3)    Fixed (M 11, 2019)
#178822 AP G H                      Medium (4.3)    Fixed (M 12, 2019)
#198328 CSRF                        Low (2.1)       Fixed (M 14, 2019)
#168325 A U                         Low (2.1)       N

Table 8: summary of findings and status of remediation

End of Security Assessment Report

