
How we broke docshell.ru

Hi, Habr!

BugHunt is a service for publishing reward programs for discovered vulnerabilities. We help organizations launch their own bug bounty programs and take on the whole routine: we draw up the program's terms, bring in researchers, process reports and give recommendations on how to fix the holes.
It works out almost like a pentest, but cheaper and better, and here you pay not for a pretty report but for real holes.


Google, Yandex, Qiwi and other IT giants (here is a complete list) were the first to notice the savings from bug bounty programs, which is easy to explain: organizing hole-hunting inside your own company takes staff and a budget.
We will try to make sure that any company can afford a reward program for discovered vulnerabilities.
The docshell.ru vulnerability reward program

Our first client was the DocShell service.
Over the 3 weeks that the BugHunt service and the DocShell reward program have existed, we received almost 40 reports about various holes.

Of these, about 10 reports (25%) were rejected as duplicates of an already-reported hole (under the service's rules, whoever reports a vulnerability first gets the reward).
The most serious hole dug up so far on the DocShell service was the ability to read other users' chats with technical support. It was enough to put an arbitrary user id in the destinationUserId parameter of the URL www.docshell.ru/Chat/LoadHistory?destinationUserId=XXXX. For this hole we immediately paid 30 thousand rubles (thanks to the researcher with the nickname sm!).
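The chat-history hole above is a classic missing object-level authorization check: the server trusted the user id in the query string instead of deriving it from the session. The following is an added illustration, not DocShell's code; only the endpoint shape (/Chat/LoadHistory?destinationUserId=...) comes from the post, while the in-memory message store, the support-agent role and all function names are assumptions. It puts the vulnerable pattern next to a hardened handler that fails closed.

```python
"""Authorization check for a per-user chat-history endpoint.

Constructed example (not DocShell's code). The endpoint shape
/Chat/LoadHistory?destinationUserId=<id> comes from the post; the store,
the role model and the function names are assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Message:
    sender_id: int
    recipient_id: int
    text: str


# Constructed sample data: users 7 and 8 each have a support thread,
# and the support agent has user id 1.
SUPPORT_AGENT_ID = 1
SUPPORT_AGENTS = {SUPPORT_AGENT_ID}
MESSAGES: List[Message] = [
    Message(7, SUPPORT_AGENT_ID, "My invoice is wrong"),
    Message(SUPPORT_AGENT_ID, 7, "Checking it now"),
    Message(8, SUPPORT_AGENT_ID, "Please reset my 2FA"),
]


class Forbidden(Exception):
    """Raised when the caller may not read the requested thread."""


def thread_between(user_id, other_id):
    """All messages exchanged between two user ids, oldest first."""
    return [m for m in MESSAGES
            if {m.sender_id, m.recipient_id} == {user_id, other_id}]


def load_history_vulnerable(session_user_id, destination_user_id):
    """IDOR pattern: the query parameter is trusted as-is. Whatever id the
    caller puts in ?destinationUserId=... selects the thread, so any
    logged-in user can read any other user's support chat."""
    return thread_between(destination_user_id, SUPPORT_AGENT_ID)


def load_history_hardened(session_user_id, destination_user_id):
    """Fixed: the thread is tied to the authenticated session. A regular
    user may only open their own support thread and any other id is refused
    (a refusal worth logging, since it only happens on tampered URLs);
    the parameter is honoured only for support agents."""
    if session_user_id in SUPPORT_AGENTS:
        return thread_between(destination_user_id, SUPPORT_AGENT_ID)
    if destination_user_id != session_user_id:
        raise Forbidden("users may only read their own support thread")
    return thread_between(session_user_id, SUPPORT_AGENT_ID)
```

The hardened handler raises rather than silently substituting the caller's own id: a mismatch between the session and the requested id never occurs through the normal UI, so counting those refusals is a cheap detection signal for someone probing the parameter.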
Other researchers were less fortunate: the average reward paid for one hole was 5 thousand rubles. However, many sent us several reports at once and ended up earning no less.
Various kinds of CSRF attacks were the most common vulnerability, but all of them required the authorized user to take some action on a third-party site, so we assigned such vulnerabilities a low risk category. As protection against these attacks, the service's developers promptly implemented anti-CSRF tokens, and the reports dried up.
The site's weak spot was the authorization and password-recovery mechanism. The relevant forms allowed user enumeration and were not protected against automated password guessing.
As an exception, we also paid for a vulnerability found in the Postfix mail server (CVE-2011-1720), even though it was not part of the docshell service but merely sat on the same IP address.
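The two form-level fixes mentioned above (anti-CSRF tokens, and throttling of the login and password-recovery forms) are small enough to show together. The code below is an added example and not DocShell's implementation; the session dictionary, the sliding-window limits, the constructed credential store and the function names are all assumptions. It shows a per-session CSRF token verified in constant time, and a failure counter keyed by both account name and source address so that neither a single account nor a single client can be hammered unattended.

```python
"""Anti-CSRF token plus brute-force throttling for a login form.

Constructed example, not DocShell's code; the session store, the limits
and the function names are assumptions.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

# --- anti-CSRF token ---------------------------------------------------------

def issue_csrf_token(session):
    """Create one random token per session and keep it server-side; the same
    value is embedded as a hidden field in every state-changing form."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Accept the form only if the submitted value equals the session token.
    A forged cross-site request cannot read the token, so it fails here.
    Constant-time compare avoids leaking the token through timing."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


# --- brute-force throttling --------------------------------------------------

class AttemptLimiter:
    """Sliding-window limit on failed attempts per key (account name or
    client address). Once the limit is hit, further attempts are refused
    until the oldest failure ages out of the window."""

    def __init__(self, max_failures=5, window_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so tests can control time
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key):
        now = self.clock()
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key):
        self._failures[key].append(self.clock())

    def reset(self, key):
        self._failures.pop(key, None)


# --- a login handler that uses both -----------------------------------------

# Constructed credential store: username -> password. Plaintext only to keep
# the example short; a real store holds salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def handle_login(session, form, limiter, client_ip):
    """Return a short status string. Order matters: CSRF check first, then the
    throttle, then credentials. A failed guess counts against both the account
    name and the source address; success clears only the account counter."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "csrf_rejected"
    username = form.get("username", "")
    keys = ("user:" + username, "ip:" + client_ip)
    if not all(limiter.allowed(k) for k in keys):
        return "throttled"
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(),
                                      form.get("password", "").encode()):
        limiter.reset(keys[0])
        session["user"] = username
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "bad_credentials"
```

The same limiter wraps a password-recovery form unchanged: key the counter on the submitted e-mail address and on the client address, and return the same neutral response whether or not the address exists, which also closes the user-enumeration path the post mentions.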
By the way, the reward program for vulnerabilities found on docshell.ru is still running, although the prize fund has already shrunk considerably. The first to learn about new programs are the followers of our @bughuntru Twitter account.
You can also have your site checked through our service! Right now we develop and publish reward programs for free, so if no vulnerabilities are found on your site, you won't pay a penny.


Source: https://habr.com/ru/post/219871/
