
How we broke docshell.ru
Hello, Habr!
BugHunt is a service for publishing rewards for found vulnerabilities. We help organizations launch their own bug bounty programs and take on the whole routine: we draft the program's terms, attract researchers, process reports, and give recommendations for closing the holes.
The result is almost like a pentest, but cheaper and better: you pay not for a pretty report but for real holes.

Google, Yandex, Qiwi and other IT giants (here is the full list) were the first to notice the savings of bug bounty programs, which is easy to explain: to organize your own hole-hunting program you need staff and a budget.
We will try to ensure that any company can afford a reward program for vulnerabilities found.
The docshell.ru vulnerability reward program
Our first client was the DocShell service.
In the 3 weeks since the BugHunt service and the DocShell reward program launched, we received nearly 40 reports about various holes.

Of these, approximately 10 reports (25%) were rejected because they duplicated a hole already reported (under the service's rules, the first researcher to report a vulnerability receives the reward).
The most serious hole dug up on the DocShell service so far was the ability to read other users' chats with technical support. To do this, it was enough to substitute an arbitrary UserId into the destinationUserId parameter of the URL www.docshell.ru/Chat/LoadHistory?destinationUserId=XXXX. For this hole we immediately paid 30 thousand rubles (thanks to the researcher with the nickname sm!).
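The LoadHistory bug is an insecure direct object reference: the server trusted the destinationUserId taken from the URL instead of the logged-in identity. The Python sketch below is an added example, not DocShell's code: it shows that handler beside a hardened version that binds the lookup to the session, plus a check that flags such probes in access logs. The chat data, the log format and the support-staff role are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not DocShell's): support-chat history per user id.
CHAT_HISTORY = {
    1001: ["user: my invoice is missing", "support: resending it now"],
    1002: ["user: reset link expired", "support: new link sent"],
}
SUPPORT_AGENTS = {42}  # assumed role: staff who may read any user's history

class Forbidden(Exception):
    pass  # where a web framework would answer HTTP 403

@dataclass
class Session:
    user_id: int  # identity comes from the login cookie, never from the URL

def load_history_vulnerable(session, destination_user_id):
    """Mirrors the reported bug: the client-supplied destinationUserId alone
    selects the history; the logged-in user is never compared against it."""
    return CHAT_HISTORY.get(destination_user_id, [])

def load_history_fixed(session, destination_user_id):
    """Hardened handler: the requested id must equal the session user unless the
    caller is support staff. Refusing, rather than silently substituting the
    session id, keeps the probe visible in error logs."""
    if destination_user_id != session.user_id and session.user_id not in SUPPORT_AGENTS:
        raise Forbidden(f"user {session.user_id} requested history of {destination_user_id}")
    return CHAT_HISTORY.get(destination_user_id, [])

def find_idor_probes(access_log):
    """Detection over access logs (constructed format '<ts> user=<id> <method> <path>'):
    return (user, requested id) pairs where a non-staff user asked for someone else's LoadHistory."""
    hits = []
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("/Chat/LoadHistory"):
            continue
        user = int(fields[1][len("user="):])
        query = parse_qs(urlsplit(fields[3]).query)
        target = int(query.get("destinationUserId", ["-1"])[0])
        if target != user and user not in SUPPORT_AGENTS:
            hits.append((user, target))
    return hits

# Constructed log: user 1001 reads their own chat, then probes 1002's.
SAMPLE_LOG = """\
2014-03-01T10:00:00 user=1001 GET /Chat/LoadHistory?destinationUserId=1001
2014-03-01T10:00:05 user=1001 GET /Chat/LoadHistory?destinationUserId=1002
2014-03-01T10:00:09 user=42 GET /Chat/LoadHistory?destinationUserId=1002
2014-03-01T10:00:12 user=1001 POST /Chat/Send
"""
```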
Other researchers were less fortunate: the average reward paid per hole was 5 thousand rubles. However, many sent several reports at once and earned no less as a result.
Various kinds of CSRF attacks were the most common vulnerability, but all of them required some active action by an authorized user on another site, so we assigned such vulnerabilities a low danger category. To defend against these attacks, the service developers quickly implemented anti-CSRF tokens, and the reports dried up.
The weak point in the site's security was the authentication and password recovery mechanism: the corresponding forms allowed users to be enumerated and were not protected against automated password guessing.
As an exception, we also paid for a vulnerability found in the Postfix mail server (CVE-2011-1720), even though it was not part of the docshell service but merely shared the same IP address with it.
By the way, the reward program for vulnerabilities found on the docshell.ru website is still running, although the prize pool has already shrunk considerably. Be the first to learn about new programs via our Twitter, @bughuntru.
You can also have your site checked through our service! We are currently developing and publishing reward programs for free, so if no vulnerabilities are found on your site, you will not pay a dime.
What would you like to see in our articles?
- 79.4% More Hardcore! A detailed description of dangerous holes and recommendations for closing them. 189
- 4.6% Less hardcore. A look at the holes from the business side and our reasoning when classifying vulnerabilities on a danger scale. 11
- 15.9% Both. 38