Response Generator™

By @EdOverflow

Triager's username is stored in localStorage for future use.



Hi {{username}},

Thank you for reporting this potential issue.



On a side note, we highly recommend you take a look at _["Web Hacking 101"](https://leanpub.com/web-hacking-101)_ by Peter Yaworski and _["Breaking into Information Security: Learning the Ropes 101"](https://leanpub.com/ltr101-breaking-into-infosec)_ by Andy Gill to get a better idea of the type of issues that we are looking for.

Keep up the good work and we look forward to more reports from you in the future.
\- {{triager}}


Initial response

Acknowledgement of receipt

Thank you for reporting this potential issue. I am currently looking into your report and will get back to you with my results and maybe even some questions if I need help reproducing the issue.

Responses for invalid reports

Ability to create external links

Currently, we do not plan on changing this behaviour. The ability to create external links is a fundamental part of the web and users are educated to be wary of what they click on while browsing.

Brute-force attack

We generally do not accept this type of report. We are aware that other bug bounty programs might interpret this issue differently, but we have accepted the low risk that brute-force attacks pose.

Clickjacking on static website

The page in question is static, therefore clickjacking does not pose any risk. Clickjacking becomes an issue whenever the page is dynamic and enables a user/attacker to perform sensitive actions such as deleting one's account.

One good way of finding valid clickjacking vulnerabilities is to create a map of the various functionality and then check the actions that could have a significant impact on the user.

For more on clickjacking vulnerabilities, please refer to Hacker101: https://www.hacker101.com/vulnerabilities/clickjacking.

Content injection

We generally do not accept content injection reports. The severity of this issue is so low that it does not warrant an immediate fix. We are aware that other bug bounty programs might interpret this issue differently, but we have accepted the low risk that content injection poses.

Cross-site tracing

In order for Cross-Site Tracing (XST) to really be a significant issue you would need to find an endpoint vulnerable to Cross-site Scripting (XSS). If you do find XSS, please notify us, and we will accept this report.

CSP uses unsafe-inline

The fact that our CSP includes `unsafe-inline` is not an issue in itself. In order for you to demonstrate the actual impact of this value, I highly recommend you look for an XSS vulnerability. Try to trigger `alert(document.domain)`. We will accept this report if you can find a way of actually exploiting this potential issue with XSS.

CSRF with minimal security implications

In order for CSRF to be a valid issue it must affect some important action such as deleting one's account. The CSRF that you have reported to us does not affect anything important, therefore we do not believe that this requires an immediate fix.

One good way of finding valid CSRF vulnerabilities is to create a map of the various functionality and then check the actions that could have a significant impact on the user.

When constructing the proof of concept always make sure the code is clear and well formatted. Something along these lines allows the team to easily verify the impact of the issue:

~~~html
<form action="http://example.com/settings" method="POST">

 <!-- Victim's username -->
 <input type="hidden" name="username" value="example"/>

 <!-- Victim's password -->
 <input type="hidden" name="password" value="password1234"/>

 <!-- Click this button to perform the action -->
 <input type="submit" value="Click me"/>

</form>
~~~

Then when designing a real-world example, either hide the form (`style="display:none;"`) and make it auto submit, or design it so that it resembles a component from the target's page.

For more on CSRF, please refer to Hacker101: https://www.hacker101.com/vulnerabilities/csrf.
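The other half of the picture, from the team's side, is what makes a proof of concept like the form above fail: a state-changing endpoint that checks the request origin and a session-bound token. The following Python is an added example written for this page (it is not the Response Generator's code and not from Hacker101); `SITE_ORIGIN`, the `Request` dataclass and the sample requests are assumed, constructed values.

```python
"""Defender-side CSRF check for a state-changing request.

Added example for this page; the Request shape, SITE_ORIGIN and all sample
requests are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://example.com"      # assumed origin of the settings page
SERVER_SECRET = secrets.token_bytes(32)  # per-process key for token MACs


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).

    Nothing is stored server-side; the server recomputes the token when the
    form is submitted and compares it in constant time."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None  # from the session cookie the browser attached


def csrf_verdict(req: Request) -> str:
    """Return 'allow' or a rejection reason for a state-changing request."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow"  # safe methods must not change state in the first place

    # First line: Origin (or Referer as fallback) must be our own site.
    # Prefix check includes the trailing slash so example.com.evil.net fails.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "reject: cross-origin request"

    # Second line: the form must carry the token bound to this session.
    # A cross-site form (like the PoC above) cannot read it, so it is absent.
    if req.session_id is None:
        return "reject: no session"
    expected = issue_csrf_token(req.session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "reject: missing or invalid csrf_token"
    return "allow"


if __name__ == "__main__":
    # Constructed: the PoC form submitted from an attacker-controlled page.
    poc = Request("POST", {"Origin": "https://attacker.invalid"},
                  {"username": "example", "password": "password1234"}, "sess-1")
    print(csrf_verdict(poc))
    # Constructed: the site's own settings form, token included.
    own = Request("POST", {"Origin": SITE_ORIGIN},
                  {"username": "example", "csrf_token": issue_csrf_token("sess-1")}, "sess-1")
    print(csrf_verdict(own))
```

The origin check is kept separate from the token check on purpose: an endpoint that still accepts the PoC when both are in place is what a valid CSRF report has to demonstrate.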

CSV injection

We do not believe that this issue has a sufficient impact on our users. In our view, this is an issue that products such as Excel should take care of. We are aware that other bug bounty programs might interpret this issue differently, but we have accepted the low risk that CSV injection poses.

Disclosure of robots.txt file

We are aware that in some cases robots.txt files have been known to disclose sensitive information. In our case we have determined that our robots.txt file does not contain any information that poses a potential security risk. That being said, 

Email spoofing

We have accepted the risk that this issue poses and do not believe that it warrants an immediate fix.

Error message

We have determined that the error message does not contain information that poses a potential security risk. We really appreciate you taking the time to report something to us and we highly recommend always verifying the contents of an error message to ensure that it really is a security issue. If you are not very familiar with the error message or the technology being used, a quick Google search can usually help.

IDN homograph attack

While this is a classic phishing technique, we do not consider IDN homograph attacks to be a significant threat and do not plan on addressing this concern at the moment.

JavaScript error

The JavaScript error does not disclose any sensitive information, therefore we do not plan on fixing this anytime soon. Whenever you believe you have encountered some form of information disclosure, always double-check that the information is in fact sensitive. If you are not very familiar with the error message or the technology being used, a quick Google search can usually help.

Leaking non-sensitive information on search engine results

The result does not appear to disclose any sensitive information that could potentially affect us or our customers. That being said, we really appreciate you taking the time to report something to us and we highly recommend always verifying the contents of what you find to ensure that it really is a security issue.

Missing security headers

The missing header in question does not pose a significant risk, therefore we do not plan on addressing this issue at the moment.

No notification on event

We have determined that this event does not require any notifications and that the risk of having no notification is not significant enough to warrant an immediate fix.

Non-sensitive file disclosure

The file that you listed above does not appear to disclose any sensitive information that could potentially affect us or our customers. That being said, we really appreciate you taking the time to report something to us and we highly recommend always verifying the contents of a file to ensure that it really is a security issue.

No proof of concept

Would it be possible to provide us with a detailed proof of concept (preferably code) that demonstrates the issue? Unfortunately, without a proof of concept it is very difficult for us to determine what the actual issue is.

No rate limiting

We have accepted the risk that this issue poses and do not believe that it warrants an immediate fix.

Open redirect using Host header

Open redirects in the `Host` header are not exploitable, therefore we currently do not see a reason to change this behaviour. That being said, if you do find a way to really exploit this in a way that could affect us and/or our users, please do report back to us.

Outdated library

Would it be possible to provide us with a proof of concept (preferably code) that exploits the issue(s) found in this library? We are struggling to determine the severity of this issue and a proof of concept would be a big help.

Reverse tabnabbing

We have accepted the risk that this issue poses, since the attack you described does not affect most modern browsers. Therefore, we do not plan on changing this behaviour at the moment.

Server version disclosure

We do not plan on changing this behaviour since we are perfectly happy with disclosing details about what web server we are running.

Specific HTTP method enabled

Based on our assessment of your finding, we believe that the severity of this issue does not warrant an immediate fix.

SPF misconfiguration

We have accepted the risk that the SPF misconfiguration poses and do not believe that it warrants an immediate fix.

Subdomain takeover false positive

Unfortunately, this appears to be a false positive. We are currently unable to find a way of claiming this subdomain. You have our permission to attempt to take over the subdomain. To verify the issue, simply upload the following proof of concept: https://github.com/EdOverflow/bugbountyguide/blob/master/files/sub-domain_takeover.html. If you are able to find a way, please report back and we will accept your report.

For more on subdomain takeovers, please refer to Hacker101: https://www.hacker101.com/vulnerabilities/subdomain_takeover.

Target does not belong to bug bounty program

It appears that you have found a potential issue on an endpoint that does not belong to us. We highly recommend trying to get in touch with {{vendor}}'s security team about your finding. Their security policy can be found here: {{security_page}}.

Weak password policy

We have accepted the risk that this issue poses and do not believe that it warrants an immediate fix.

Responses for valid reports

Basic response

This appears to be a valid issue. I will forward this report on to the team and keep you updated with any progress.

Appreciative response

Wow, nice catch and what a beautifully-written report! I will forward this report on to the team and keep you updated with any progress.

Valid issue, but could be better ;)

I will accept this report as is and if you manage to bypass all the protections and hurdles in place, please let us know. I will forward all the information you have provided here on to the team and keep you updated with any progress.

Bypassing CSP

I will accept this report as is and if you manage to bypass the CSP, please let us know. You might have some luck analysing the CSP using https://csp-evaluator.withgoogle.com/ and double-checking to see if there are any white-listed JSONP endpoints [1]. The following Google dork might help you find JSONP endpoints:

~~~
site:http://example.com inurl:callback
~~~

I will forward all the information you have provided here on to the team and keep you updated with any progress.

[1]: https://stamone-bug-bounty.blogspot.ch/2017/10/dom-xss-auth_14.html
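Both the "CSP uses unsafe-inline" response and the CSP bypass response above turn on one question: does the policy actually let injected script run, or is `unsafe-inline` merely a legacy fallback next to a nonce or hash? The following Python reviewer is an added example written for this page (not the Response Generator's code and not csp-evaluator); it applies the script-src/default-src fallback rule browsers use and reports the findings a triager would look for. All policy strings in it are constructed samples.

```python
"""Small CSP reviewer for triaging 'unsafe-inline' and CSP bypass reports.

Added example for this page; the sample header values are constructed.
It answers: given this Content-Security-Policy, is inline script allowed,
and which other sources widen what an injection can do?
"""
import re
from typing import Dict, List, Optional

# 'nonce-...' or 'sha256-/sha384-/sha512-...' source expressions
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha256-|sha384-|sha512-)[^']+'$", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Browsers honour only the first occurrence of a directive, so a repeated
    directive is ignored here as well (setdefault keeps the first)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs inline and external scripts; without it the
    browser falls back to default-src; without either, scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def review_script_policy(header: str) -> dict:
    """Return {'inline_allowed': bool, 'findings': [str]} for one header value."""
    sources = script_sources(parse_csp(header))
    findings: List[str] = []
    if sources is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
        return {"inline_allowed": True, "findings": findings}

    keywords = {s.lower() for s in sources}
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is listed.
    inline_allowed = "'unsafe-inline'" in keywords and not has_nonce_or_hash

    if inline_allowed:
        findings.append("'unsafe-inline' without nonce/hash: injected inline script "
                        "runs, so an XSS is directly exploitable")
    elif "'unsafe-inline'" in keywords:
        findings.append("'unsafe-inline' present but ignored by modern browsers because "
                        "a nonce/hash is also listed (legacy fallback only)")
    if "'unsafe-eval'" in keywords:
        findings.append("'unsafe-eval': eval()/new Function() allowed")
    for src in sorted(keywords):
        if src in ("*", "http:", "https:", "data:"):
            findings.append(f"{src}: script may load from any origin of that kind; "
                            "check the allowed hosts for JSONP endpoints")
    return {"inline_allowed": inline_allowed, "findings": findings}


if __name__ == "__main__":
    # Constructed sample policies: the reported one and a hardened one.
    for sample in ("default-src 'self'; script-src 'self' 'unsafe-inline' https:",
                   "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"):
        print(sample, "->", review_script_policy(sample))
```

Run against a reported header, `inline_allowed` being `True` is the case where an XSS finding would turn this from a low-severity note into an accepted report; the `https:` finding is the cue to go hunting for the white-listed JSONP endpoints mentioned above.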

AngularJS XSS — math expression only

I will accept this report as is and if you manage to exploit the XSS, please let us know. The reason why I am accepting this report is mainly because one should not rely on the fact that nobody has discovered a bypass yet. It is only a matter of time before someone publishes a new AngularJS XSS bypass. Here is a list of AngularJS XSS payloads that might help you pop an alert: https://raw.githubusercontent.com/bugbountyforum/XSS-Radar/master/extension/src/payloads/angular.js. In the mean time, I will forward all the information you have provided here onto the team and keep you updated with any progress.