This was NOT the first time I tried to participate in the Bitdefender bug bounty. The previous one was also painful. I felt like they don't want to pay for submissions although it is a bug bounty program. I think this one is proof that I'm right.
On August 1st, I discovered a sub-domain of Bitdefender, which is the Partner Advantage Network and already has a login page.
After looking around for a while, I found there is a registration page here:
So, I played with the requests and figured out that the data[Partner][country] parameter isn't sanitized properly.
Then, I checked to be sure that the pan.bitdefender.com sub-domain is in scope.
And it wasn't out of scope of their program. As of this post, it still wasn't. You can check it yourself.
So, I prepared my report and sent it to them the same day.
I included the vulnerable URL, PoC screenshots and HTTP requests.
After 2 hours, I got a response!
They were asking for a valid/working attack scenario! Focus on the sentence in parentheses:
link to click on that gets the xss triggered!
I was surprised! I couldn't understand what they meant! I wondered whether these guys know what XSS is in the first place. And although there wasn't anything related to Burp Suite, they said:
that works without forcing the user to go burp suite and make the request
I tried to understand them. So, I tried another way to make them believe me: "HEY look, yes, there is XSS! Really."
It worked! Afterwards I created my own HTML example with the following content:
<html>
<body>
<form action="https://pan.bitdefender.com/partners/save/overlay:true/step:2" method="POST">
<input name='data[Partner][country]' value='af_9479";alert(document.domain);//'>
<input type="submit" value="submit">
</form>
</body>
</html>
Please note that I just used the vulnerable parameter as a working PoC, and this worked too, which should have proven to Bitdefender that there is an XSS.
I sent both of these working PoCs to the Bitdefender bug bounty guys, and added: "Hey guys, look at this:"
bitdefender.com/partners/save/overlay:true/step:2" novalidate="novalidate" id="PartnerSaveForm" method="post" accept-charset="utf-8">
<div style="display:none;">
<input type="hidden" name="_method" value="POST"/>
<input type="hidden" name="data[_Token][key]" value="c4d6e6415c5d76235b61a498c23020af54e6428c" id="Token5098561"/>
YOU HAVE A data[_Token][key] value which has to be checked in the back-end!
But you didn't check it! So, my HTML worked as a CSRF bypass as well, which is what you asked me for in the previous email!!
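To show what the two server-side checks this report points at look like, here is an added example of mine (not Bitdefender's code and not the PoC from this post). It assumes, as the payload shape suggests, that the country value is reflected into a double-quoted JavaScript string; it contrasts raw interpolation with JSON-encoding the value, and validates the submitted data[_Token][key] against a session-bound token in constant time.

```python
import hmac
import json
from typing import Optional, Tuple

# Constructed sample: the value the PoC form above submits. Its shape (close
# quote, statement, comment) fits reflection into a double-quoted JS string.
SUBMITTED_COUNTRY = 'af_9479";alert(document.domain);//'

def render_vulnerable(country: str) -> str:
    """Hypothetical unsafe rendering: the quote in the value closes the string."""
    return f'<script>var country = "{country}";</script>'

def render_hardened(country: str) -> str:
    """Encode for a JS string context: json.dumps escapes quotes and
    backslashes; '<' and '>' are escaped so the value cannot end <script>."""
    literal = json.dumps(country).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var country = {literal};</script>"

def parse_js_string(src: str, start: int) -> Tuple[str, str]:
    """Minimal double-quoted JS string parser (\\uXXXX and single-char escapes)."""
    out, i = [], start + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\":
            if src[i + 1] == "u":
                out.append(chr(int(src[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(src[i + 1])
                i += 2
        elif ch == '"':
            return "".join(out), src[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated JS string literal")

def decode_country(rendered: str) -> Tuple[str, str]:
    """What a browser executes: the string assigned to `country`, plus any JS after it."""
    start = rendered.index('"', rendered.index("var country = "))
    value, rest = parse_js_string(rendered, start)
    return value, rest[: rest.index("</script>")]

def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """The back-end check the post says was missing: reject a POST whose
    data[_Token][key] is absent or does not match the session's token."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)
```

With the raw rendering the injected statement ends up outside the string literal; with the hardened one the whole submitted value stays inside it, and a cross-site form without the session's token is rejected before anything is saved.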
I thought this must be enough to convince them, but wait, no! After 4 hours, I got a response like this:
"indeed the bug is valid but not rewardable." Is this a SECURITY guy writing: "The bug doesn't impact in any way the security of the website because of the way it is implemented in our back-end" Can you believe it? I couldn't…
Also, they say "they will fix it, but unfortunately it doesn't qualify for bounty."
… (No Comment!)
After sharing my thoughts with them, I got another response.
while a valid bug, does not lead to compromise
Are they totally wrong, or is it me?! Do they know what the OWASP TOP-10 is? As a friend said on Twitter: RIP OWASP TOP-10! :) Let me explain: XSS was the 2nd vulnerability on the OWASP 2010 TOP-10, and 3rd on the OWASP 2013 TOP-10.
OWASP Top 10
The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The OWASP Top Ten is a powerful awareness document, while somebody is NOT!
If I had sent them the same report with document.cookie instead of document.domain, maybe they would have accepted it, but I won't mess with them again.
At first, I decided to wait for them to fix the XSS I reported before publishing this article. They said that if I make this vulnerability public, they will BAN me from the bug bounty :) But then I thought, why do I care? Now it is public.
Enjoy! Comments are welcome.
Thanks for reading!
Edit: Thanks to @stamparm for helping me fix some grammatical errors.