<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Webspear Security]]></title><description><![CDATA[Webspear Security]]></description><link>https://hax.webspearsecurity.com</link><generator>RSS for Node</generator><lastBuildDate>Thu, 30 Apr 2026 10:50:08 GMT</lastBuildDate><atom:link href="https://hax.webspearsecurity.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[How I could have compromised a local company's entire AWS infrastructure]]></title><description><![CDATA[While exploring a renowned local company's website, I encountered a link that redirected me to a suspicious-looking web application. Upon inspecting the application, it became evident that it was certainly susceptible to a security issue; however, th...]]></description><link>https://hax.webspearsecurity.com/how-i-could-have-compromised-a-local-companys-entire-aws-infrastructure</link><guid isPermaLink="true">https://hax.webspearsecurity.com/how-i-could-have-compromised-a-local-companys-entire-aws-infrastructure</guid><category><![CDATA[bugbounty]]></category><category><![CDATA[AWS]]></category><dc:creator><![CDATA[Lawrence Mburu]]></dc:creator><pubDate>Tue, 19 Dec 2023 18:27:10 GMT</pubDate><content:encoded><![CDATA[<p>While exploring a renowned local company's website, I encountered a link that redirected me to a suspicious-looking web application. Upon inspecting the application, it became evident that it was certainly susceptible to a security issue; however, the specific vulnerability was not immediately identifiable.</p>
<h2 id="heading-analysing-javascript-code-for-juicy-secrets">Analysing JavaScript code for Juicy Secrets</h2>
<p>One of my initial steps in hacking a web application involves analyzing JS files. This practice typically aids in identifying the API endpoints that the web application interacts with. To accomplish this, I utilize <a target="_blank" href="https://github.com/GerbenJavado/LinkFinder">LinkFinder</a>, a Python CLI tool designed to extract API endpoints from specified JS files.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703007082432/f1b32a8e-6bac-42c9-aea4-1f97104c44f4.png" alt class="image--center mx-auto" /></p>
<p>The API endpoints that were identified didn't offer much functionality since the majority of them necessitated a valid session for interaction. Consequently, I returned to manually search for any hardcoded secrets within the JavaScript file.</p>
<p>Upon interacting with the application, I could tell that it was hosted on AWS. Thus, I initiated my search in the JS file for the pattern <code>AKIA</code>, which serves as the initial characters of an AWS Access Key ID, except those retrieved from the AWS STS service, which start with <code>ASIA</code>. Astonishingly, I discovered several instances matching this search pattern. Consequently, I was able to uncover the AWS Secret Access Key, displayed in plain text, along with other credentials for Auth0. Enclosed below is a heavily redacted screenshot depicting the hardcoded credentials.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703008656874/ef482c72-e8c0-4718-832f-dc71b4da830c.png" alt class="image--center mx-auto" /></p>
<p>Exporting the AWS access keys in my terminal and running the <code>aws sts get-caller-identity</code> command confirmed the credentials were valid.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703009045727/e99392a4-4e62-46a2-9153-9056de3bc319.png" alt class="image--center mx-auto" /></p>
<p>Using the credentials to list all AWS S3 buckets in the organization.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703009305321/bf04c53e-ad5f-4031-8395-7304a3be8251.png" alt class="image--center mx-auto" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703010124392/eefc8f9a-7e6e-48ae-8dd4-4659ada67aca.png" alt class="image--center mx-auto" /></p>
<p>Listing all <code>IAM</code> users in the AWS account</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703009425540/fc5f350d-e57c-4027-b3c1-4164204fe1c7.png" alt class="image--center mx-auto" /></p>
<p>Listing all database instances</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1703009530886/d33af866-41cb-4e92-805e-cc812d8e38e8.png" alt class="image--center mx-auto" /></p>
<p>The exposed AWS credentials evidently possessed Administrator permissions throughout the AWS account, likely resulting from linking the <code>AdministratorAccess</code> AWS policy to the <code>IAM</code> user. This potential scenario could have empowered a malicious user to inflict significantly greater damage to the provisioned AWS resources.</p>
<p>I sent an email to the mentioned company, clearly outlining the issue and providing recommended steps for remediation. Due to their delayed response, and considering the sensitivity of the issue, I felt compelled to call them, after which they promptly resolved the vulnerability.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<ul>
<li><p>It's crucial for developers not to assume that minifying JavaScript code hides any hardcoded sensitive information.</p>
</li>
<li><p>A proactive approach, such as implementing basic security scans in the CI/CD pipelines, helps in identifying and resolving issues like hardcoded credentials before deploying the application. This <code>shift-left</code> strategy enhances security measures.</p>
</li>
<li><p>Monitoring the usage of AWS credentials through services like CloudTrail is essential for detecting any abnormal activities or deviations from the usual pattern.</p>
</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Navigating Bug Bounty Programs: Enhancing Cyber Security in the Digital Landscape]]></title><description><![CDATA[In our interconnected world, where technology plays a pivotal role in every aspect of our lives, the importance of cyber security cannot be overstated. As technology advances, so do the risks associated with it. One critical aspect of bolstering cybe...]]></description><link>https://hax.webspearsecurity.com/navigating-bug-bounty-programs-enhancing-cyber-security-in-the-digital-landscape</link><guid isPermaLink="true">https://hax.webspearsecurity.com/navigating-bug-bounty-programs-enhancing-cyber-security-in-the-digital-landscape</guid><category><![CDATA[#cybersecurity]]></category><category><![CDATA[Cybercrime]]></category><category><![CDATA[bugbounty]]></category><dc:creator><![CDATA[Lawrence Mburu]]></dc:creator><pubDate>Mon, 18 Dec 2023 15:06:50 GMT</pubDate><content:encoded><![CDATA[<p>In our interconnected world, where technology plays a pivotal role in every aspect of our lives, the importance of cyber security cannot be overstated. As technology advances, so do the risks associated with it. One critical aspect of bolstering cyber security measures is understanding and addressing software bugs, which can potentially expose vulnerabilities in digital systems. Bug bounty programs have emerged as a proactive approach towards identifying and rectifying these vulnerabilities, significantly enhancing cyber security posture in the ever-evolving digital landscape.</p>
<h3 id="heading-software-bugs-in-cyber-security"><strong>Software Bugs in Cyber Security</strong></h3>
<p>Bugs, in the context of cyber security, refer to flaws or weaknesses within software that malicious actors can exploit to gain unauthorized access, disrupt services, or compromise sensitive data. These vulnerabilities can range from simple coding errors to complex loopholes that can be exploited for malicious purposes.</p>
<p>While developers strive to create robust and secure software, the reality is that no system is entirely free of bugs. The continuous development and updates of software, often performed under tight deadlines, can inadvertently introduce security vulnerabilities. Therefore, the identification and resolution of these issues is crucial to maintaining the overall security of digital systems.</p>
<h3 id="heading-role-of-bug-bounty-programs"><strong>Role of Bug Bounty Programs</strong></h3>
<p>Bug bounty programs serve as an essential component in the fight against cyber threats. These initiatives invite ethical hackers, security researchers, and enthusiasts from around the globe to uncover vulnerabilities within software, websites, or mobile applications. Companies running these programs offer rewards, ranging from monetary compensation to recognition, for the responsible disclosure of bugs.</p>
<p>By crowdsourcing security testing to a diverse community of skilled individuals, bug bounty programs leverage the collective expertise and creativity of participants. This approach enables organizations to identify and address vulnerabilities before malicious actors exploit them, thereby fortifying their cyber defenses.</p>
<p>Some of the renowned bug bounty platforms include HackerOne, Bugcrowd, Intigriti, YesWeHack, Inspectiv, etc.</p>
<h3 id="heading-advantages-of-bug-bounty-programs"><strong>Advantages of Bug Bounty Programs</strong></h3>
<ol>
<li><p><strong>Enhanced Security Posture</strong>: Bug bounty programs act as proactive measures, allowing companies to identify and patch vulnerabilities before they are exploited, strengthening their security posture.</p>
</li>
<li><p><strong>Diverse Perspectives</strong>: Engaging a global pool of ethical hackers and researchers provides a variety of perspectives and approaches to identify potential weaknesses that internal security teams might overlook.</p>
</li>
<li><p><strong>Cost-Effective Security Testing</strong>: Leveraging external talent through bug bounty programs can be more cost-effective than maintaining an in-house security team dedicated solely to finding vulnerabilities.</p>
</li>
<li><p><strong>Continuous Improvement</strong>: Bug bounty programs encourage continuous improvement by fostering a culture of security awareness and proactive risk mitigation within organizations.</p>
</li>
</ol>
<h3 id="heading-challenges-and-ethical-considerations"><strong>Challenges and Ethical Considerations</strong></h3>
<p>While bug bounty programs offer significant benefits, they are not without challenges. Coordinating report submissions, validating reported bugs, and ensuring ethical conduct among bug bounty participants can pose logistical and managerial hurdles for organizations. Moreover, defining ethical boundaries, avoiding potential conflicts of interest, and safeguarding user data during testing are critical ethical considerations when establishing a bug bounty program.</p>
<h3 id="heading-conclusion"><strong>Conclusion</strong></h3>
<p>In an era where cyber threats continue to evolve, bug bounty programs represent a proactive and collaborative approach to fortifying cyber security defenses. By harnessing the expertise of a global community, these initiatives contribute to the identification and resolution of software security vulnerabilities, ultimately making digital systems more secure.</p>
<p>As technology continues to advance, the evolution of bug bounty programs will likely play an increasingly integral role in safeguarding the digital ecosystem. Embracing these programs as a proactive measure can empower organizations to stay ahead in the ongoing battle against cyber crime, ensuring a safer and more secure online experience for all.</p>
]]></content:encoded></item><item><title><![CDATA[Year In Review: 2023]]></title><description><![CDATA[As the year 2023 draws to a close, it's time to take a retrospective journey through the rollercoaster of experiences, challenges, and achievements that defined this year for me. From career highs to unexpected lows, this year was a testament to adap...]]></description><link>https://hax.webspearsecurity.com/year-in-review-2023</link><guid isPermaLink="true">https://hax.webspearsecurity.com/year-in-review-2023</guid><category><![CDATA[2023-year-in-review]]></category><dc:creator><![CDATA[Lawrence Mburu]]></dc:creator><pubDate>Wed, 06 Dec 2023 06:25:12 GMT</pubDate><content:encoded><![CDATA[<p>As the year 2023 draws to a close, it's time to take a retrospective journey through the rollercoaster of experiences, challenges, and achievements that defined this year for me. From career highs to unexpected lows, this year was a testament to adaptability, perseverance, and the pursuit of new opportunities.</p>
<h2 id="heading-career-milestones-and-professional-growth"><strong>Career Milestones and Professional Growth</strong></h2>
<p>One of the defining moments of 2023 was my elevation from a Lead Security Engineer to the role of Head of Infrastructure and Security. This shift allowed me to lead a talented team of Site Reliability Engineers (SREs) and Security experts in crafting a robust, reliable, and secure platform. The focus on collaboration and innovation led to the development of extensive automation tools that streamlined processes and eliminated manual tasks, enhancing efficiency and effectiveness across the board.</p>
<h3 id="heading-company-closure-and-job-transition"><strong>Company Closure and Job Transition</strong></h3>
<p>However, with every peak comes the possibility of an unforeseen valley. In a surprising turn of events, the company I was part of faced bankruptcy, resulting in the unfortunate loss of my job. September marked the closure, leading to a period of uncertainty and reflection.</p>
<h3 id="heading-resurgence-in-bug-bounty-hunting"><strong>Resurgence in Bug Bounty Hunting</strong></h3>
<p>A highlight of my year was reigniting my passion for bug bounty hunting on HackerOne. With focused determination, I invested time and effort into uncovering vulnerabilities, culminating in a successful third quarter. This period was exceptionally rewarding, with numerous critical and high-severity issues discovered. Moreover, I'm thrilled to have secured the 1st place in the <a target="_blank" href="https://hackerone.com/leaderboard/country?year=2023&amp;quarter=3&amp;country=KE">Kenyan leaderboard for Q3</a>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1701843787136/945f294e-6c91-4d65-9f6c-0135b98810aa.png" alt class="image--center mx-auto" /></p>
<p>The HackerOne conversational AI also created a funny story about my HackerOne 2023 journey. While it's fictional, especially the intro part, most of it is based on true events that transpired during my hacking and bug bounty journey of 2023. You can read more <a target="_blank" href="https://hackerone.com/stories-about-2023/04edc585de0440a93feb0405">here</a>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1702878023058/57f213bf-1b81-4342-87eb-22a83bec6371.png" alt class="image--center mx-auto" /></p>
<p>Overall, I'm quite happy with what I managed to achieve with regards to Hacking and Bug Bounty this year. I'm looking forward to more of this success in the coming year.</p>
<h3 id="heading-embracing-change-joining-buckhill-software"><strong>Embracing Change: Joining BuckHill Software</strong></h3>
<p>Navigating the tides of change, I seized an opportunity to embark on a new professional journey. I am thrilled to have joined BuckHill Software, embracing fresh challenges and contributing my expertise to a dynamic team.</p>
<h2 id="heading-whats-new-for-2024"><strong>What's New for 2024?</strong></h2>
<h3 id="heading-exploring-smart-contract-auditing"><strong>Exploring Smart Contract Auditing</strong></h3>
<p>Looking ahead to the coming year, I am eager to delve into the fascinating realm of smart contract auditing. The burgeoning field of blockchain technology and decentralized applications presents an exciting avenue to deepen my knowledge and expertise.</p>
<h3 id="heading-building-a-cybersecurity-consulting-company"><strong>Building a Cybersecurity Consulting Company</strong></h3>
<p>Additionally, my aspirations for 2024 include establishing a cybersecurity consulting company. Leveraging my diverse experiences and insights gained over the years, I aim to offer tailored solutions, helping businesses fortify their digital infrastructure against evolving threats.</p>
<p>As the curtains fall on 2023, I am grateful for the opportunities, lessons, and growth this year has brought. I carry forward the learnings and experiences, poised to embrace the challenges and triumphs that await in the promising horizon of 2024.</p>
]]></content:encoded></item><item><title><![CDATA[Accessing employees video recordings via leaked API keys in a public github repository]]></title><description><![CDATA[Introduction
I received an invitation to a HackerOne private program. This came after being away from the bug bounty scene for close to 5 months straight. So I decided to take a look in hopes of finding something.
The Target
The program had a small s...]]></description><link>https://hax.webspearsecurity.com/accessing-employees-video-recordings-via-leaked-api-keys-in-a-public-github-repository</link><guid isPermaLink="true">https://hax.webspearsecurity.com/accessing-employees-video-recordings-via-leaked-api-keys-in-a-public-github-repository</guid><category><![CDATA[github-recon]]></category><category><![CDATA[bugbounty]]></category><dc:creator><![CDATA[Lawrence Mburu]]></dc:creator><pubDate>Sat, 25 Nov 2023 12:38:44 GMT</pubDate><content:encoded><![CDATA[<h1 id="heading-introduction">Introduction</h1>
<p>I received an invitation to a HackerOne private program. This came after being away from the bug bounty scene for close to 5 months straight. So I decided to take a look in hopes of finding something.</p>
<h1 id="heading-the-target">The Target</h1>
<p>The program had a small scope. Its main production and staging applications were the only ones in scope, <code>dashboard.redacted.co</code> and <code>staging-dashboard.redacted.co</code>. I created an account in the production app and started checking out the functionalities of the application.</p>
<p>It was day two of testing the application and I still could not find anything significant worth reporting. So I decided to switch tactics and do a little bit of recon. Given that only two domains were in scope, I didn't have many options for recon other than JavaScript analysis and GitHub recon.</p>
<h1 id="heading-github-recon">GitHub Recon</h1>
<p>The program had a GitHub org for sharing their public plugins with the developer community. I navigated all the public repositories looking at the commit history for any information that could be of interest.</p>
<p>After a few hours, one repo piqued my interest, due to references to <code>apiKey</code> parameters. I dug into the source code and managed to find working <code>apiKeys</code> for the staging environment.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1700915097473/414c4ceb-bd52-4e68-a825-0ee62d17204e.png" alt class="image--center mx-auto" /></p>
<p>Among other attack vectors, the program was mostly interested in the ability of an attacker to gain access to other users' video recordings. They offered services similar to Google Meet, with the ability to record meeting sessions, which were stored in S3 buckets.</p>
<p>Using a valid <code>apiKey</code>, you could retrieve AWS S3 presigned URLs to download recordings in the S3 buckets via the API if the <code>apiKey</code> had the permissions to. I was lucky in that the <code>apiKey</code> leaked in the GitHub repo had admin permissions across the org, allowing me to retrieve download URLs for every recording in the org.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1700932357794/99bb0f12-1dbe-4887-82b3-2ebd86c96aa0.png" alt class="image--center mx-auto" /></p>
<p>I was able to access meeting recordings of employees of the company, testing new features of the product and having private discussions. I filed a report on HackerOne and they triaged it as a <code>High</code> severity issue, paying a four-digit bounty and an additional $50 for completing a retest.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1700915613720/71fe6de5-3dc0-47b4-bed2-bea22a9b516f.png" alt class="image--center mx-auto" /></p>
<h1 id="heading-conclusions">Conclusions</h1>
<p>It's common to face a target with a narrow scope. In such cases always try to widen the attack surface within limits that could still fall into scope as dictated by the bug bounty program policy.</p>
]]></content:encoded></item></channel></rss>