Employing a tough line of defense in a cost-effective way
In this age of computers, businesses of every size, across industries and around the world, depend on online operations for the interconnectivity and interoperability that efficient delivery of goods, products, and services requires. There is hardly a household or a seat of government that does not function better with the help of the Internet, and it is almost unimaginable today for an individual to get by without a mobile phone or some other connected device.
And along with the growth of cyberspace activities came the growth of cybercriminality.
Nearly every online user knows that at any time a bug, a virus, or a hacker can compromise their phone or computer, exposing private data and sensitive systems. Companies cannot afford to be caught off guard: new vulnerabilities are discovered daily, and they too must keep finding new ways to stay protected. One response to that need is what is now termed the bug bounty program.
Bug bounty programs are set up by companies and corporations for ethical hackers to try to discover the configuration errors and software flaws that could compromise operations and breach security, damaging reputations, exposing private information and, not least, costing large sums of money. In other words, bug bounty programs are a defensive measure against cybercrime: ethical hackers and security researchers are invited to find vulnerabilities in the company's ecosystem, and those who do are paid handsome monetary rewards and recognized for their disclosures. It is a far less expensive way of finding exploitable flaws than relying on continuous in-house tests and evaluations alone.
"Bug Bounty" was a phrase coined by Netscape Communications in 1995, when it ran a bug-finding program for the Netscape Navigator 2.0 Beta and offered rewards to anybody who discovered its flaws. Netscape was inspired by Hunter & Ready, which launched the first bug bounty program in 1983, offering a VW Beetle to anyone who could find flaws in its VRTX operating system under the motto "Get a bug if you find a bug."
Bug bounty hunting remained a niche activity until Google launched its own program in 2010, after which it gained traction. Other companies followed, and the programs that resulted have taken in more than a hundred thousand vulnerability reports and paid out more than $42 million. Today hundreds of companies and organizations of all sizes, even political entities, run bug bounty programs. The US Department of Defense has run programs for several years, and the EU launched its own in January 2019.
The “Hack the Pentagon” program launched in 2016 paid out about $75,000. The EU adds a 20% bonus to its payout if the hacker also provides a fix for the vulnerability. A bug bounty can earn a hacker anywhere from hundreds to thousands of dollars per report, and one researcher has been recorded as passing $1 million in total earnings. Payouts vary with the severity of the vulnerability, the data and systems exposed, and the company running the program. Government programs are said to pay the highest rewards, and multifactor authentication (MFA) bypass is said to be the most lucrative class of vulnerability. In 2020, cumulative payouts passed $100 million as more and more companies opted for bug bounty programs.
Cross-site scripting was the most reported vulnerability, followed by improper authentication, with information disclosure third.
Some vulnerabilities that require immediate attention include:
Cross-Site Scripting (XSS)
This bug occurs when attacker-controlled input is rendered into a page without proper encoding, so that the attacker's script runs in the victim's browser with the site's own privileges, stealing session tokens or performing actions as the user.
Open Redirect
Open redirects are triggered when an HTTP or URL parameter carrying a URL value causes the web app to redirect the request to whatever URL was supplied. The bug leads to phishing, escalates an SSRF, bypasses URL blacklists and whitelists, smuggles tokens, and is often one link in a bug chain with dire consequences.
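The redirect check below is an added example, not code from the original article or from any program it mentions. It contrasts the naive prefix/substring test that hunters routinely report with a hardened version that resolves the candidate against the site's own origin and re-emits only the path. The origin `app.example.com` and the probe strings are constructed for the illustration.

```python
from urllib.parse import urljoin, urlparse

# Assumed origin of the application being tested (constructed for this example).
SITE_ORIGIN = "https://app.example.com"


def weak_is_safe_redirect(target: str) -> bool:
    """The kind of check that gets reported as an open redirect.

    It only asks whether the target starts with "/" or mentions our host name,
    so protocol-relative URLs, look-alike hosts and query-string tricks pass.
    """
    return target.startswith("/") or "app.example.com" in target


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that can only point back into SITE_ORIGIN.

    Anything that does not resolve to our own scheme and host falls back to
    `default`, and the result is re-emitted as a path so that no attacker-supplied
    host ever reaches the Location header.
    """
    if not target:
        return default
    # Backslashes and control characters are normalised by browsers in ways
    # urlparse does not model ("/\evil" becomes "//evil"), so refuse them outright.
    if any(c == "\\" or ord(c) < 0x20 for c in target):
        return default
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    ours = urlparse(SITE_ORIGIN)
    if resolved.scheme != ours.scheme or resolved.netloc != ours.netloc:
        return default
    path = resolved.path or "/"
    if resolved.query:
        path += "?" + resolved.query
    return path


# Constructed probe list: what a hunter feeds a ?next= or ?redirect= parameter.
PROBES = [
    "/account",                                   # legitimate
    "//evil.example/phish",                       # protocol-relative URL
    "https://evil.example/?ref=app.example.com",  # our host name only in the query
    "https://app.example.com.evil.example/",      # look-alike subdomain
    "/\\evil.example",                            # backslash normalisation
    "javascript:alert(1)",                        # scheme smuggling
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:48} weak={weak_is_safe_redirect(p)!s:5} hardened -> {safe_redirect_target(p)!r}")
```

Re-emitting the path rather than echoing the original string is what makes the hardened version robust: a value like `https:evil.example`, which some browsers treat as an absolute URL, is resolved relative to the site by `urljoin` and comes back as the harmless `/evil.example`.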
Insecure Direct Object References (IDOR)
Common in nearly every web app, IDORs arise when access controls are poorly implemented: the application takes an identifier from the request (an account number, file ID, or record ID) and fetches the object without checking that the requester is allowed to see it, leading to sensitive data leaks.
Cross-Site Request Forgery (CSRF)
A bug that lets an attacker make the victim's browser submit authenticated requests on the victim's behalf, so the attacker can perform any action the victim can, up to an account takeover.
Server-Side Request Forgery (SSRF)
It takes place when attackers can make the server send requests on their behalf: the requests carry the server's identity and network position, bypassing firewall controls, reaching internal services, leaking information, and scanning the internal network. Chained with other bugs like open redirects and improper access control, its impact escalates to leaking confidential data and executing code on internal machines.
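The guard below is an added example, not code from the original article, showing the check a server should apply before fetching a user-supplied URL. Because the example must run offline, DNS is replaced by a constructed lookup table; a real guard would call `socket.getaddrinfo` and vet every address it returns. The host names and addresses in the table are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline. A real guard would
# call socket.getaddrinfo and must vet *every* address it returns.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],  # cloud metadata endpoint
    "localtest.example": ["127.0.0.1"],                # public name, loopback answer
    "mixed.example": ["93.184.216.34", "10.0.0.5"],    # one public, one private answer
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for a globally routable unicast address."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is really IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve(host: str) -> list[str]:
    """IP literals resolve to themselves; names go through the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    try:
        return FAKE_DNS[host.rstrip(".").lower()]
    except KeyError:
        raise LookupError(f"unresolvable host: {host}") from None


def vet_outbound_url(url: str) -> bool:
    """Decide whether the server may fetch `url` on a user's behalf."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:        # "trusted.example@127.0.0.1" tricks
        return False
    try:
        addresses = resolve(parts.hostname)
    except LookupError:
        return False
    # Every answer must be public; a single private record is enough to pivot.
    return all(is_public_address(a) for a in addresses)


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/data",
              "http://169.254.169.254/latest/meta-data/",
              "http://localtest.example/",
              "http://[::ffff:7f00:1]/",
              "http://api.partner.example@127.0.0.1/"):
        print(f"{u:48} allowed={vet_outbound_url(u)}")
```

Two caveats a reviewer would raise: the check is itself a time-of-check/time-of-use window (DNS rebinding can return a public address to the guard and a private one to the HTTP client), so the fetch should connect to the vetted IP rather than re-resolving the name; and redirects must not be followed automatically, since a redirect to `http://127.0.0.1/` would bypass the whole check.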
Insecure Deserialization
This vulnerability is becoming common as web apps grow more complex. Attackers manipulate serialized objects that the application deserializes, which can cause denial of service, authentication bypass, or RCE.
Remote Code Execution (RCE)
This type of vulnerability allows an attacker to execute arbitrary code on the server, usually by taking advantage of other vulnerabilities such as insecure file upload, remote file inclusion, or insecure deserialization.
Clickjacking
This attack, also called UI redressing, deceives the user by loading the target application in an invisible frame over an attacker-controlled HTML page, so that clicks meant for the decoy land on the real application. Because the resulting requests come from the victim's own authenticated session, the attack sidesteps CSRF protections.
Race Condition
This vulnerability arises when operations that should run in sequence are executed simultaneously. The classic form is the time-of-check/time-of-use (TOCTOU) attack, which victimizes banking, trading, and e-commerce sites: parallel requests all pass the balance check before any of them debits the account, so funds can be withdrawn several times over.
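The simulation below is an added example, not code from the original article. It reproduces the withdrawal race described above deterministically: a `threading.Barrier` stands in for network timing and forces every request to pass the balance check before any of them debits, which is the worst-case interleaving. The `Account` class and the balances are constructed for the illustration.

```python
import threading
from typing import Callable, Optional


class Account:
    """Constructed in-memory account; `balance` is the shared state under attack."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int,
                  pause: Optional[Callable[[], None]] = None) -> bool:
    """Vulnerable: the check and the debit are two separate steps."""
    if acct.balance >= amount:          # time of check
        if pause:
            pause()                     # window in which other requests run
        acct.balance -= amount          # time of use, acting on a stale check
        return True
    return False


def withdraw_atomic(acct: Account, amount: int,
                    pause: Optional[Callable[[], None]] = None) -> bool:
    """Hardened: check and debit happen under one lock and cannot interleave."""
    if pause:
        pause()                         # requests may still arrive together...
    with acct.lock:                     # ...but are serialised from here on
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_concurrent_withdrawals(withdraw, balance: int, amount: int, n: int):
    """Fire `n` simultaneous withdrawals; return (successful_withdrawals, final_balance).

    Every thread blocks at the pause point until all `n` have reached it, so
    for the racy function all of them pass the check against the original balance.
    """
    acct = Account(balance)
    barrier = threading.Barrier(n)
    results = [False] * n

    def worker(i: int) -> None:
        results[i] = withdraw(acct, amount, pause=barrier.wait)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), acct.balance


if __name__ == "__main__":
    print("racy  :", run_concurrent_withdrawals(withdraw_racy, 100, 100, 3))    # (3, -200)
    print("atomic:", run_concurrent_withdrawals(withdraw_atomic, 100, 100, 3))  # (1, 0)
```

In a real application the lock is usually a database construct (a `SELECT ... FOR UPDATE`, a conditional `UPDATE ... WHERE balance >= ?`, or a serializable transaction) rather than an in-process mutex, since the racing requests typically land on different server instances.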
SQL Injection
This vulnerability occurs when user input that was not properly filtered or escaped is concatenated into an SQL statement, letting an attacker inject SQL commands of their own and leading to data leaks and, depending on the database, command execution.
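The following is an added example, not code from the original article, using SQLite's in-memory database so it runs anywhere. It places the injectable string-formatted login query next to its parameterised replacement and includes the first probe a hunter sends, a lone quote, to see whether a database error surfaces. The table, users and placeholder hash strings are constructed; real authentication would verify a password hash in code rather than compare strings in SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "hash-admin", "admin"),
         ("alice", "hash-alice", "user"),
         ("bob", "hash-bob", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Builds the statement by string formatting: the classic injectable pattern."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Parameterised query: the input is bound as data and can never become SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


def triggers_sql_error(conn: sqlite3.Connection, username: str) -> bool:
    """Hunter's first probe: does a stray quote in the username surface a DB error?"""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # "admin' --" closes the string and comments out the password clause.
    print("vulnerable:", login_vulnerable(db, "admin' --", "wrong"))
    print("safe      :", login_safe(db, "admin' --", "wrong"))
    # "' OR 1=1 --" makes the WHERE clause true for every row.
    print("dump      :", login_vulnerable(db, "' OR 1=1 --", "wrong"))
    print("error probe:", triggers_sql_error(db, "'"))
```

The parameterised version returns nothing for both payloads because the driver sends the user's text to the database as a bound value, not as part of the statement text, so the quote and the comment marker are just characters in a username.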
Broken Access Control
Broken access control issues include tampering with cookies, URLs, and paths to reach hidden developer panels and other parts of the web application's architecture that the user was never meant to see.
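The example below is added here and is not code from the original article. It serves both the IDOR entry above and this one: an object fetch that trusts the identifier in the URL next to one that checks ownership per object, a deny-by-default route policy for the hidden-panel case, and the sequential-ID walk a hunter uses to show the leak. The users, invoices and route table are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str   # "user", "developer" or "admin"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed data: sequential IDs are what make IDORs cheap to enumerate.
INVOICES = {
    1001: {"owner_id": 1, "total": 120.00},
    1002: {"owner_id": 2, "total": 980.50},
    1003: {"owner_id": 2, "total": 45.00},
}

# Constructed route policy. Deny by default: an unlisted "hidden" path is not
# reachable merely because nobody advertised it.
ROUTE_ROLES = {
    "/invoices": {"user", "developer", "admin"},
    "/dev/panel": {"developer", "admin"},
    "/admin/users": {"admin"},
}


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    """IDOR: trusts the identifier from the URL and never asks who owns the object."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Fixed: authorisation is decided per object, not just per endpoint."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner_id"] != current_user.id
                           and current_user.role != "admin"):
        # One response for "missing" and "not yours" denies the attacker an
        # existence oracle for other people's records.
        raise NotFound(invoice_id)
    return invoice


def authorize_route(current_user: User, path: str) -> None:
    """Route-level check for the hidden-panel case: unknown paths fail closed."""
    allowed = ROUTE_ROLES.get(path, set())
    if current_user.role not in allowed:
        raise Forbidden(path)


def can_access(current_user: User, path: str) -> bool:
    try:
        authorize_route(current_user, path)
        return True
    except Forbidden:
        return False


def enumerate_leaks(current_user: User, fetch, id_range) -> list:
    """What a hunter does: walk sequential IDs and list the ones that come back."""
    leaked = []
    for invoice_id in id_range:
        try:
            fetch(current_user, invoice_id)
            leaked.append(invoice_id)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    mallory = User(id=3, role="user")   # authenticated, owns nothing
    print("vulnerable leaks:", enumerate_leaks(mallory, get_invoice_vulnerable, range(1000, 1010)))
    print("fixed leaks     :", enumerate_leaks(mallory, get_invoice, range(1000, 1010)))
    print("mallory -> /dev/panel:", can_access(mallory, "/dev/panel"))
```

The report-worthy finding is the first line of output: an account that owns nothing can read every invoice simply by counting upward, and the same walk against the fixed function proves the remediation without revealing whether the IDs exist.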
Multifactor Authentication Bypass (MFA)
The case most often cited is a critical vulnerability in WS-Trust-enabled cloud environments, where attackers bypass MFA and access cloud applications that authenticate through WS-Trust, such as Microsoft 365, including production and development environments such as Azure and Visual Studio. The bypass can give attackers full access to a target's account, including emails, files, data, and contacts. More generally, any flaw that lets an attacker complete authentication without presenting the second factor falls into this class.
There are various kinds of bug bounty programs, but the skills most in demand are web and mobile hacking, with the majority of programs covering web applications, since most companies want their websites tried and tested.
Mobile hacking programs are beginning to rise in demand as mobile companies ship more complex products. Mobile targets have a higher barrier to entry, but the rewards for those skills are correspondingly higher.