Bugcrowd is proud to release our VRT, a valuable resource for both researchers and customers to better understand the technical rating system we use to classify vulnerabilities. This report details how and why we created the VRT and includes a usage guide to accompany the taxonomy itself.
THE METHODOLOGY
In February 2016 we released the Bugcrowd Vulnerability Rating Taxonomy (VRT) in an effort to further bolster transparency and communication, as well as to contribute valuable and actionable content to the bug bounty community.
Bugcrowd’s VRT is a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for vulnerabilities that we see often. To arrive at this baseline priority, Bugcrowd’s security engineers started with generally accepted industry impact and further considered the average acceptance rate, average priority, and commonly requested program-specific exclusions (based on business use cases) across all of Bugcrowd’s programs.
Implications For Bug Hunters: Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the types of issues that are normally seen and accepted by bug bounty programs. We hope that being transparent about the typical priority level for various bug types will help bug bounty participants save valuable time and effort in their quest to make bounty targets more secure. The VRT can also help researchers identify which types of high-value bugs they have overlooked, and when to provide exploitation information (PoC info) in a report where it might impact priority. Interested in becoming a Bugcrowd researcher? Join the crowd.
Implications For Customers: The VRT helps customers gain a more comprehensive understanding of bug bounties. Not only will customers better understand priorities and their impact, but the VRT also helps them write better bounty briefs, adjust bounty scope, and communicate more clearly about bugs. In the fixing stage, the VRT will help business units across the board in communicating about and remediating the identified security issues. For more information on our priority rating and the worth of a bug, read our recently launched guide “What’s A Bug Worth.”
USAGE GUIDE
The VRT is intended to provide valuable information for bug bounty stakeholders. It is important that we identify the ways in which we use it successfully, and what considerations should be kept in mind.
Priority is a Baseline
The recommended priority, from Priority 1 (P1) to Priority 5 (P5), is a baseline. While this baseline priority might apply without context, it’s possible that application complexity, bounty brief restrictions, or unusual impact could result in a different rating. As a customer, it’s important to weigh the VRT alongside your internal application security ratings. For bug hunters, if you think a bug’s impact warrants reporting despite the VRT’s guidelines, or that the customer has misunderstood the threat scenario, we encourage you to submit the issue regardless and use the Bugcrowd Crowdcontrol commenting system to clearly communicate your reasoning.
Low Priority Does Not Imply Insignificance
For customers, it’s important to recognize that base priority does not equate to “industry accepted impact.” Base priority is defined by our Technical Operations Team, and our VRT is a living document (see the following point about the “Vulnerability Roundtable”). Your internal teams or engineers might assess certain bugs, especially those designated P4 or P5 within the VRT, differently. Read more about our vulnerability prioritization. As a bug hunter, it’s important not to discount lower priority bugs, as many bug hunters have used such bugs within “exploit chains” of two or three bugs resulting in creative, valid, and high-impact submissions.
Importance of a Vulnerability Roundtable
Bugcrowd reviews proposed changes to the VRT every week at an operations meeting called the “Vulnerability Roundtable.” We use this one-hour meeting to discuss new vulnerabilities, edge cases for existing vulnerabilities, priority level adjustments, and to share general bug validation knowledge. When the team comes to a consensus regarding each proposed change, it is committed to the master version. Members of the Technical Operations team look forward to this meeting each week, as examining some of the most difficult-to-validate bugs serves as a unique learning exercise. This specific document will be updated externally on a quarterly basis.
Communication is King
Having cut-and-dry baseline ratings as defined by our VRT makes rating bugs a faster and less difficult process. We have to remember, however, that strong communication is the most powerful tool for anyone running or participating in a bug bounty. Both sides of the bug bounty equation must exist in balance. When in doubt, ask dumb questions, be verbose, and more generally, behave in a way that allows you and your bounty counterpart to foster a respectful relationship. As a customer, keep in mind that every bug takes time and effort to find. As a bounty hunter, try to remember that every bug’s impact is ultimately determined by the customer’s environment and use cases.
One Size Doesn’t Fit All
As the version of the VRT we have released only covers some web and mobile application vulnerabilities, it should be viewed as a foundation. Any vulnerability taxonomy would look much more robust with the addition of IoT, reverse engineering, network-level, and other vulnerability categories, most of which have been validated and triaged by Bugcrowd in the past. In addition, while this taxonomy maps bugs to the OWASP Top Ten and the OWASP Mobile Top Ten to add more contextual information, additional metadata could include CWE or WASC, among others. As always, the program owner retains all rights to choose final bug prioritization levels.
Priority | OWASP Top Ten + Bugcrowd Extras | Specific Vulnerability Name | Variant or Affected Function
P1 | A1 - Injection | File Inclusion | Local
P1 | A1 - Injection | Remote Code Execution (RCE) |
P1 | A1 - Injection | SQL Injection | Error-Based
P1 | A1 - Injection | SQL Injection | Blind
P1 | A1 - Injection | XML External Entity Injection (XXE) |
P1 | A2 - Broken Authentication and Session Management | Authentication Bypass | Vertical
P1 | A4 - Insecure Direct Object References (IDOR) | Insecure Direct Object Reference (IDOR) | Critical Function
P1 | A5 - Security Misconfiguration | Using Default Credentials | Production Server
P1 | A5 - Security Misconfiguration | SSL Attack (Heartbleed) | With POC (Leak Server's Memory Contents)
P1 | A6 - Sensitive Data Exposure | Critically Sensitive Data | Password Disclosure
P1 | A6 - Sensitive Data Exposure | Critically Sensitive Data | Private API Keys
P1 | I9 - Insecure Software/Firmware | Command Injection |
P1 | I2 - Insufficient Authentication/Authorization | Cryptographic Flaw | Incorrect Usage
P1 | I6 - Insecure Cloud Interface | Insecure Direct Object Reference (IDOR) | Critical API Function
P1 | I9 - Insecure Software/Firmware | Hardcoded Password | Privileged User
P2 | A2 - Broken Authentication and Session Management | Authentication Bypass | Horizontal
P2 | A3 - Cross-Site Scripting (XSS) | Stored | Non-Admin to Anyone
P2 | A4 - Insecure Direct Object References (IDOR) | Insecure Direct Object Reference (IDOR) | Important Function
P2 | A4 - Insecure Direct Object References (IDOR) | Server-Side Request Forgery (SSRF) | Internal
P2 | A5 - Security Misconfiguration | Misconfigured DNS | With POC (Subdomain Takeover)
P2 | A5 - Security Misconfiguration | Using Default Credentials | Staging/Development Server
P2 | A8 - Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | Critical Function
P2 | B1 - Application-Level Denial-of-Service (DoS) | Critical Impact and/or Easy Difficulty |
P2 | I6 - Insecure Cloud Interface | Insecure Direct Object Reference (IDOR) | Important API Function
P2 | I9 - Insecure Software/Firmware | Hardcoded Password | Non-Privileged User
P2 | I1 - Insecure Web Interface | Insecure Data Storage | Password
P3 | A3 - Cross-Site Scripting (XSS) | Stored | Admin to Anyone
P3 | A1 - Injection | HTTP Response Manipulation | Response Splitting (CRLF)
P3 (continued)
P3 | A2 - Broken Authentication and Session Management | Weak Login Function | Over HTTP
P3 | A2 - Broken Authentication and Session Management | Session Fixation | With POC (of Account Takeover)
P3 | A3 - Cross-Site Scripting (XSS) | Reflected | Non-Admin to Anyone
P3 | A4 - Insecure Direct Object References (IDOR) | Insecure Direct Object Reference (IDOR) | Unimportant Function
P3 | A5 - Security Misconfiguration | Mail Server Misconfiguration | SPF Record (Employee Email Domain)
P3 | A5 - Security Misconfiguration | Weak Password Policy | Complexity, Both Length and Char Type Not Enforced
P3 | A6 - Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration
P3 | A6 - Sensitive Data Exposure | Visible Detailed Error Page | Critical Information
P3 | A8 - Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | Important Function
P3 | B1 - Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty |
P3 | I6 - Insecure Cloud Interface | Insecure Direct Object Reference (IDOR) | Unimportant API Function
P4
P4 | A3 - Cross-Site Scripting (XSS) | Reflected | Admin to Anyone
P4 | A1 - Injection | Reflected File Download | On Domain
P4 | A1 - Injection | Content Spoofing | External Authentication Injection
P4 | A2 - Broken Authentication and Session Management | Failure to Invalidate Session | On Logout
P4 | A2 - Broken Authentication and Session Management | Failure to Invalidate Session | On Password Reset
P4 | A2 - Broken Authentication and Session Management | Failure to Invalidate Session | On Password Change
P4 | A2 - Broken Authentication and Session Management | Session Token in URL | Over HTTP
P4 | A2 - Broken Authentication and Session Management | Sensitive Token in URL |
P4 | A3 - Cross-Site Scripting (XSS) | Cookie-Based |
P4 | A3 - Cross-Site Scripting (XSS) | IE-Only | Older Version (IE 10/11)
P4 | A3 - Cross-Site Scripting (XSS) | Referrer | With POC
P4 | A3 - Cross-Site Scripting (XSS) | TRACE Method | With POC
P4 | A3 - Cross-Site Scripting (XSS) | Universal (UXSS) | With POC
P4 | A3 - Cross-Site Scripting (XSS) | Off-Domain | Data URI
P4 | A4 - Insecure Direct Object References (IDOR) | Server-Side Request Forgery (SSRF) | External
P4 | A5 - Security Misconfiguration | Access-Control-Allow-Origin: * |
P4 | A5 - Security Misconfiguration | Crossdomain.xml * |
P4 | A5 - Security Misconfiguration | Lack of Password Confirmation | Change Email Address
P4 | A5 - Security Misconfiguration | Lack of Password Confirmation | Change Password
P4 (continued)
P4 | A5 - Security Misconfiguration | No Rate Limiting on Form | Login
P4 | A5 - Security Misconfiguration | No Rate Limiting on Form | Email-Triggering
P4 | A5 - Security Misconfiguration | Unsafe File Upload | No Antivirus
P4 | A5 - Security Misconfiguration | Unsafe File Upload | No Size Limit
P4 | A5 - Security Misconfiguration | Weak Password Policy | Complexity, Length Not Enforced
P4 | A5 - Security Misconfiguration | Weak Password Policy | Complexity, Char Type Not Enforced
P4 | A5 - Security Misconfiguration | Weak Password Reset Policy | Token is Not Invalidated After Use
P4 | A5 - Security Misconfiguration | Lack of Security Header | Cache-Control: no-cache / no-store (Sensitive Page)
P4 | A5 - Security Misconfiguration | Missing Secure or HTTPOnly Cookie Flag | With POC (that Token is Session Token)
P4 | A5 - Security Misconfiguration | Clickjacking (for Sensitive Action) | With POC
P4 | A5 - Security Misconfiguration | OAuth Misconfiguration | Missing State Parameter
P4 | A5 - Security Misconfiguration | Captcha Bypass | Implementation Vulnerability
P4 | A6 - Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration
P4 | A6 - Sensitive Data Exposure | Weak Password Reset Policy | Password Reset Token Sent Over HTTP
P4 | A6 - Sensitive Data Exposure | Visible Detailed Error Page | Important Information
P4 | A6 - Sensitive Data Exposure | Weak Password Reset Policy | Referrer Leakage Over HTTP
P4 | A6 - Sensitive Data Exposure | Mixed Content | Sensitive Data Disclosure
P4 | A7 - Missing Function Level Access Control | Username Enumeration | Data Leak
P4 | A8 - Cross-Site Request Forgery (CSRF) | Cross-Site Request Forgery (CSRF) | Unimportant Function
P4 | A9 - Using Components with Known Vulnerabilities | Rosetta Flash | With POC
P4 | B1 - Application-Level Denial-of-Service (DoS) | Low Impact and/or Medium Difficulty | Password Length DoS (Server-Side)
P4 | M2 - Insecure Data Storage | Credentials Stored Unencrypted | On External Storage
P4 | M2 - Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage
P4 | M4 - Unintended Data Leakage | Improper Export of Android Application Components | With POC
P4 | M5 - Poor Authorization and Authentication | Change Account Data Without Password |
P4 | I5 - Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password
P4 | I3 - Insecure Network Services | Telnet Enabled | Credentials Required
P5
P5 | A3 - Cross-Site Scripting (XSS) | Stored | Self
P5 | A3 - Cross-Site Scripting (XSS) | Reflected | Self
P5 | A9 - Using Components with Known Vulnerabilities | Outdated Software Version | Without POC
P5 CONTINUED
OWASP Top Ten + Bugcrowd Extras
Specific Vulnerability Name
Variant or Affected Function
M10 - Lack of Binary Protections
Lack of Exploit Mitigations
Position Independent Executable (PIE)
M10 - Lack of Binary Protections
Lack of Exploit Mitigations
Automatic Reference Counting (ARC)
M10 - Lack of Binary Protections
Lack of Exploit Mitigations
Stack Canaries
M10 - Lack of Binary Protections
Lack of Jailbreak Detection
M10 - Lack of Binary Protections
Lack of Obfuscation
M10 - L ack of Binar y Protections
Runtime Instrumentation-Based (Requires Jailbreak)
M4 - Unintended Data Leakage
Sensitive Data Hardcoded
OAuth Secret
M4 - Unintended Data Leakage
Sensitive Data Hardcoded
File Paths
A1 - Injection
CSV Injection
A1 - Injection
Reflected File Download
Off Domain
A1 - Injection
Content Spoofing
404 Page Message
A1 - Injection
Content Spoofing
Search Result Message
A10 - Unvalidated Redirects and Forwards
Open Redirect
Host Header
A10 - Unvalidated Redirects and Forwards
Open Redirect
Referrer
A2 - Broken Authentication and Session Management
Failure to Invalidate Session
All Sessions
A2 - Broken Authentication and Session Management
Failure to Invalidate Session
On Email Change
A2 - Broken Authentication and Session Management
Non-Sensitive Token in URL
A2 - Broken Authentication and Session Management
Session Token in URL
Over HTTPS
A2 - Broken Authentication and Session Management
Session Fixation
Without POC (of Account Takeover)
A3 - Cross-Site Scripting (XSS)
Universal (UXSS)
Without POC
A3 - Cross-Site Scripting (XSS)
IE-Only
XSS Filter Disabled
A3 - Cross-Site Scripting (XSS)
IE-Only
Older Version (< IE10)
A3 - Cross-Site Scripting (XSS)
Referrer
Without POC
A3 - Cross-Site Scripting (XSS)
TRACE Method
Without POC
A5 - Security Misconfiguration
Exposed Admin Portal
To Internet
A5 - Security Misconfiguration
Unsafe File Upload
File Extension Filter Bypass (Downloadable)
A5 - Security Misconfiguration
Mail Server Misconfiguration
SPF Record (Domain Not Used for Email)
A5 - Security Misconfiguration
Weak Password Reset Policy
Token is Not Invalidated After Email Change
A5 - Security Misconfiguration
Weak Password Reset Policy
Token is Not Invalidated After Password Change
A5 - Security Misconfiguration
Missing Secure or HTTPOnly Cookie Flag
Non-Session Cookie
A5 - Security Misconfiguration
Clickjacking (for Sensitive Action)
Without POC
P5 (continued)
P5 | A5 - Security Misconfiguration | Lack of Verification Email | Account Registration
P5 | A5 - Security Misconfiguration | Lack of Verification Email | Account Deactivation
P5 | A5 - Security Misconfiguration | Lack of Verification Email | Account Email Change
P5 | A5 - Security Misconfiguration | Mail Server Misconfiguration | DMARC Record
P5 | A5 - Security Misconfiguration | Missing DNSSEC |
P5 | A5 - Security Misconfiguration | Weak Password Policy | Allows Reuse of Old Passwords
P5 | A5 - Security Misconfiguration | Weak Password Policy | Allows Password to be Same as Email/Username
P5 | A5 - Security Misconfiguration | Weak Password Reset Policy | Token Has Long Timed Expiry
P5 | A5 - Security Misconfiguration | Weak Password Reset Policy | Token is Not Invalidated After New Token is Requested
P5 | A5 - Security Misconfiguration | Lack of Security Speed Bump Page |
P5 | A5 - Security Misconfiguration | Captcha Bypass | Brute Force, Tool, or Crowdsourcing
P5 | A5 - Security Misconfiguration | Username Enumeration | Brute Force
P5 | A5 - Security Misconfiguration | OPTIONS/TRACE Enabled | No Further Impact
P5 | A5 - Security Misconfiguration | Insecure SSL | Lack of Forward Secrecy
P5 | A5 - Security Misconfiguration | Insecure SSL | Insecure Cipher Suite
P5 | A5 - Security Misconfiguration | Lack of Security Headers | X-Frame-Options
P5 | A5 - Security Misconfiguration | Lack of Security Headers | Cache-Control (Non-Sensitive Page)
P5 | A5 - Security Misconfiguration | Lack of Security Headers | X-XSS-Protection
P5 | A5 - Security Misconfiguration | Lack of Security Headers | Strict-Transport-Security
P5 | A5 - Security Misconfiguration | Lack of Security Headers | X-Content-Type-Options
P5 | A5 - Security Misconfiguration | Lack of Security Headers | Content-Security-Policy
P5 | A5 - Security Misconfiguration | Lack of Security Headers | Public-Key-Pins
P5 | A5 - Security Misconfiguration | Lack of Security Headers | X-Content-Security-Policy
P5 | A5 - Security Misconfiguration | Lack of Security Headers | X-Webkit-CSP
P5 | A5 - Security Misconfiguration | Lack of Security Headers | Content-Security-Policy-Report-Only
P5 | A6 - Sensitive Data Exposure | Mixed Content | Requires Being a Man-in-the-Middle
A NOTE FROM OUR TECHNICAL OPERATIONS TEAM
We believe in growth and transparency for security and bug bounty communities and see the release of our VRT as a tool that may help align expectations between researchers and program owners across ALL programs. Much of our employees’ expertise in validating and rating thousands of submissions across hundreds of managed bounties is distilled into this document, making it a key component of Bugcrowd’s managed services. Our internal VRT is a living document that changes constantly in response to discussions at our Vulnerability Roundtable, so specific priority ratings and notes are frequently updated.
As our first and foremost goal is usability, the VRT is not exhaustive. We believe that foregoing extreme technical depth for usability in creating such a community resource is a worthwhile tradeoff. We’re confident that a security engineer using our VRT as a guide can triage and run a successful bug bounty program. Happy Hunting, Bugcrowd Technical Operations Team. Follow us at @BugcrowdOps and continue the discussion on our forum.
UPDATES
1.0 - February 5, 2016 (PDF)
1.0.1 - March 23, 2016 (current): Divided the Cross-Site Scripting (XSS) entries to provide additional granularity that captures priority variations for XSS within applications with multiple user privilege levels. Documentation here.