Low bug bounty payout considering the finding
I'm performing a pentest on a Ruby on Rails application at the moment and researching possible CSRF issues. I ran across this issue on HackerOne.
First of all, it says this finding led to a CVE and there's no CVE listed here. It looks like this is the related CVE: CVE-2020-8166
This page lists specific updates:
Unfortunately, the above page leads to Google Groups content. Google deprecated Google Groups, so I hope the Ruby on Rails project has a backup of this content and can restore it.
However, I can use the above information and some content I was able to produce through fuzzing the site I'm testing to determine whether a site is running a vulnerable version of Ruby on Rails that may be susceptible to this attack.
I looked at the payout: $500? CSRF is a high-risk finding that can lead to serious exploitation of a web application. That seems like a fairly low amount considering both the severity of the finding and the amount of time the person appears to have put in here. For me, $500 is like 2 hours of work, and it appears the person spent more time than that submitting this issue.
I think the only reason this person was able to spend the time reporting the bug was due to the fact that they discovered it during a related penetration test. That goes to show why penetration tests are still favorable compared to bug bounties, where testers are paid appropriately for the amount of time they put into finding bugs.
Perhaps the payout is lower because Ruby is an open source project and can't afford to pay more. Also, the exploit does require some access to obtain the required tokens.
If you're running Ruby on Rails, make sure you have upgraded to the latest version to avoid this exploit and the detailed steps to reproduce it on this site.
Teri Radichel
© 2nd Sight Lab 2022