Page 178 - Hands-On Bug Hunting for Penetration Testers
P. 178

Formatting Your Report                                                     Chapter 10

                      Know your audience. This advice overlaps and extends our discussion of making
                      the correct distinctions and adding the right technical detail. When you contact
                      an internal security team, who responds will depend on the organization. At a
                      small startup, you might get a developer (or even technical founder) to respond
                      to your report. At a larger, more enterprise company, there will be dedicated
                      security engineers and maybe even a proper Network Operations Center
                      (NOC), which is essentially the nerve center of any network/data center. This
                      means that, while you can't depend on your submission being read by a security
                      expert, eventually, your report will get passed to the person tasked with writing
                      the patch, and it should have the technical detail for them to start debugging.
                      This means that if there's a descriptive error stack trace, for examplebalthough it
                      won't get you a rewardbyou can make the contributing developer's life easier by
                      including it.

            These prescriptions, though simple, will improve the quality of your submission reports if
            put into practice.
            Let's look at a sample report, assuming for the context of this section that we're writing
            about a persistent XSS bug we've found in the comments field on a popular link
            aggregation forum (think Reddit or Hacker News). Assuming that we've already filled in
            the critical information about the bug's basic stats (which we'll cover in our Critical
            information section), and added any appropriate contextual information (in this case, the
            XSS payload would be useful), we're now ready to write the steps to reproduce the issue.
            I've included some short notes in italics so that you can distinguish my comments from the
            sample report text:

                   1.  Navigate to an individual thread view (IUUQT   XXX TPNFTJUF DPN UIF
                      MPDBUJPO PG UIF WVMOFSBCMF UISFBE IUNM) and click the Add Comment
                      button. Including a specific URL location is keybeven if you have already added
                      that data to another part of the report. Being specific about the action you're
                      taking in the UI (click the Add Comment button) sounds unnecessarily detailed
                      over something like submit the form, but is still useful.
                   2.  In the input UFYUBSFB modal that opens, enter the following malicious XSS
                      snippet. Then, click the Submit button:
                          TWH POMPBE BMFSU EPDVNFOU MPDBUJPO PSJHJO

                     Make sure to describe the UX at every point where you're changing application
                     state. Referencing the direct frontend components that are a part of the attack
                     surface you're testing will help the developers/engineers involved recreate the
                     entire input chain, from frontend submission to (in this case, failed) backend
                     validation.


                                                    [ 163 ]
   173   174   175   176   177   178   179   180   181   182   183