Page 206 - Hands-On Bug Hunting for Penetration Testers
Other (Out of Scope) Vulnerabilities Chapter 12
All of that is to be expected as part of the service and doesn't constitute a leaked source of
sensitive system information. This includes both information contained in the present
banners as well as "missing" security banners.
Known Public Files
This is simple: some files are designed to be accessible! Reporting on the configuration or
availability of robots.txt, wp-uploads, or sitemap.xml isn't going to merit a
payout, or probably even a response.
Missing HttpOnly Cookie Flags
The HttpOnly cookie flag is an XSS mitigation. If a server-side process flags a
cookie as HttpOnly, it can't be accessed client-side (when script in the page attempts to read the
cookie, it just gets back an empty string). Every major browser supports HttpOnly cookies.
But whatever their value, they are a safeguard, and their absence does not directly imply a
vulnerability. If there's no additional XSS, there's no issue.
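To make the flag's effect concrete, here is an added example (not code from the book) that parses `Set-Cookie` response headers, models what page script can see (HttpOnly cookies are withheld from `document.cookie`, so a page whose only cookie is HttpOnly reads back an empty string), and audits which cookies lack `HttpOnly`, `Secure` or `SameSite`. The header values are constructed sample data; the function names are my own, not a library's.

```javascript
// Added example (not from the book): parse Set-Cookie headers and audit the
// HttpOnly / Secure / SameSite attributes before deciding whether a missing
// flag is worth reporting. All cookie values below are constructed samples.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [rawName, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: rawName.trim(),
    value: valueParts.join('='), // values may themselves contain '='
    httpOnly: false,
    secure: false,
    sameSite: null,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    const v = rest.join('=').trim();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = v;
    else cookie.attributes[k] = v;
  }
  return cookie;
}

// Model what document.cookie exposes to script: HttpOnly cookies are omitted
// entirely, so a page whose only cookie is HttpOnly reads back "".
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Report, per cookie, which hardening attributes are absent. A missing
// HttpOnly on its own is a hardening gap, not a vulnerability; it only
// matters if a separate XSS lets script read the cookie.
function auditCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).map((c) => ({
    name: c.name,
    missing: [
      ...(c.httpOnly ? [] : ['HttpOnly']),
      ...(c.secure ? [] : ['Secure']),
      ...(c.sameSite ? [] : ['SameSite']),
    ],
  }));
}

// Constructed sample response headers: one hardened session cookie,
// one unflagged preference cookie, one partially hardened token.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
  'csrftoken=tok456; Path=/; Secure',
];

console.log('visible to script:', scriptVisibleCookies(SAMPLE_HEADERS));
console.log('audit:', JSON.stringify(auditCookies(SAMPLE_HEADERS)));
```

Run with `node` and compare the audit line against the headers: only `sessionid` passes cleanly, and only the two non-HttpOnly cookies show up in the script-visible string.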
Other Common No-Payout Vulnerabilities
In addition to the larger categories of bugs we've discussed that typically don't merit a
payout (and keeping in mind that previously submitted vulnerabilities are ineligible for
payout everywhere), there are also many one-off and miscellaneous would-be
vulnerabilities you should avoid submitting.
Weak or Easily Bypassed Captchas
CAPTCHAs (and their successor, reCAPTCHA) are Google-administered Turing tests
designed to block bot form submission spam by asking a bot to do things (sophisticated
natural language detection, image pattern recognition, performing tasks on dynamic
challenges, and so on) that your average bot can't do. Because they represent a third-party
service whose security posture is managed by an outside company, most companies that
host CAPTCHAs themselves won't reward any CAPTCHA-related bugs or vulnerabilities.