Page 209 - Hands-On Bug Hunting for Penetration Testers
Chapter 12: Other (Out of Scope) Vulnerabilities
This example drives home a general point we've been making (and will continue to make)
throughout this book: attack scenarios modeling a critical attack are essential to making
sure that your submission is rewarded.
Clickjacking and Clickjacking-Enabled Attacks
Clickjacking is an attack in which the attacker hides a malicious link or control, made
transparent or otherwise obscured, under (or over) a legitimate, safe-looking button, so that
users who think they are clicking the visible control are tricked into following the black
hat URL instead.
Clickjacking is typically excluded from bounty programs because, for the attack to work on
the company's own platform, the company itself would have to be using dark patterns
(deliberately deceptive UX/UI techniques) to trick users into following harmful links on a
site it controls. Since any company actually doing that most certainly wouldn't advertise it,
bounty programs aren't interested in paying out for a vulnerability that can otherwise only
exist if a user modifies code on their own machine. That's why clickjacking (and
vulnerabilities that can only be reached via clickjacking) doesn't get rewarded. Read the
program's scope page before discarding a finding, though: some programs do accept
clickjacking when the framed page performs a sensitive, state-changing action and sends
neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive.
Physical Testing Findings
Sometimes, firms interested in rigorous security audits go several steps further than just
hiring a team to test a website or probe a network: they pay for a researcher to test the
physical security perimeter controlling access to their data center. This type of testing is
most common in industries with strong compliance policies around access control. PCI
compliance, for example, requires that you have taken certain physical security measures (ID
cards required for access to the premises, limited access to the actual server hardware, and
so on) to safeguard your infrastructure.
Anything even close to physical testing is out-of-bounds for the type of work this book is
concerned with. If you've identified a vulnerability that consists of you sneaking in through
the company break room and messing with someone's unlocked laptop, that is not a
vulnerability. That activity is very much out-of-scope and potentially legally actionable.
Outdated Browsers
When you find a vulnerability that depends on an outdated browser as its attack vector,
especially a comparably ancient install (older than IE 8), it doesn't make sense for a
company to reward it with a payout: outdated browsers aren't receiving security updates (so
they won't get any fix the company might want to ship), after all. Even if the issue could
be patched server-side, it makes no sense for the company to carve out exceptions to an
applicable end-of-life policy.

