Page 210 - Hands-On Bug Hunting for Penetration Testers
Other (Out of Scope) Vulnerabilities Chapter 12
Server Information
Although it's a valuable part of the discovery phase in any engagement, discovering the
type of server or hosting service (for example, from a Server or X-Powered-By header, a
default error page, or a DNS record) is not a bug. Obfuscating that information is nice, but
superfluous, and basic public server data by itself doesn't suggest a compelling attack
chain worthy of a payout. It only becomes interesting when it pairs with something else,
such as a disclosed version with a known, reachable vulnerability.
Rate-Limiting
Rate-limiting might surprise you as something that has to be explicitly excluded in a
program's out-of-scope vulnerabilities, but rate-limiting (protecting your server from
getting hosed by throttling the number of requests a single client can make in a given
window) is a feature, not a bug. Reporting that an endpoint lacks it is reporting a missing
hardening control. The usual exception is when the missing throttle is the enabling step in
a concrete attack, such as brute-forcing a short one-time code or a password, in which case
you report the attack, not the absence of the limit.
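To make the feature concrete, the following is an added example (not code from the book) of the per-client throttle that rate-limiting provides: a sliding-window limiter that allows at most `limit` requests per `window` seconds for each client key. The client addresses, limits and timestamps are constructed for the demonstration; a real server would key on the authenticated user or source IP and answer a throttled request with HTTP 429.

```python
from collections import deque
from typing import Deque, Dict, Tuple


class SlidingWindowRateLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds.

    `now` is passed in explicitly so the behaviour is deterministic and testable;
    a server would pass time.monotonic().
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        # client key -> timestamps of the requests still inside the window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits.setdefault(client, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Throttled: the server would respond 429 Too Many Requests.
            return False
        hits.append(now)
        return True


def simulate_burst(limiter: SlidingWindowRateLimiter, client: str,
                   count: int, start: float, spacing: float) -> Tuple[int, int]:
    """Send `count` requests from `client`, `spacing` seconds apart, starting at `start`.

    Returns (allowed, denied) so the effect of the throttle can be inspected.
    """
    allowed = denied = 0
    for i in range(count):
        if limiter.allow(client, start + i * spacing):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    # Constructed scenario: 5 requests per minute per client.
    limiter = SlidingWindowRateLimiter(limit=5, window=60.0)
    # A hostile client fires 100 requests in 10 seconds: only 5 get through.
    print("attacker:", simulate_burst(limiter, "10.0.0.1", 100, 0.0, 0.1))
    # Another client's ordinary traffic is unaffected by the attacker's burst.
    print("normal user:", simulate_burst(limiter, "10.0.0.2", 3, 0.0, 0.1))
    # Once the attacker's oldest request ages out of the window, one more is allowed.
    print("attacker at t=60s:", limiter.allow("10.0.0.1", 60.0))
```

The limiter tracks each client separately, which is the point of "selective" throttling: a burst from one source is cut off without penalising everyone else. If you want to argue that a missing limit is a real finding, this is the control you are claiming is absent, and your report has to show what an attacker gains from the unthrottled endpoint.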
Summary
This chapter has covered different types of security flaws that typically don't rise to the
level of a profitable vulnerability, including DoS/DDoS, Self-XSS, and other types of attacks,
as well as information that is commonly reported by scanners and pentesting tools but that
doesn't necessarily interest bug bounty program operators. Along with various miscellaneous
out-of-scope vulnerabilities, and an analysis of the common features that link these bugs
together (they require other exploits, they have limited reach, they require social
engineering or attacks on third-party services, and so on), you should now have an
understanding not only of which bugs don't get rewarded but of why they aren't valuable.
Now, moving forward, you can tune your own workflow to lower the noise in your
reporting, and build a pentesting regimen that cuts down on time-wasting dead ends and
focuses on the vulnerabilities that matter.
Questions
1. Why are DoS/DDoS attacks typically out-of-scope? What's a scenario where a
DoS/DDoS-related bug would merit a reward?
2. What is Self-XSS? Why does it not usually merit an award?
3. What's the potential damage of leaving HTTP's TRACE method enabled?
4. Why don't BEAST and other SSL vulnerabilities typically qualify for bug bounty
programs?
5. What is clickjacking?