Page 220 - Hands-On Bug Hunting for Penetration Testers
Going Further Chapter 13
Remote Code Execution (RCE)
RCE is a three-letter acronym to make anyone quake. Remote code execution is exactly
what it sounds like: it triggers the execution of an arbitrary code snippet on a remote
machine through a network (for example, the internet). A vulnerability that allows for RCE
is a highly critical issue that will ensure you get a nice payout. The possibilities afforded by
having that sort of access to a service are vast: adding the machine to a botnet, exfiltrating
data, or draining the victim's resources with cryptocurrency mining. Considering the
open-ended possibilities of a Turing-complete language, an imaginative attacker can do an
impressive amount of damage.
Safe Harbor
Some bug bounty programs will also advertise a safe harbor clause. This is, in essence, a
promise from the company to certify you as a researcher and guarantee your freedom from
legal action in exchange for you following the testing guidelines they have laid out in their
RoE (rules of engagement).
Scope
An engagement's scope refers both to the areas of the target application that can be
subjected to analysis (as defined by IP addresses, hostnames, and functionality) and to
the types of testing behavior that are not allowed (for example, active scanning disallowed,
don't mess with or modify another user's data, and so on). Adhering to scope is critical, both
out of respect to the program's operators and to minimize any liability you might incur by
touching out-of-bounds systems.
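A small scope checker that turns the definition above into a pre-flight check, so a host is only tested after it matches an in-scope entry and no exclusion. This is an added example, not code from the book; the scope entries and hostnames are constructed placeholders.

```python
"""Scope checker: decides whether a target host or IP lies inside an engagement's
declared scope. Added example, not from the book; scope entries are constructed."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample scope, shaped like a typical program page: in-scope entries
# may be CIDR ranges, exact hostnames or wildcard hostnames; out-of-scope entries
# always take precedence over in-scope ones.
IN_SCOPE = ["*.example-target.test", "api.example-target.test", "203.0.113.0/24"]
OUT_OF_SCOPE = ["legacy.example-target.test", "203.0.113.250/32"]


def _matches(target: str, entry: str) -> bool:
    """True if a single scope entry covers the target (IP/CIDR or hostname pattern)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(target) in net
    except ValueError:
        # Either side is not an IP/CIDR: treat the entry as a (wildcard) hostname.
        # A leading "*." entry matches subdomains only, never the bare domain.
        return fnmatchcase(target.lower(), entry.lower())


def in_scope(target: str, allowed=IN_SCOPE, excluded=OUT_OF_SCOPE) -> bool:
    """Return True only if target matches an in-scope entry and no exclusion."""
    target = target.strip().lower()
    if any(_matches(target, e) for e in excluded):
        return False
    return any(_matches(target, e) for e in allowed)


if __name__ == "__main__":
    for t in ["www.example-target.test", "legacy.example-target.test",
              "203.0.113.7", "203.0.113.250", "example-target.test"]:
        print(f"{t:30} {'in scope' if in_scope(t) else 'OUT OF SCOPE'}")
```

Because exclusions are checked first, an out-of-scope host that also sits under an in-scope wildcard or CIDR is still rejected.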
Security Posture
A great, standard definition of an organization's security posture comes from the National
Institute of Standards and Technology (NIST): "the security status of an enterprise's networks,
information, and systems based on information security resources (for example, people,
hardware, software, policies) and capabilities in place to manage the defense of the
enterprise and to react as the situation changes."