FireBounty
46829 policies in database
Link to program      
2016-11-30
2019-08-03
PortSwigger Web Security logo
Thank
Gift
HOF
Reward

Reward

100 $ 

PortSwigger Web Security

Scope

--

  • Website: https://portswigger.net/ and https://forum.portswigger.net/

  • Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition

To help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/

All other subdomains of portswigger.net are strictly out of scope. Do not test these.

Our Web Security Academy is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.

If you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that.

Vulnerabilities of interest

--

Here are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:

Critical - $10,000

  • SQL injection on portswigger.net

  • Remotely retrieving arbitrary users' Burp Collaborator interactions

  • Unauthenticated RCE on Burp Suite Enterprise Edition

High - $3,000

  • Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface

  • File path traversal on portswigger.net

  • Complete authentication bypass on portswigger.net

  • A website accessed through Burp Suite can make Burp execute arbitrary code

Medium - $1,000

  • A website accessed through Burp Suite can retrieve local files from the user's system

  • A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap

  • Given a collaborator payload, an attacker can retrieve interactions generated from the same key

  • Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition

  • CSRF on significant actions

Any medium severity issue involving unlikely user interaction - $100-$1000

  • Reflected XSS that is unexploitable due to CSP

  • Header injection in Burp Suite

CSP Bypass - $100-$1000

  • Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like "CSP headers are missing from static page X" but will consider these on a case by case basis.

Significant vulnerabilities in BApps - $0

  • We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.

If a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.

Issues not of interest

==

The following are strictly forbidden and may result in you being barred from the program, the website, or both:

  • Denial of service attacks

  • Physical or social engineering attempts

  • Targeting subdomains of portswigger.net

  • Bruteforcing subdomains

  • Spamming orders

  • Unthrottled automated scanning - please throttle all tools to one request per second.

We are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:

  • Broken links

  • Denial of service vulnerabilities

  • Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)

  • HTTP Options header

  • Server errors with no sensitive information like https://portswigger.net/careers%22%3E

  • Headers like Server/X-Powered-By disclosing version information

  • XSS issues in non-current browsers

  • window.opener related issues

  • Unvalidated reports from automated vulnerability scanners

  • CSRF with minimal security implications (logout, DoS, etc.)

  • Issues related to email spoofing (eg SPF/DMARC)

  • DNS issues

  • Content spoofing

  • Reports that state that software is out of date or vulnerable without a proof of concept

  • Missing autocomplete attributes

  • Missing cookie flags on non-security sensitive cookies

  • SSL/TLS scan reports (this means output from sites such as SSL Labs)

  • Client-side caching issues

  • Concurrent sessions

  • HPKP / HSTS preloading

  • Implausible bruteforce attacks

There are a few known issues we consider to be low severity, but may fix eventually:

  • Upstream TLS verification needs hardening

  • Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded.

  • Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.

  • Spectre

Some other caveats and common mistaken reports:

  • The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.

  • Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)

  • Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.

  • Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project->Save Copy to create a sanitised project file.

  • Plug 'n Hack discloses the port the proxy is listening on by design

  • We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.

  • As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.

  • We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).

  • Some scanners report a false positive STARTTLS vulnerability on the Collaborator Server.

  • Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.

What constitutes a vulnerability in Burp Suite?

--

The system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.

Contact

--

If you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net

Good luck and have fun!

In Scope

Scope Type Scope Name
application

Burp Collaborator
application

Burp Suite Enterprise Edition
application

Burp Suite Pro/Community
application

Burp Suite Extension (BApps)
web_application

portswigger.net
web_application

forum.portswigger.net
web_application

https://enterprise-demo.portswigger.net/

Out of Scope

Scope Type Scope Name
web_application

*.web-security-academy.net
web_application

*.portswigger.net

This program have been found on Hackerone on 2016-11-30.

FireBounty © 2015-2024

Legal notices | Privacy policy