But what would you say if the bar were lowered and it suddenly became easier and faster to reap returns? Would you participate? Would I have your attention if I told you that I made $600 in 15 minutes using Contrast Community Edition (CE), a free, full-strength application security platform from Contrast Security that provides always-on IAST, RASP, and SCA for Java applications, .NET Core, and APIs?
How I Landed a Bug Bounty with Contrast CE
When I started at Contrast Security, I wanted to get my hands dirty with its products to understand how they worked. I picked Contrast CE and ran it against the OWASP WebGoat project, knowing there are plenty of application security vulnerabilities in it. It immediately delivered impressive results, identifying a long list of vulnerabilities. After this initial test, I decided to run it against a real-world application, one used by millions of users and with a bug bounty program in place. I found the perfect candidate in Atlassian JIRA Server, which we also use internally at Contrast Security.
After downloading Atlassian JIRA Server, I followed the setup instructions, which were very straightforward. JIRA Server launched, and I was up and running:
With JIRA Server successfully running, I moved on to connecting Contrast CE to it. The steps were as follows:
- I registered for a free account: https://www.contrastsecurity.com/contrast-community-edition.
- With a registered account, I was able to proceed to a login screen: https://ce.contrastsecurity.com/Contrast/.
- Once I was logged into my account, I clicked the “Add Agent” button.
- I then needed to retrieve the license file for my Contrast CE instance and place it in:
- This downloaded the Java agent.
- With those steps completed, I proceeded to connect the Contrast CE agent to JIRA Server. The best way for me to do so was to set the CATALINA_OPTS environment variable, which passes options to the JVM that Tomcat starts. I concluded that it should be set within the provided “start-jira.sh” script. I opened that file for editing and added:
- With the JIRA Server application running, I then checked Contrast CE to verify the connection.
- I then clicked on the JIRA Server Web Application in Contrast CE, which revealed the first vulnerability with the following message:
- On the main vulnerability page, I could quickly see the vulnerable part of the URL that ended up in a tainted sink:
- With this information in hand, I clicked the “HTTP Info” tab and then “Replay Request.” Knowing which portion of the request was vulnerable, I began to think about different ways to exploit it.
- My first action was to replace the vulnerable portion of the URL with /WEB-INF/web.xml, a file I knew existed; the request failed. Then I tried a typical directory traversal payload along the lines of /../../../../../../etc/passwd, which also failed. One possible conclusion was that the finding was a false positive.
- To determine why the aforementioned requests had failed, I clicked the “Details” tab and the following application flow was revealed:
- This disclosed a potential validator pattern, which prompted me to expand the view that revealed the following:
- JIRA Server was invalidating requests to WEB-INF.
- This prompted me to think about other application areas that could be accessed, which led me to META-INF. I therefore executed a request along the lines of the following:
- This produced the following result:
- This exposed the vulnerability, as the META-INF directory is not supposed to be accessible. Hello, Bug Bounty!
- With this confirmation in hand, I submitted the issue to Bugcrowd and received a $600 reward after one week, all by testing with Contrast CE. The issue was fixed with https://jira.atlassian.com/browse/JRASERVER-68942 in each of the following versions:
A CVE was also issued for this vulnerability.
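The validator the post uncovered is a deny-list that knows about WEB-INF but not META-INF, which is exactly the failure mode deny-lists have. The following is an added example, not code from the post or from Atlassian or Contrast, that places such a deny-list check beside a resolver that canonicalises the requested path, confines it to the web root and refuses every protected container directory. The web root `/srv/webapp` and the sample request paths are constructed for illustration, as are the function names.

```python
"""
Added example (not from the original post, Atlassian or Contrast): a
WEB-INF-only deny-list validator of the kind the post describes, beside a
hardened resolver that canonicalises the path and refuses both protected
container directories. Web root and sample requests are constructed.
"""
from pathlib import PurePosixPath
from urllib.parse import unquote

# Directories a servlet container must never serve to a client. WEB-INF is
# the one the post saw blocked; META-INF is the one it found reachable.
# Compared case-insensitively because the host filesystem may be too.
PROTECTED_DIRS = {"web-inf", "meta-inf"}

WEB_ROOT = "/srv/webapp"  # constructed placeholder, not a real install path


def weak_validator(url_path: str) -> bool:
    """Deny-list check modelled on the behaviour the post observed:
    any request mentioning WEB-INF is rejected, everything else passes.
    Returns True when the request would be served."""
    return "WEB-INF" not in url_path.upper()


def hardened_resolve(url_path: str, web_root: str = WEB_ROOT):
    """Return the canonical filesystem path to serve, or None to reject.

    1. Percent-decode once; anything still containing '%' afterwards is a
       double-encoded or malformed name and is rejected rather than guessed at.
    2. Walk the path segments, applying '..' ourselves so traversal above the
       web root is detected instead of silently normalised away.
    3. Refuse any segment, at any depth, that names a protected directory.
    """
    decoded = unquote(url_path)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    parts = []
    for segment in PurePosixPath(decoded).parts:
        if segment in ("/", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # attempt to climb above the web root
            parts.pop()
            continue
        parts.append(segment)
    # Check every level, so /s/../META-INF/... is caught as well as /META-INF/...
    if any(p.lower() in PROTECTED_DIRS for p in parts):
        return None
    return str(PurePosixPath(web_root, *parts))


# Constructed sample requests mirroring the kinds of probes the post describes.
SAMPLE_REQUESTS = [
    "/s/static/images/logo.png",
    "/WEB-INF/web.xml",
    "/../../../../../../etc/passwd",
    "/META-INF/MANIFEST.MF",
    "/s/%2e%2e/META-INF/MANIFEST.MF",
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each request to (served by weak validator?, served by hardened resolver?)."""
    return {r: (weak_validator(r), hardened_resolve(r) is not None) for r in requests}


if __name__ == "__main__":
    for req, (weak_ok, hard_ok) in compare().items():
        print(f"{req:40} weak={'serve' if weak_ok else 'block':5} hardened={'serve' if hard_ok else 'block'}")
```

Running the comparison shows the gap the post describes: the deny-list serves `/META-INF/MANIFEST.MF` and the percent-encoded traversal into META-INF, while the hardened resolver rejects both and still serves the ordinary static asset. The design choice worth noting is that the hardened version decides on the resolved segments rather than on substrings of the raw URL, so encoding tricks and nested traversal are handled by construction instead of by adding more patterns to a list.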
One of the most impressive outcomes of the above is that it took me around 15 minutes to complete these tasks. What a great value proposition for anyone looking to make some extra dollars—using a free tool—via bug bounty programs. Download a free copy of Contrast CE to get started today.
*** This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by David Lindner, Director, Application Security. Read the original post at: https://www.contrastsecurity.com/security-influencers/i-made-600-with-contrast-ce-cve-2019-8442