Hackerone and Bugcrowd Links #535

Open
ThunderSon opened this issue Aug 4, 2020 · 16 comments
Labels
enhancement A new or improved feature for the WSTG or repo help wanted
Comments

@ThunderSon
Collaborator

What would you like to happen?
What do you think about adding to every test scenario possible bug bounty reports that are relevant and provide value.
One example would be for file upload XSS since we are updating it: https://hackerone.com/reports/880099

CC: @rbsec @kingthorin

ThunderSon added the enhancement label Aug 4, 2020
@kingthorin
Collaborator

I'd be good with that, any reference source seems fine/logical to me.

@rbsec
Collaborator

rbsec commented Aug 4, 2020

I could see some value in giving some references to examples of the issue, but I think it'd need to be carefully curated. The examples would have to be well written (both in terms of technical content and style), and should be relatively straightforward examples of the issues. While it's interesting to link to really obscure or clever vulnerabilities, it's probably not very useful for most readers. A straightforward but well written example of SQL injection is much more useful than a really clever blind SQLi through a field in an Excel spreadsheet, for example.

I think it would also be good to expand it past just bug bounty reports - there are lots of really good technical writeups of vulnerabilities that are not reported on those sites. However, you'd need to make sure that people don't just use it as a way to try and show off their posts or push traffic to their sites.

I'm not sure what you'd call the section. "Vulnerability Examples"? "Example Vulnerability Writeups"?

Edit: it might also be worth reviewing the interactions between the reporters and staff as well. For example, asking "why i got low bounty for this report ?" doesn't set a great example of how to disclose things...

@ThunderSon
Collaborator Author

I will provide more input on this in the coming days, hopefully with an action plan.

@ThunderSon
Collaborator Author

So 3 main things to handle:

  • Curating reports and writeups. They need to be well written and give a great example.
  • Ensure that someone isn't ripping it off from the WSTG. Visibility is us giving back to them, but not plugging in whatever is thrown at the WSTG.
  • Section name in the references. I'd go with "Vulnerability Writeups". What do you think? No need to have the "examples" word in it. Does "vulnerability" reflect that it is a real-world scenario? Or what could be a better name?

@patrickceg
Contributor

patrickceg commented Oct 3, 2020

"Vulnerability Writeups" works (since a lot of these may not be formal reports), although the term doesn't show that these are real-world examples to someone reading the guide for the first time.

  • "In the Wild" may be possible wording, although it may be considered jargon.
  • "Real-World Cases"? Textbooks sometimes call it "case study", but "case study" usually implies you cite the source and then regurgitate a page worth of stuff as to why it is relevant, which is not what we want here.

@ThunderSon
Collaborator Author

@victoriadrake What do you think about this?

@victoriadrake
Collaborator

Thanks for the tag @ThunderSon!

By taking on the curation of write ups, we should be aware that we’ll be spending as much time reviewing them for quality and accuracy as we might spend on WSTG contributions. We also can’t control the external content if it is later changed or updated.

I would suggest we take on a “push” approach rather than a “pull” approach to this. If we happen to come across stellar examples of reports, we can link them; but we should not seek out less-than-stellar reports for the purpose of filling this section on every page. I think that would cheapen the effort.

To agree with and codify what @rbsec stated, I would suggest that we accept reports or articles if they are:

  • Well-written examples of submitting a vulnerability report in a professional and polite manner
  • “Textbook examples,” in other words, straightforward, easy-to-follow examples of common problems
  • Primarily focused on the vulnerability, free of advertisements, and with minimal-if-any self-promotion

As to the title, I suggest “Real-World Examples” as a term that a reader would scan the page for if they were looking for what we’re suggesting.

Phrases like “Vulnerability Writeups” are familiar to bug bounty hunters but less so to business leaders, while @patrickceg is correct that “case study” can indicate quite a different animal from your typical infosec report.

@patrickceg
Contributor

I think another criterion can be:

  • The example must describe the impact of the vulnerability when the stakeholders discovered it
    • Note that discovery could be the team discovering it in testing before production, or investigators finding it because the company appeared on the front page of a news site.
    • Was the vulnerability discovered late in the development cycle such that it delayed a product release? Did the vulnerability in production cost millions of dollars of buying credit monitoring for victims? Was the vulnerability used to start an infamous ransomware event?

A tester or test team lead who finds the WSTG is going to want to know how they can explain (to the boss) spending resources to build and maintain the test.

@victoriadrake
Collaborator

@patrickceg I’d list that as a nice-to-have rather than required. While they’re important considerations, I don’t know that business impact is in scope for the WSTG.

@patrickceg
Contributor

Will WSTG have any other way to let someone know which test to start with or to make high priority? (example: Issue #171)

@kingthorin
Collaborator

IMHO prioritization will depend on tasks outside the Testing Guide, such as: Threat Modelling or Risk Assessment.

kingthorin added this to the v5.0 Release milestone Nov 10, 2020
@github-actions

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
