Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneAhacker1H1:2213251
HistoryOct 17, 2023 - 3:26 p.m.

HackerOne: New Search Feature: Search for non-public words in limited disclosure reports

2023-10-1715:26:45
ahacker1
hackerone.com
$2500
22
hackerone
search feature
limited disclosure
attacker
secret leakage
bug bounty
JSON

Similar to https://hackerone.com/reports/685909
An attacker can search for words in limited disclosure reports, and see if it exists in the full report. HackerOne will return whether the word exists in the full report, rather than in the limited part (e.g. summary/title …) of the report

Steps to reproduce:

Have the new beta search feature enabled:

  1. Search for
    addProjectV2ItemById AND reporter:("ahacker1")
    Note that there is a hit for the phrase in the limited disclosure report (https://hackerone.com/reports/1711938) even though the word cannot be publicly found in the limited disclosure report.

(This phrase is only the full report, not in the limited disclosure report)

Impact

For example, if there is a secret inside the full report (but not inside the limited portion), the attacker could leak it with a lot of tries.
Suppose secret starts with PREFIX_

then attacker could search for:
PREFIX_a
PREFIX_b

until it matches in the report
PREFIX_k

then the attacker could continue
searching for
PREFIX_ka
PREFIX_kb
PREFIX_kc

until a match
PREFIX_ko
This could be continued on until the attacker hits the end of the secret, therefore leaking the secrets.

The number of tries would take around:
around 30 chars to try in each iteration * 40 (average length of a secret)
= 1200 tries

JSON