Hacking on Bug Bounties for Four Years

Sep 15, 2020


Intro & Motivations

I value transparency a lot, especially when it comes to the bug bounty space. Bug bounty hunters all around the world are submitting a range of reports where the issues found span across multiple domains, often leveraging numerous techniques and methodologies. However, if you’re not already an active bug bounty hunter who has a good understanding of what a bounty program expects, or will pay out for, you have a major disadvantage compared to someone who does have this knowledge. I hope through this blog post, I can demystify the sort of issues bug bounty programs pay for.

The last blog post I did in this series was around four years ago: 120 days, 120 bugs. In the last four years, a lot has happened. I moved to Europe for six months, I moved interstate in Australia twice, I won a live hacking event, I co-founded a company and helped build an attack surface management platform with a team of people I consider family.

Unlike my previous blog post, I did not set myself a goal to find a bug a day. Instead, I participated in bug bounties whenever time allowed. There were many months where I found nothing at all, which often terrified me when it came to evaluating my self-worth as a hacker. I also admitted to myself that I might be a good hacker, but there is always going to be a better hacker out there, and I've made my peace with that as a hyper-competitive person.

If you don’t have an excellent understanding of fundamental application security attacks and weaknesses before you approach bug bounties, in my opinion, you are wasting your time. Practice and learn more here.

If you’re looking for a paid, more extensive resource, check out and practice with PentesterLab.

Participating so heavily in bug bounties has given us at Assetnote a clear picture of what security teams actually care about. It's the reason we can keep the signal high while continuously finding exposures.

My primary motivation for this blog post is to educate the masses on what bug bounty programs are paying out for.

For example, would you know that you could submit a dangling EC2 IP (a subdomain whose A record points to an EC2 public IP the company has since released, so anyone who launches instances until they are assigned that address can serve content on the hostname) as a bug report without seeing the proof in the list below? I've been paid for this by programs, so clearly they value this sort of information.
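To make the dangling EC2 IP class concrete, here is an added triage script (my own example, not code from the original post or from Assetnote) that flags A records landing in AWS EC2 address space so they can be checked by hand. The ip-ranges fragment, hostnames and IPs are constructed for the example and labelled as such; real use would load the published ip-ranges.json and feed in resolver output. Landing in EC2 space is only the candidate condition: confirming the IP is actually unowned still means looking at what the host serves and whether the organisation still holds the instance or Elastic IP.

```python
"""Flag DNS A records that land in AWS EC2 address space.

Added example, not code from the original post. A subdomain whose A record
points to an EC2 public IP the organisation has released is a takeover
candidate: whoever launches instances in that region until they are
assigned the same address then answers for that hostname. This script does
only the triage step (is the target in EC2 space?); confirming the address
is really unowned needs a manual check of what the host serves.

Inputs are constructed inline so the script runs offline: a trimmed
fragment in the shape of AWS's published ip-ranges.json and a few
hypothetical DNS records. Real use would load
https://ip-ranges.amazonaws.com/ip-ranges.json and feed in resolver output.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed fragment mimicking the ip-ranges.json layout (the real file
# has thousands of prefixes). Prefixes are illustrative, not current.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "3.0.0.0/15",    "region": "ap-southeast-1", "service": "EC2"},
        {"ip_prefix": "13.54.0.0/15",  "region": "ap-southeast-2", "service": "EC2"},
        {"ip_prefix": "52.94.0.0/22",  "region": "us-east-1",      "service": "AMAZON"},
        {"ip_prefix": "54.230.0.0/16", "region": "GLOBAL",         "service": "CLOUDFRONT"},
    ],
})

# Constructed resolver output: hostname -> list of A record targets.
SAMPLE_RECORDS = {
    "legacy-app.example.com": ["13.54.12.9"],           # inside an EC2 prefix
    "cdn.example.com": ["54.230.77.1"],                 # CloudFront, not EC2
    "www.example.com": ["203.0.113.10"],                # not AWS at all
    "api.example.com": ["3.1.200.4", "198.51.100.7"],   # one EC2 IP out of two
}


def load_ec2_prefixes(ip_ranges_json: str) -> List[ipaddress.IPv4Network]:
    """Return only the prefixes tagged with service EC2 from an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["service"] == "EC2"
    ]


def ec2_prefix_for(ip: str, prefixes: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the EC2 prefix that contains ip, or None if it is outside EC2 space."""
    addr = ipaddress.ip_address(ip)
    for net in prefixes:
        if addr in net:
            return net
    return None


def find_ec2_candidates(records: Dict[str, List[str]],
                        prefixes: Iterable[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """List (hostname, ip, prefix) for every A record that lands in EC2 space.

    These are candidates only: an IP in EC2 space is dangling only if the
    organisation no longer holds it, which must be confirmed separately.
    Results are sorted by hostname so output is stable across runs.
    """
    prefixes = list(prefixes)
    hits = []
    for host, ips in sorted(records.items()):
        for ip in ips:
            net = ec2_prefix_for(ip, prefixes)
            if net is not None:
                hits.append((host, ip, str(net)))
    return hits


if __name__ == "__main__":
    ec2 = load_ec2_prefixes(SAMPLE_IP_RANGES)
    for host, ip, net in find_ec2_candidates(SAMPLE_RECORDS, ec2):
        print(f"{host} -> {ip} (EC2 {net}): verify whether the instance is still yours")
```

With the constructed inputs this reports api.example.com and legacy-app.example.com and ignores the CloudFront and non-AWS targets; filtering on the EC2 service tag matters because an address in a CloudFront or generic AMAZON range cannot be reclaimed by launching instances.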


Findings

Below are all of my findings for the last four years. I’ve redacted information where necessary, but by reading the titles, it should give you a good understanding of what I was reporting to programs.

Date Bug Payout
2020-09-02 14:04:11 UTC [redacted] Hosted Zone Takeover $1,000.00
2020-07-16 18:39:22 UTC Spring debugging endpoints exposed leading to disclosure of all secrets via heapdump on [redacted] & Account takeover by Trace $2,500.00
2020-06-30 22:54:07 UTC Blind SSRF on [redacted] through invoicing API - access to internal hosts $60.00
2020-06-10 13:53:43 UTC Full Account takeover through subdomain takeover via [redacted] $300.00
2020-06-10 13:24:10 UTC Full Account takeover through subdomain takeover via [redacted] $300.00
2020-06-10 13:21:57 UTC Full Account takeover through subdomain takeover via [redacted] $300.00
2020-06-08 14:28:05 UTC Amazon S3 Subdomain Hijack - [redacted] $256.00
2020-06-08 05:29:58 UTC Route53 Hosted Zone Takeover of [redacted] $500.00
2020-06-05 16:27:42 UTC Admin panel for Cisco IP Conference Station CP-7937G exposed on the internet on [redacted] IP ranges $400.00
2020-06-03 21:07:51 UTC Pre-auth Blind MSSQL Injection affecting [redacted] $1,024.00
2020-06-03 14:18:24 UTC Pre-auth MSSQL Injection affecting [redacted] $1,024.00
2020-06-02 15:28:50 UTC Pre-auth SQL Injection affecting [redacted] $1,024.00
2020-06-02 15:26:58 UTC RCE via arbitrary file write and path traversal [redacted] $1,024.00
2020-06-02 15:25:08 UTC RCE via arbitrary file write and path traversal [redacted] $1,024.00
2020-05-18 10:12:38 UTC Route53 Hosted Zone Takeover of [redacted] $1,000.00
2020-05-18 10:11:58 UTC Route53 Hosted Zone Takeover of [redacted] $1,000.00
2020-05-18 10:06:22 UTC Route53 Hosted Zone Takeover of [redacted] $1,000.00
2020-05-18 10:05:20 UTC Route53 Hosted Zone Takeover of [redacted] $1,000.00
2020-05-11 18:47:54 UTC Route53 Hosted Zone Takeover of [redacted] $100.00
2020-05-11 14:59:23 UTC Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) $2,500.00
2020-05-11 14:31:18 UTC Account takeover through Subdomain Takeover of [redacted] (Cookie Disclosure -> Account Takeover) $2,500.00
2020-05-07 01:47:49 UTC View all metadata for any [redacted] IDOR [redacted] $1,000.00
2020-04-29 22:58:57 UTC IDOR view all [redacted] $4,000.00
2020-04-29 22:57:55 UTC IDOR view the [redacted] $2,500.00
2020-04-24 18:19:23 UTC Subdomain takeover of [redacted] through Heroku $300.00
2020-04-24 18:18:45 UTC Subdomain takeover of [redacted] through Heroku $300.00
2020-04-23 19:45:04 UTC Ability to horizontal bruteforce [redacted] accounts by abusing [redacted] sign up flow $500.00
2020-04-22 17:44:29 UTC View all metadata for any [redacted] IDOR [redacted] $500.00
2020-04-22 17:42:51 UTC IDOR view the [redacted] for any [redacted] for today [redacted] $500.00
2020-04-22 17:42:06 UTC IDOR view all [redacted] for a [redacted] [redacted] $500.00
2020-04-06 19:13:19 UTC Facebook - Payout For [redacted] $5,000.00
2020-03-07 15:12:24 UTC Accessing Querybuilder on [redacted] to gain access to secrets $3,000.00
2020-02-25 15:02:20 UTC Subdomain takeover of [redacted] via Amazon S3 $750.00
2020-02-20 23:01:58 UTC HTML injection, DOS of email receipts and potentially template injection within [redacted] via "Expense Info" section $500.00
2020-02-18 14:45:40 UTC Admin account bruteforce via [redacted]/libs/granite/core/content/login.html $500.00
2020-02-15 12:24:57 UTC Blind XSS via registering on [redacted] $500.00
2020-02-04 03:45:38 UTC HTML Injection in email when contributing to a [redacted] $700.00
2020-01-21 17:13:58 UTC Ability to attach malicious attachments (of any name and of any content type) to [redacted] support staff via [redacted] $2,000.00
2020-01-15 11:41:59 UTC No authentication required to view and delete Terraform locks at [redacted] $250.00
2019-12-12 16:25:11 UTC [redacted] Webhook URL + object leaked in JavaScript on [redacted] $3,000.00
2019-11-21 22:15:20 UTC AWS & Screenhero JWT Credentials from [redacted] not rotated, still working $1,000.00
2019-10-17 13:44:23 UTC RCE on [redacted] via IBM Aspera exploit leading to compromise of secure file storage $1,000.00
2019-10-15 14:29:25 UTC SSO bypass on [redacted] leading to access of internal documents and portals $250.00
2019-10-11 18:07:51 UTC Admin access to [redacted] via guessing credentials $1,500.00
2019-10-11 18:06:15 UTC 3rd party subdomain hijack - EC2 IP of [redacted] is no longer controlled by [redacted] $250.00
2019-09-30 16:56:50 UTC Multiple server-side issues affecting [redacted] (SSRF, admin panels) $2,660.00
2019-09-25 22:10:00 UTC Read any [redacted] details using UUID - IDOR in [redacted] $1,000.00
2019-09-10 16:17:59 UTC SSRF in [redacted] $2,000.00
2019-09-03 15:28:36 UTC SSRF in [redacted] $17,900.00
2019-08-29 00:43:00 UTC Bypassing email whitelists for organisation signup flows on [redacted] $250.00
2019-08-09 05:15:44 UTC [Pre-Submission] SSRF in [redacted] (Iframely) $2,970.30
2019-07-29 16:32:59 UTC [Bypass] SSRF via [redacted] leads to internal network access, ability to read internal JSON responses $23,000.00
2019-07-24 02:52:42 UTC PHPInfo exposed at [redacted] $100.00
2019-07-24 02:46:02 UTC SSRF on [redacted] leading to AWS breach via security credentials $5,000.00
2019-07-08 14:44:23 UTC Remote command execution on production [redacted] (via tsi parameter) - CVE-2017-12611 $2,000.00
2019-06-12 17:42:53 UTC Username/Password for Aspera and other secrets leaked in [redacted] $1,500.00
2019-06-12 17:42:08 UTC SSO/Authorization bypass for APIs hosted on [redacted] $1,500.00
2019-06-12 14:45:09 UTC Remote Code Execution (many endpoints) - [redacted] $4,500.00
2019-06-10 17:29:35 UTC Extract email, dob, full address, federal tax ID and other PII for all leads in [redacted] $1,800.00
2019-06-10 16:53:22 UTC Obtain email, mobile of customers of [redacted] by iterating through Lead IDs via the API $12,600.00
2019-06-10 16:52:40 UTC Ability to pull out all opportunities (IDOR) extract PII for customers of [redacted] $12,600.00
2019-06-07 18:51:24 UTC [redacted][IDOR] - Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) $2,500.00
2019-06-07 18:17:31 UTC Blind SSRF on [redacted] through RPC call to checkAvailableLivechatAgents $62.50
2019-06-07 18:07:22 UTC HTML injection in emails when adding a reviewer to [redacted] $125.00
2019-06-07 17:42:09 UTC [IDOR] Impersonating an [redacted] employee via /api/readHandler on [redacted] $1,500.00
2019-06-07 15:33:31 UTC Extract mobile number and [redacted] using only an email address, for any [redacted] $750.00
2019-06-07 14:36:01 UTC Zendesk Ticket IDOR / Ability to enumerate IDs via [redacted] $125.00
2019-06-07 14:24:15 UTC Extract mobile number and [redacted] using only an email address, for any [redacted] user $750.00
2019-06-07 14:11:20 UTC HTML Injection in [redacted] receipts if printed from [redacted] $100.00
2019-06-07 13:56:46 UTC Ability to access the airwatch admin panels and APIs in [redacted] $1,000.00
2019-06-07 13:21:31 UTC IDOR on [redacted] allows you to access [redacted] information for any [redacted] user $250.00
2019-06-07 10:13:20 UTC [redacted][IDOR] - Accessing all accounts via regression / new attack vector by abusing [redacted] (regression?) $15,000.00
2019-05-22 19:33:27 UTC SQLi and Authentication Bypass in [redacted] $4,500.00
2019-04-29 14:14:42 UTC Reflected XSS in [redacted] $500.00
2019-04-29 14:14:29 UTC SSRF in [redacted] $1,500.00
2019-04-25 07:33:22 UTC Local file disclosure through Rails CVE-2019-5418 in [redacted] $100.00
2019-04-19 02:28:54 UTC SSRF - [redacted] $4,950.00
2019-04-19 02:28:35 UTC SSRF at [redacted] via the 'url' parameter $4,950.00
2019-03-29 11:23:14 UTC AWS S3 secrets leaked in [redacted] meeting connector giving attackers write access to [redacted] $364.50
2019-03-27 18:41:51 UTC Subdomain takeover of [redacted] through Heroku $750.00
2019-03-20 17:08:11 UTC Reflected XSS in [redacted] $500.00
2019-03-18 17:29:00 UTC Reflected XSS in [redacted] $500.00
2019-03-18 17:28:49 UTC Reflected XSS in [redacted] $500.00
2019-03-18 17:28:35 UTC CVS Repos being leaked on [redacted], including username and password $750.00
2019-03-18 15:35:10 UTC Form on [redacted] leaks username and password for [redacted]/Wowza Streaming Server $500.00
2019-03-15 15:08:35 UTC Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] $5,000.00
2019-03-14 17:51:32 UTC Multiple IDORs on [redacted] $500.00
2019-03-14 17:51:18 UTC Multiple persistent XSS vulnerabilities in [redacted] $1,000.00
2019-03-14 17:51:02 UTC Auth bypass on [redacted] & [redacted] allowing for full access to anonymous users (including private streams) $1,000.00
2019-03-14 17:50:45 UTC Slack Webhook Tokens leaked within JavaScript on [redacted] $500.00
2019-03-11 23:06:12 UTC Ability to send arbitrary Subject + HTML emails as verified [redacted] $900.00
2019-03-04 21:58:43 UTC WP-Engine Subdomain Takeover of [redacted] $500.00
2019-03-04 19:04:59 UTC Extract BCrypt pinCode, associated phone numbers and emails for any [redacted] $500.00
2019-02-22 18:41:36 UTC [redacted] $8,000.00
2019-02-13 17:59:01 UTC Ability to close down any [redacted] using an IDOR in [redacted] $8,000.00
2019-02-07 00:05:37 UTC HTML injection in the [redacted] signup flow on [redacted] $500.00
2019-01-30 16:59:57 UTC VHost header hopping on [redacted] allowing us to access MSSQL DB explorer $1,900.00
2019-01-30 16:14:57 UTC RCE on [redacted] via ObjectStateFormatter deserialization $4,000.00
2019-01-30 16:13:00 UTC ZIP file in webroot containing all source code and database of [redacted] $3,000.00
2019-01-29 21:52:20 UTC Multiple reflected XSS on [redacted] $500.00
2019-01-29 17:54:05 UTC Sensitive data exposure in debug file via [redacted] $100.00
2019-01-23 16:09:32 UTC Git repos disclosed on multiple [redacted] and [redacted] subdomains $600.00
2019-01-22 23:02:09 UTC Critical: Prod access to all [redacted] Admins and Employees - obtain all emails uuids and access to administrative actions $4,500.00
2019-01-07 21:02:45 UTC SSRF via [redacted] leads to internal network access, ability to read internal JSON responses $23,000.00
2018-12-06 15:58:56 UTC Reflected XSS in [redacted]/pay/alipay/wap.php $400.00
2018-12-06 15:37:27 UTC Reflected XSS in the JavaScript context on [redacted] via `http_referer` parameter $400.00
2018-11-30 15:35:15 UTC Django debug mode being enabled leads to Postgres password leaked on [redacted] $500.00
2018-11-30 15:20:07 UTC Ability to upload SWF files on [redacted] via CKFinder $400.00
2018-11-30 15:08:41 UTC [redacted] discloses sensitive information leading to customer data access via APIs $800.00
2018-11-30 13:46:33 UTC [redacted] Newsroom CMS (China) source code leaked on GitHub, with a WeChat secret - Leads to RCE on contractors machine $200.00
2018-11-29 17:41:02 UTC Bypassing email whitelists for organisation signup flows on [redacted] $500.00
2018-11-29 15:29:00 UTC Blind MSSQL Injection in [redacted] $2,000.00
2018-11-28 15:02:39 UTC Alipay Merchant RSA Private Key disclosed on [redacted] $200.00
2018-11-21 16:58:25 UTC Recursively obtain [redacted] UUIDs by exploiting [redacted] $1,000.00
2018-11-20 22:19:04 UTC API under [redacted] allows unauthenticated users to send messages to [redacted] Slack $100.00
2018-11-15 10:13:13 UTC Externally available MSSQL server for [redacted] reveals a large amount of data + local file read $400.00
2018-11-02 20:18:53 UTC Ability to adjust your own [redacted] order price [redacted] $1,500.00
2018-10-24 14:40:13 UTC Arbitrary File Upload Leading to Persistent XSS on [redacted] $400.00
2018-10-24 10:36:13 UTC Extract the details of every [redacted] User (name, openid, unionid, mobile, nickname, province, city, gender, bday) via [redacted] $400.00
2018-10-22 14:26:23 UTC Critical: Prod access to all [redacted] Admins and Employees - obtain all emails uuids and access to administrative actions $500.00
2018-10-12 18:56:47 UTC Unauthenticated XXE on [redacted]/OA_HTML/lcmServiceController.jsp $166.67
2018-10-06 18:26:10 UTC PhantomJS SSRF with ability to read full response via [redacted] AWS $500.00
2018-09-30 00:29:08 UTC Multiple issues with [redacted] (SSO bypass, Git repo with employee credentials, and broken application logic) $2,000.00
2018-09-03 09:55:32 UTC Multiple instances of error based MSSQL injection on `[redacted]` with access to 30 databases $5,000.00
2018-09-03 09:15:04 UTC RCE through arbitrary file upload via [redacted]/cms/Handler/kvimgupload.ashx $3,000.00
2018-09-03 09:13:37 UTC RCE through arbitrary file upload via [redacted]/staff/cms/Handler/toolsupload.ashx $3,000.00
2018-09-03 09:03:06 UTC MSSQL injection via [redacted]/incentive/report.aspx $2,000.00
2018-08-30 17:52:47 UTC Directory listing on [redacted] leads to Russian [redacted] PII and internal documentation/slide deck disclosure $1,000.00
2018-08-28 07:07:34 UTC Highly sensitive repos containing internal [redacted] application source and databases with over ~700 emails leaked $800.00
2018-08-20 13:01:40 UTC Server variables leaked on [redacted]/servvar.asp, also allowing for the ability to steal HTTPOnly cookies $400.00
2018-08-14 17:08:24 UTC 3rd party subdomain hijack - EC2 IP of [redacted] is no longer controlled by Salesforce $62.50
2018-08-13 18:25:52 UTC DOM based XSS on [redacted] (works on all browsers) $125.00
2018-08-12 07:04:32 UTC [First 30] Blind SSRF at [redacted]/handle_pasted_images via fileURLs $375.00
2018-08-10 06:36:30 UTC [First 30] Accessible ca and secrets.enc file exposed on VPN - [redacted] $1,250.00
2018-08-10 02:11:48 UTC [first 30] Subdomain takeover [redacted] $555.00
2018-08-09 08:08:16 UTC Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID $1,000.00
2018-08-09 07:39:29 UTC Ability to bruteforce any [redacted] dashboard user without any rate limiting $500.00
2018-08-09 05:56:38 UTC Leaked promotion codes (including internal employee promotion codes) and employee UUIDs (containing payment profiles) on [redacted] $1,000.00
2018-08-09 05:49:26 UTC Ability to obtain payment profiles and sensitive information of any [redacted] user if you know their UUID $1,000.00
2018-08-09 05:47:46 UTC Ability to obtain profile info and metadata (email, payments, account type, associations) for any [redacted] user if you know their UUID $2,000.00
2018-07-26 16:21:23 UTC Reflected XSS on Jplayer.swf located on the [redacted] owned S3 bucket [redacted] $250.00
2018-07-19 18:46:43 UTC POST based XSS via [redacted]/api/utils/signup $300.00
2018-07-11 22:48:23 UTC (Potential) IDOR in `/api/[redacted]` via [redacted] $500.00
2018-07-11 22:44:36 UTC Ability to enumerate [redacted] via `/api/[redacted]` on [redacted] $2,000.00
2018-07-06 06:53:19 UTC Incentives administration panel is accessible without auth, revealing a large number of users registered on [redacted] $800.00
2018-07-06 06:47:06 UTC RCE on [redacted] through arbitrary file upload $3,000.00
2018-07-06 06:40:07 UTC Auth bypass leading to administrative access to [redacted]/locationcms/ (can modify/delete/add anything) $800.00
2018-07-06 06:31:23 UTC MSSQL injection via [redacted]/locationcms/Template/StoreList.aspx $2,000.00
2018-07-02 12:08:16 UTC Critical issues on [redacted] (database credentials, entire application source code leaked and SQLi) $800.00
2018-06-28 20:17:38 UTC Extract payment method used (email or last 4 card no) through [redacted] $500.00
2018-06-22 15:48:11 UTC Multiple full-response SSRFs on [redacted] API `/api/utils/download-file` leading to internal access to [redacted] assets $3,250.00
2018-06-22 15:47:31 UTC Multiple full-response SSRFs on [redacted] API `/api/partner/[redacted]` leading to internal access to [redacted] $625.00
2018-06-16 19:14:30 UTC Facebook Submission [redacted] $500.00
2018-06-16 17:56:17 UTC Facebook Submission [redacted] $4,000.00
2018-06-16 17:55:00 UTC Facebook Submission [redacted] $5,000.00
2018-06-16 15:54:20 UTC Facebook Submission [redacted] $500.00
2018-06-16 15:10:50 UTC Facebook Submission [redacted] $500.00
2018-06-16 14:56:58 UTC Facebook Submission [redacted] $500.00
2018-06-16 14:38:05 UTC Facebook Submission [redacted] $3,000.00
2018-06-16 13:47:59 UTC Facebook Submission [redacted] $5,000.00
2018-06-16 13:27:27 UTC Facebook Submission [redacted] $500.00
2018-06-13 21:24:58 UTC Stealing Zendesk admin credentials for [redacted].zendesk.com via [redacted] $2,250.00
2018-06-13 21:21:41 UTC Ability to receive a support call with the identity of another [redacted] store using an IDOR in [redacted] $1,500.00
2018-05-31 13:02:19 UTC Incorrect implementation of cloudflare on [redacted] $500.00
2018-05-26 17:51:18 UTC SSRF on [redacted] allows for access to internal hosts [redacted] $1,000.00
2018-05-26 16:52:38 UTC [first 30] - Stored XSS on [redacted] within the Roles dialog $1,206.00
2018-05-26 13:59:34 UTC SSRF on [redacted] allows for access to internal hosts [redacted] $1,728.00
2018-05-26 12:40:45 UTC [first 30] - EC2 IP of [redacted] is no longer controlled by [redacted] $216.00
2018-05-26 11:45:03 UTC [first 30] - Stored XSS on [redacted] within the Roles dialog $125.00
2018-05-26 09:10:39 UTC Ability to bruteforce the password of a current user without locking them out by using an active session $125.00
2018-05-25 13:34:24 UTC [redacted] owned Cisco 3750 on the external internet - bruteforcable via Telnet/SSH/HTTP [redacted] $250.00
2018-05-25 13:33:35 UTC Two wordpress administration panels for [redacted] on WPEngine [redacted] $400.00
2018-05-23 21:59:17 UTC AWS secret key and other secrets (sessions) leaked on [redacted] $500.00
2018-05-02 12:35:46 UTC Server-side source code disclosed on [redacted] $250.00
2018-04-20 13:29:13 UTC Exposed Rabbit-MQ administration panel located at [redacted] $250.00
2018-04-11 22:41:51 UTC Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed $3,750.00
2018-04-05 21:07:29 UTC Sensitive APIs discovered on [redacted] requiring no auth leading to AWS cloud data and user leakage (20k staff details leaked) $15,000.00
2018-04-05 21:06:52 UTC Postgres SQL Injection on [redacted] leading to potential AWS cloud account takeover $15,000.00
2018-03-23 22:29:19 UTC Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] $9,500.00
2018-03-22 15:33:20 UTC Django admin panel exposed at [redacted] $250.00
2018-03-16 17:32:47 UTC Multiple vulnerabilities in [redacted] Russia Telegram bot API leading to significant [redacted] data being exposed $500.00
2018-03-09 17:01:55 UTC Arbitrary origins trusted when making authenticated API calls to [redacted] $250.00
2018-03-09 16:58:16 UTC Exposed Django Administration Panel @ [redacted] $750.00
2018-03-02 12:53:11 UTC Exposed Django Administration Panel @ [redacted] $750.00
2018-03-02 12:48:41 UTC Taking over [redacted] owned domain [redacted] due to unclaimed Amazon S3 bucket $500.00
2018-02-28 22:48:14 UTC Multiple SQL injection vulnerabilities on [redacted] $2,500.00
2018-02-20 02:34:49 UTC Secrets (CloudFront credentials, private keys, server settings) from config/secrets/secrets.json found on [redacted] $500.00
2018-02-06 17:40:24 UTC P2P Referral Program Django Admin Panel @ [redacted] $250.00
2018-02-06 17:34:27 UTC Subdomain takeover of [redacted] $4,000.00
2018-01-31 23:17:37 UTC Subdomain takeover of [redacted] and [redacted] via Azure VMs $4,000.00
2018-01-31 14:59:44 UTC AWS credentials disclosure via SSRF in Atlassian Confluence [redacted] $2,500.00
2018-01-24 15:11:23 UTC PHP testing scripts and PHPMyAdmin exposed on the external internet on [redacted]:81 $200.00
2018-01-05 07:00:59 UTC AWS key disclosure via SSRF on [redacted] leads to privileged AWS access $10,000.00
2018-01-04 13:05:48 UTC Domain/subdomain takeover of [redacted] via Azure $400.00
2018-01-04 13:04:15 UTC [redacted] pointing to an IP address no longer owned by [redacted] $200.00
2017-12-27 16:15:40 UTC Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries $20,000.00
2017-12-11 17:46:11 UTC HTML Injection via Emails in company names on [redacted] $500.00
2017-12-11 17:41:39 UTC Persistent XSS on [redacted] via subdomain takeover $500.00
2017-11-28 15:57:33 UTC Ability to write to [redacted].s3.amazonaws.com due to misconfigured S3 ACLs $400.00
2017-11-24 11:32:26 UTC ELMAH exposed on [redacted] exposing usernames, session details, sensitive information $800.00
2017-11-21 00:48:14 UTC Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries $2,500.00
2017-11-14 18:30:11 UTC Ability to extract all UUIDs, emails and first names of [redacted] users via [redacted] queries $500.00
2017-11-13 23:43:58 UTC Persistent XSS on [redacted] via subdomain takeover $500.00
2017-10-23 11:10:21 UTC OpenVPN administration panel exposed for [redacted] $250.00
2017-10-02 23:33:44 UTC No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes $1,150.00
2017-08-29 16:33:52 UTC [redacted] $5,000.00
2017-08-29 16:33:19 UTC [redacted] $5,000.00
2017-08-29 16:32:25 UTC [redacted] $1,500.00
2017-08-29 16:32:04 UTC [redacted] $1,500.00
2017-08-29 16:31:24 UTC [redacted] $500.00
2017-08-29 16:31:04 UTC [redacted] $500.00
2017-08-29 16:30:45 UTC [redacted] $500.00
2017-08-29 16:30:25 UTC [redacted] $500.00
2017-08-29 16:30:05 UTC [redacted] $500.00
2017-08-29 16:29:44 UTC [redacted] $500.00
2017-08-29 16:29:22 UTC [redacted] $500.00
2017-08-29 16:29:00 UTC [redacted] $500.00
2017-08-29 16:28:34 UTC [redacted] $500.00
2017-08-29 16:28:04 UTC [redacted] $500.00
2017-08-29 16:27:16 UTC [redacted] $100.00
2017-08-29 16:26:58 UTC [redacted] $100.00
2017-08-02 22:55:34 UTC Source code disclosure (including current MySQL DB creds) for https://[redacted] $1,000.00
2017-08-02 22:55:18 UTC Potential second order RCE on https://[redacted] $9,000.00
2017-08-02 22:53:54 UTC SQL Injection in https://[redacted]/job.php $2,000.00
2017-08-02 22:53:40 UTC SQL Injection in https://[redacted]/detail.php $2,000.00
2017-08-02 22:53:16 UTC SQL Injection in https://[redacted]/controls/PE/loaddata.php $2,000.00
2017-07-28 12:58:25 UTC Deep dive into [redacted] crash dump reporting tool - Persistent XSS + Downloading all crash dumps - [redacted] $2,000.00
2017-07-20 01:19:28 UTC Exposed [redacted] statistics/administration panel $500.00
2017-07-20 01:18:15 UTC Ability to enumerate and bruteforce user accounts on [redacted] $400.00
2017-07-18 00:28:37 UTC Git repository access on QA machines on [redacted] and [redacted] exposing source code and production secrets $10,000.00
2017-07-14 23:00:16 UTC Stored cross-site scripting on exposed development server @ [redacted] $300.00
2017-06-09 10:13:30 UTC Ability to submit bugs on behalf of other users on the [redacted] environments for [redacted] $250.00
2017-06-05 09:42:55 UTC Admin access to Grafana instance with Credential Disclosure $500.00
2017-06-02 09:32:33 UTC Wordpress Database Credentials Leakage + Find and replace MySQL tool (searchreplacedb2.php) on [redacted] + MySQL root password $1,000.00
2017-05-12 11:20:10 UTC Prevent [redacted] users from using their own VK account on [redacted] $1,000.00
2017-05-12 11:19:28 UTC Open admin panel / Multiple WordPress related issues on [redacted] $250.00
2017-05-12 11:18:36 UTC URL Redirection flaw affecting [redacted] official login flow [redacted] $600.00
2017-05-12 11:11:24 UTC Tomcat Manager left enabled on [redacted] (authentication required - exposed admin interface) $250.00
2017-05-12 11:09:23 UTC Ability to upload arbitrary files to the [redacted] S3 bucket via signed Amazon requests [redacted] $1,500.00
2017-05-12 11:07:07 UTC Open administrative interface at [redacted] for [redacted] $500.00
2017-05-04 00:25:09 UTC Arbitrary file write and remote command execution on [redacted] $9,500.00
2017-05-04 00:24:11 UTC Local file disclosure on [redacted] $2,000.00
2017-05-04 00:22:00 UTC MySQL Injection on [redacted] Drupal endpoint [redacted], potentially able to escalate $9,500.00
2017-04-21 04:00:55 UTC Critical 2nd instance of SQL injection (no authentication required) on [redacted] $1,000.00
2017-04-21 04:00:00 UTC Persistent XSS + CSRF via [redacted] $250.00
2017-04-21 03:59:44 UTC Multiple reflected XSS on [redacted] $200.00
2017-04-21 03:57:58 UTC Reflected XSS via video-js.swf on [redacted] $500.00
2017-04-21 03:57:44 UTC Reflected XSS via copy_csv_xls_pdf.swf on [redacted] $500.00
2017-04-21 03:57:26 UTC Reflected XSS via flowplayer-3.2.16.swf on [redacted] $500.00
2017-04-21 03:47:11 UTC Source code disclosure through Git repo exposed on [redacted]/subs/.git/config $1,000.00
2017-04-18 12:51:50 UTC Django debugging mode enabled on [redacted] $250.00
2017-04-18 12:47:29 UTC Fully controllable SSRF on [redacted] allowing for GET/POST to internal resources $17,500.00
2017-04-17 23:09:26 UTC Building control system (Niagara) and 4g CradlePoint router externally exposed for [redacted] Pittsburgh office $500.00
2017-04-14 15:07:24 UTC No rate limiting enforced on [redacted] allowing for the ability to bruteforce event promo codes $500.00
2017-04-14 03:13:46 UTC RCE on [redacted] after bruteforcing valid credentials $9,600.00
2017-04-14 03:11:38 UTC Local file disclosure and SSRF in [redacted] $3,100.00
2017-04-14 03:08:36 UTC SQL injection on [redacted] $1,100.00
2017-04-11 17:36:38 UTC updateUserInfo RPC endpoint IDOR on [redacted] (view/update any users details via UUID) $3,000.00
2017-03-30 00:53:31 UTC 3rd party subdomain hijack - EC2 IP of [redacted] is no longer controlled by [redacted] $150.00
2017-03-21 19:31:45 UTC PHPInfo debug scripts exposed on [redacted] and [redacted] $150.00
2017-03-03 11:03:03 UTC XSS on [redacted] through uploading SWFs as JPG $1,800.00
2017-03-03 11:01:13 UTC XSS on [redacted] due to Wordpress vulnerability $2,000.00
2017-03-01 20:58:14 UTC Ability to bruteforce users on [redacted] confluence via bypassing route redirections $3,000.00
2017-02-24 10:43:41 UTC Account bruteforce bug for [redacted] users $500.00
2017-02-24 10:43:09 UTC [redacted] vulnerable to IIS short name disclosure $250.00
2017-02-17 11:48:41 UTC [redacted] vulnerable to IIS short name disclosure $250.00
2017-02-17 11:46:10 UTC WordPress admin bruteforce and interface through XMLRPC.php on [redacted] $1,000.00
2017-01-24 00:05:33 UTC Subdomain takeover of [redacted] through StatusPage.io $110.00
2017-01-20 10:26:53 UTC Reflected XSS via flashmediaelement.swf on [redacted] $2,000.00
2017-01-19 23:07:35 UTC Ability to bruteforce [redacted] accounts using associated mobile number via [redacted] $3,300.00
2017-01-17 23:24:01 UTC Ability to bruteforce [redacted] active directory through [redacted] $300.00
2017-01-11 01:37:53 UTC Ability to bruteforce [redacted] active directory through [redacted] $3,000.00
2016-12-23 21:02:39 UTC Exposed git repository on [redacted] reveals all application source code, including 1k user plain text passwords + db info $4,000.00
2016-12-20 06:56:47 UTC Publicly accessible sign up for Rocket Chat leading to potential breach of internal employees $50.00
2016-12-16 10:46:58 UTC Expired domain referenced in iframe elements on [redacted] $1,000.00
2016-12-09 11:22:13 UTC Information disclosure - subdomain leaks internal host via DNS $250.00
2016-12-09 11:21:36 UTC Account bruteforce bug on [redacted] $750.00
2016-12-09 11:20:18 UTC Critical - Perform administrative actions via an IDOR on [redacted] - Manipulation of the leaderboard and more $500.00
2016-12-09 11:16:50 UTC [redacted] Administration Panel [redacted] $750.00
2016-12-09 11:15:00 UTC Subdomains [redacted] pointing to EC2 instance owned by LucidPress (*.lucidpress.com) $750.00
2016-12-09 11:13:10 UTC Page takeover of [redacted]/ru/page/cosplay_contest due to expired Wufoo form $750.00
2016-12-09 10:57:37 UTC Publicly accessible *admin* access to AWS auditing tool used by [redacted] $15,000.00
2016-11-29 10:49:02 UTC Ability to map arbitrary VK.com IDs with [redacted] players via [redacted] $750.00
2016-11-29 10:48:37 UTC Info Disc. of Internal Docker Instance $250.00
2016-11-28 14:10:40 UTC Information disclosure (internal IP addresses of all workers, memory usage, status) for [redacted] $250.00
2016-11-18 11:52:25 UTC SQL Injection on [redacted] leading to full administrative access $5,000.00
2016-11-18 11:49:29 UTC Persistent cross-site scripting/partial arbitrary file upload on [redacted] $3,000.00
2016-11-18 11:47:47 UTC Partial Git repo information found on [redacted] $250.00
2016-11-07 18:18:41 UTC Potential dangling subdomain record [redacted] for thismoment's SaaS tool $2,000.00
2016-11-04 17:04:57 UTC Weird Reflected XSS on [redacted] $750.00
2016-11-04 16:50:25 UTC Reflected cross-site scripting on [redacted] $1,200.00
2016-11-03 11:58:18 UTC Subdomain takeover of [redacted] via dangling CloudFront CNAME $250.00
2016-10-31 15:46:05 UTC Public read/write to Amazon S3 bucket [redacted] allowing for ability to replace Android [redacted] APKs and subdomain takeover $200.00
2016-10-24 19:35:37 UTC X-Forwarded-For bypasses to access debugging pages across multiple [redacted] hosts $1,000.00
2016-10-13 17:25:36 UTC Subdomain takeover of [redacted] leading to Starbucks account takeovers via cookie stealing $1,000.00
2016-10-13 17:24:47 UTC Subdomain takeover of [redacted] due to expired Azure Traffic Manager endpoint $1,000.00
2016-10-13 17:22:22 UTC Dangling DNS CNAME record for the domain [redacted] pointing to [redacted] $2,000.00
2016-10-13 17:03:25 UTC Symfony app_dev.php found on [redacted] - Profiler is enabled and accessible by anyone $1,000.00
2016-10-10 23:49:06 UTC Exposed administration interfaces for [redacted] infrastructure/third party applications $100.00
2016-09-19 19:35:18 UTC Sensitive information leaked via X-Forwarded-For header spoofing on [redacted] $500.00
2016-09-13 20:44:44 UTC Subdomain takeover of [redacted] via Amazon S3 buckets $100.00
2016-09-07 18:03:11 UTC Subdomain takeover of [redacted] due to expired Azure traffic manager endpoint $1,000.00
2016-09-04 00:38:19 UTC Insecure S3 bucket [redacted] leading to the takeover of critical assets [redacted] $1,000.00
2016-09-01 21:21:44 UTC Subdomain hijack of [redacted] through Unbounce Pages $100.00
2016-08-31 20:32:42 UTC Subdomain takeover of [redacted] leading to [redacted] account takeovers via cookie stealing $1,000.00
2016-08-31 12:56:29 UTC [Critical] Blind XSS in the [redacted] administration panel leading to full access of administration panel $250.00
2016-08-31 01:33:12 UTC Multiple critical risk vulnerabilities affecting Accellion Kiteworks on [redacted] $3,000.00
2016-08-30 18:00:10 UTC Reflected Cross-site Scripting on [redacted] due to unpatched Confluence $50.00
2016-08-29 16:15:09 UTC Subdomain takeover possible on [redacted] through Uservoice Feedback SaaS $25.00
2016-08-23 17:06:26 UTC Subdomain takeover of [redacted] through Heroku $50.00
2016-08-23 15:43:27 UTC Persistent cross-site scripting on event pages created on [redacted] $75.00
2016-08-17 19:20:34 UTC Subdomain takeover of [redacted] $200.00
2016-07-30 13:56:21 UTC Subdomain hijack of [redacted] due to expired S3 bucket [redacted] $25.00
2016-07-26 20:35:16 UTC Multiple source code repositories, private internal documents and config from [redacted] $350.00
2016-07-25 21:01:07 UTC Server-side request forgery allowing for the ability to contact internal [redacted] AWS hosts such as ElasticSearch and Staging instances $3,000.00
2016-07-14 01:27:21 UTC Subdomain Takeover [redacted] via Heroku $100.00
2016-07-14 00:40:57 UTC Subdomain no longer controlled by [redacted] $100.00
2016-07-14 00:29:42 UTC Subdomain no longer controlled by [redacted] $100.00
2016-07-11 14:18:03 UTC Subdomain hijack of [redacted] (WP-Engine) $1,000.00
2016-07-04 02:15:08 UTC Subdomain hijack of [redacted] via Vagrant Share $100.00
2016-07-04 02:13:59 UTC 3rd party subdomain hijack - EC2 IP of [redacted] is no longer controlled by [redacted] $100.00
2016-07-01 09:29:53 UTC Open administration panel with no authentication (full access) - [redacted] $500.00
2016-06-24 19:06:43 UTC Subdomain hijack of [redacted] (WPEngine #2) $1,000.00
2016-06-17 10:15:30 UTC Open Remote bruteforcable MySQL login on [redacted] $750.00
2016-06-13 15:22:23 UTC Password based bruteforcable SSH server on [redacted] $250.00
2016-06-03 10:22:34 UTC Administration Panel Access (no auth required) to the [redacted] $3,000.00
2016-06-03 10:21:53 UTC Multiple issues on [redacted] with the Django Rest API [Info disc, Priv Esc, IDOR] $500.00
2016-05-20 12:43:21 UTC Minor information disclosure on [redacted] (project details and gitignore) $250.00
2016-05-20 12:41:34 UTC Partial page takeover again on [redacted] $1,000.00
2016-05-18 18:18:11 UTC Leaked FTP credentials for [redacted] => persistent XSS, uploading of files, SOP bypass $800.00
2016-05-13 10:10:21 UTC Nine open administrator panels exposed on [redacted] $1,500.00
2016-05-13 10:09:19 UTC Subdomain takeover of [redacted] leading to the takeover of multiple pages on [redacted] $2,500.00
2016-05-13 10:08:42 UTC CSRF & Arbitrary file upload vulnerability to a [redacted] owned s3 bucket $500.00
2016-05-06 10:00:26 UTC Open Joomla administration panel for the [redacted] application on [redacted] $500.00
2016-05-06 09:58:21 UTC Three instances of reflected XSS on https://[redacted] $2,000.00
2016-04-26 09:47:31 UTC Reflected XSS on [redacted] via ZeroClipboard $1,750.00

Analysis

I can tell you that the exact amount made, after calculating all of the payouts in the table above, is $635,387.47 made in 1590 days (4 years, 4 months). This is not the total amount I have made all-time in bounties. This figure is only inclusive of the HackerOne platform, no other platforms that I have submitted bugs to have been counted in this blog post. I report the vast majority of my bugs to programs on HackerOne.

I know hackers in the bug bounty community that are capable of making hundreds of thousands within weeks or months. Sadly, that’s not me, but I do find them inspiring. As I said earlier in this blog post, I came to terms with the fact that there are better hackers out there, and these days, I am proud to be ranked 43rd on HackerOne at the time of writing this.

If you divide the amount of money by the number of days, you will quickly work out that it averages out to roughly $400 USD a day. I could have been earning this amount or more by working as a consultant with a high day rate, but the difference is, I made all of the ~635k on my own terms.

I worked when and where I wanted to and didn’t touch a bounty program for weeks if I wasn’t feeling up to it.

There were at least 62 bugs in the table above that were the direct result of automation. This accounts for 18% of the total number of bugs I reported in the last 4 years. This is a pretty interesting takeaway, and proves to me that automation is one of the facets that leads to success in finding security issues.

These companies paid me quite a lot of money in order to lock down their attack surfaces. While earning this money and learning new techniques along the way, we built as many of the workflows, techniques, tooling and methodologies as we could into Assetnote. We found that by translating bug bounty success into a more digestible enterprise product, we were able to establish ourselves as a key player in the attack surface management space.

Today, we have a strong customer base that uses our product not only to find exposures immediately as they happen, but also, more creatively, to reduce their bug bounty spend by not paying for issues that are found through automation. Assetnote’s platform has been thoroughly tested against attack surfaces in the last four years of my bug bounty hunting, and is capable of continuously finding security vulnerabilities.

A majority of the bugs were only possible due to automated asset discovery, but still required some manual inspection and exploitation. Large scale asset identification is still a key pillar of my success.

In terms of criticality, there were 24 SQL injections, 22 SSRFs, 20 IDORs, and at least 11 RCEs.

I focused my time mainly on Uber as I simply enjoyed it more and valued the team working there - first with Matthew Bryant, Collin Greene and then with Joel Margolis after Matt and Collin had left.

For the four years of hacking on Uber, I was able to come up with a methodology when approaching their assets by having a deep understanding of their architecture and development practices. This was absolutely key to my success, and I’m sure other successful bug bounty hunters have a specific way they approach a program. Every company is different when it comes to hacking them.


Collaboration

Throughout these four years, I collaborated with and learnt a lot from (in no particular order):

  • Andre - we owned [redacted] together through ObjectStateFormatter deserialization

I came across a host and using all of my techniques when it comes to attacking .NET applications, I was able to find a few serious issues, but not command execution. At the time, research was released around how it is possible to achieve RCE through the VIEWSTATE parameter, via insecure deserialization, if you have the machineKey.

I enlisted Andre to help, and he was able to not only successfully leak the machineKey, but also was one of the first people to create a tool to exploit this vulnerability.

Andre’s heavy experience in CTFs was key to our success in this collaboration.

  • Joel - we owned Facebook together through an XXE in a vendor product

I asked Joel for help when I was reversing a vendor product that Facebook had put up on their attack surface, under one of their corporate domains.

I was able to get the source code of this product by spinning up an AMI from Amazon’s Marketplace and then getting a shell on the deployed instance. However, when trying to debug a tricky potential XXE through XSDs, I wasn’t able to go further by just reading the source code.

I didn’t know why my exploits weren’t working.

Joel’s experience when it came to Java was key to our success here. He decompiled the jar files, created an IntelliJ project and fixed all of the errors. Then we started debugging it step by step.

It was an absolute pleasure watching Joel work this out and I look forward to collaborating with him in the future.

  • Naffy - for helping me understand the best attack against Yahoo’s attack surface is persistence

I’ve known Naffy for almost a decade now, and the biggest thing I have taken away from him is that any attack surface can be broken into given enough time and effort. In the early days of bug bounties, Naffy was dominating the leaderboard for Yahoo’s bounty program - due to this he has a lot of experience with large attack surfaces.

Yahoo, now owned by Verizon, have an incredible amount of infrastructure and assets deployed on the internet. However, the noise on the attack surface is ridiculous to deal with.

What Naffy showed me was that with enough persistence and time, things break, and we have to be watching closely to capitalise on that.

  • Sean - I’ve lost count of the number of things we have owned together

Every time I have been in a tricky situation where I struggle with exploiting an issue due to technical complexities or lack of knowledge, Sean has been the one to push through and help develop proof-of-concept exploits.

Sean has been able to translate high-risk security issues into automation very successfully and it has led to a lot of vulnerabilities that we have disclosed together.

  • Oscar - I did a lot of collaboration on bounties with Oscar while I was at Bishop Fox

I used to talk with Oscar daily when I was at Bishop Fox. Oscar played a huge role when it came to showing me how to hyper-optimise the speed at which DNS bruteforcing is possible.

While I worked with him, I found him to be incredibly switched on and most of all, a kind person. He has contributed to many bounty successes while I was working at Bishop Fox.

  • Huey - we fine tuned my methodology on Uber together

JavaScript source maps are a brilliant way to better understand the internals of any client-side application. I look for source map files now every time I find JavaScript files, and that is thanks to Huey.

On Uber, we have used sourcemap files to better understand the GraphQL queries and API endpoints that are being used by Uber applications, to further exploit them. I have a better understanding of JavaScript thanks to Huey.

  • Anshuman - we audited source code together for a PayPal live hacking event

For a recent live hacking event, we took apart the CMS called PencilBlue as it was being used by a particular target. Together, we had a blast auditing the source code, beating each other to different flows in the application source code and bonding over the speed at which we approach attack surfaces.

  • Rhys - he helped me convert a stolen secret into an account takeover

At a live hacking event, I discovered credentials such as secret keys that were leaked through Google’s cached pages. A development asset which printed all of the environment variables and secrets in plain text was being proxied through ngrok, and Google had managed to not only index, but cache it, with all of the secrets in place.

After stealing these secrets from the cached copy, I asked Rhys to help me prove impact. He definitely delivered, by converting the tokens I stole, into an interactionless account takeover. Rhys is also very switched on. He won that live hacking event by miles.

We gained access to Mozilla’s internal AWS network by exploiting WebPageTest.

There are probably more people that I worked with over the years whom I cannot immediately recall. My point to you is that collaboration has been really important when it comes to growth and success in bug bounties.

Also, please don’t just ask someone to hack something for you. In all of the cases above, the reason why collaboration was so successful was because the initial triage was done by one party. There was always an initial foothold or concept that was shared out of trust, which then led to actual collaboration on the issue. Don’t expect that people are going to exploit things for you without presenting at least half the exploit chain or idea.


Methodology

As I’ve talked about previously in this blog post, my methodology still revolves around the identification of assets belonging to an organization on the internet.

The speed of asset identification and content discovery has increased tremendously. This is partially due to the fundamental shift in the security scene from writing tools in Python, to writing them in Golang or Rust, due to the speed benefits they entail.

We have also adopted this trend at Assetnote, and key components of our platform, such as our in-house DNS resolver, have been rewritten and optimized in Rust by Huey to take advantage of the speed it brings.

The one thing I have noticed when it comes to analysing an attack surface is the importance of making sure that your tools output information in a way that highlights relationships. For example, the output of most fast DNS bruteforcing tools simply sucks. Here’s how I prefer DNS data to be laid out – something that tracertea shared with me:

0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64
0.0.0.0.0.0.0.0.0.shopify.com -> wc.shopify.com. -> 23.227.38.64

When you are looking at thousands of assets at once, you have no idea how much of a difference this optimisation can make. I can immediately recognise the relationships between the source and destination when it comes to analysing this DNS data.
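The layout above is easy to produce once the CNAME chain is tracked per name rather than flattened into a list of IPs. The following Go program is an added example written for this post; it is not Assetnote’s resolver or any tool the author used. It follows CNAMEs over a constructed in-memory zone (the shopify.com entries mirror the listing above; the example.com and saas-provider.example names and the dangling target are assumptions), prints each chain as source -> alias -> address, groups names by where their chain ends so shared infrastructure stands out, and flags chains whose final alias has no record at all, which is the dangling-CNAME condition behind the takeover reports in the table. A hop limit keeps a CNAME loop from spinning forever.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is one constructed DNS answer for a name: an alias (CNAME) or an address (A).
type Record struct {
	CNAME string // set when the name is an alias for another name
	A     string // set when the name resolves directly to an address
}

// zone is a constructed, offline stand-in for real DNS answers (an assumption for
// illustration; nothing here was looked up). Keys are unqualified and CNAME targets
// carry the trailing dot, matching the layout in the post.
var zone = map[string]Record{
	"0.shopify.com":     {CNAME: "wc.shopify.com."},
	"0.0.shopify.com":   {CNAME: "wc.shopify.com."},
	"wc.shopify.com":    {A: "23.227.38.64"},
	"blog.example.com":  {CNAME: "example-blog.saas-provider.example."}, // target has no record: dangling
	"loop.example.com":  {CNAME: "loop2.example.com."},
	"loop2.example.com": {CNAME: "loop.example.com."},
}

// maxHops bounds CNAME chasing so a CNAME loop cannot spin forever.
const maxHops = 8

// LookupZone answers from the constructed zone; a real tool would query resolvers here.
func LookupZone(name string) (Record, bool) {
	r, ok := zone[strings.TrimSuffix(strings.ToLower(name), ".")]
	return r, ok
}

// Chain is the resolved path of one source name.
type Chain struct {
	Name     string
	Hops     []string // CNAME targets in the order they were followed
	Addr     string   // final address, empty if the chain never reaches an A record
	Dangling bool     // at least one alias was followed and the last target has no record
}

// Resolve follows CNAMEs from name until an address, a missing record, or maxHops.
func Resolve(name string, lookup func(string) (Record, bool)) Chain {
	c := Chain{Name: name}
	cur := name
	for i := 0; i < maxHops; i++ {
		rec, ok := lookup(cur)
		if !ok {
			// A missing source name is plain NXDOMAIN; a missing CNAME target is the
			// dangling record a takeover report would be about, so only that is flagged.
			c.Dangling = len(c.Hops) > 0
			return c
		}
		if rec.CNAME == "" {
			c.Addr = rec.A
			return c
		}
		c.Hops = append(c.Hops, rec.CNAME)
		cur = rec.CNAME
	}
	return c // hop limit reached (loop): no address, not a dangling target
}

// Format prints source -> alias -> ... -> address, marking chains with no live target.
func Format(c Chain) string {
	parts := append([]string{c.Name}, c.Hops...)
	switch {
	case c.Addr != "":
		parts = append(parts, c.Addr)
	case c.Dangling:
		parts = append(parts, "NXDOMAIN (dangling CNAME)")
	default:
		parts = append(parts, "no address (NXDOMAIN or CNAME loop)")
	}
	return strings.Join(parts, " -> ")
}

// GroupByTarget keys source names by where their chain ends (the address, or the last
// alias for dangling and looping chains), so every name hanging off one shared host or
// one dead target is visible in a single line.
func GroupByTarget(chains []Chain) map[string][]string {
	groups := map[string][]string{}
	for _, c := range chains {
		key := c.Addr
		if key == "" && len(c.Hops) > 0 {
			key = c.Hops[len(c.Hops)-1]
		}
		if key == "" {
			key = "NXDOMAIN"
		}
		groups[key] = append(groups[key], c.Name)
	}
	for _, names := range groups {
		sort.Strings(names) // deterministic output for diffing between runs
	}
	return groups
}

func main() {
	var chains []Chain
	for _, n := range []string{"0.shopify.com", "0.0.shopify.com", "blog.example.com", "loop.example.com"} {
		c := Resolve(n, LookupZone)
		chains = append(chains, c)
		fmt.Println(Format(c))
	}
	for target, srcs := range GroupByTarget(chains) {
		fmt.Printf("%-40s <- %s\n", target, strings.Join(srcs, ", "))
	}
}
```

Swapping LookupZone for a function that performs real queries turns this into the core of the layout the post asks for; keeping the grouping keyed on the final target is what makes a third-party alias with no backing record jump out when reviewing a few thousand names.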

It’s surprising that something so simple has had such a profound effect on me, but the same goes for color coding when displaying content discovery results. Most tools still lack in this area, and anyone who has had to spend the time combing through thousands of content discovery results will tell you that the task gets tiring quickly. Ultimately, I spend my time finding needles in haystacks, and colors make it so much easier.

When it comes to methodology, the program that has had the most profound effect on me is Uber, due to the ever changing attack surface.

In the four years, Uber has changed how they develop their software and deploy it. It has been extremely important to keep up with this and constantly reflect on the methodology being used to pierce through an attack surface. The continuous assessment of assets on the internet has been very effective against large attack surfaces in particular.

Attack surfaces are alive, evolving and complex at times.

When I first started hacking on Uber, I would see services such as Redis and HAProxy (admin panel) being exposed directly to the internet. I considered this to be an immature attack surface at the time as it was trivial to discover these security misconfigurations. But over the years, wow have they evolved.

These days, you simply will not find exposed services like Redis on Uber’s core attack surface, and this is a direct reflection of their processes and practices maturing internally when it comes to application security, and in a wider picture, their entire attack surface.

Instead, all of Uber’s internal and sensitive assets are routed to OneLogin at the DNS level. There have been cases where sensitive assets have slipped through the cracks and did not have OneLogin protecting them, but again, this is why monitoring attack surfaces continuously is so important.

Who knows? Someone could accidentally disable OneLogin protecting their assets for a short period of time, or spin up a sensitive asset that does not enforce OneLogin. Maybe because they are trying to test some changes, maybe because they don’t realise what they are doing.

I can confirm that the continuous monitoring of assets for security exposures is a core part of my methodology, and it is also the reason why we inherently baked it into Assetnote.
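The monitoring the last few paragraphs describe comes down to keeping a snapshot of what each host resolves to and how it answers an unauthenticated request, then diffing snapshots as they are taken. The Go program below is an added example written for this post, not Assetnote’s platform or anything the author published. It assumes a placeholder identity-provider host (login.example-idp.com, standing in for OneLogin) and two constructed snapshots of an example.com attack surface; it reports new hosts, removed hosts, changed DNS targets, and the case the post calls out, a host that used to redirect to the IdP and now answers directly. The SSO check compares only the host of the Location header, so a redirect to a lookalike domain does not pass.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Asset is one observed host: what it resolves to, and the Location header returned
// to an unauthenticated request ("" when the host served content instead of redirecting).
type Asset struct {
	Target   string
	Location string
}

// Snapshot is the state of a monitored attack surface at one point in time.
type Snapshot map[string]Asset

// Finding is one change between two snapshots that deserves a human look.
type Finding struct {
	Host, Kind, Detail string
}

// ssoHosts is the assumed identity-provider host sensitive assets must redirect to.
var ssoHosts = []string{"login.example-idp.com"}

// prevSnapshot and curSnapshot are constructed sample data, not real observations.
var prevSnapshot = Snapshot{
	"admin.example.com": {Target: "10.0.0.1", Location: "https://login.example-idp.com/saml/sso?RelayState=admin"},
	"api.example.com":   {Target: "203.0.113.5", Location: ""},
	"old.example.com":   {Target: "203.0.113.9", Location: ""},
}
var curSnapshot = Snapshot{
	"admin.example.com":         {Target: "10.0.0.1", Location: ""}, // SSO redirect gone
	"api.example.com":           {Target: "203.0.113.50", Location: ""},
	"staging-admin.example.com": {Target: "10.0.0.7", Location: ""}, // new, not behind SSO
}

// FrontedBySSO reports whether the request was bounced to the IdP. Only the host of the
// Location URL is compared: scheme and path differ per application, and a relative or
// empty Location means the host answered on its own.
func FrontedBySSO(location string) bool {
	u, err := url.Parse(location)
	if err != nil || u.Host == "" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, s := range ssoHosts {
		if host == s {
			return true
		}
	}
	return false
}

// DiffSnapshots compares two snapshots and returns findings sorted by host, then kind.
func DiffSnapshots(prev, cur Snapshot) []Finding {
	var out []Finding
	for host, a := range cur {
		p, seen := prev[host]
		switch {
		case !seen:
			out = append(out, Finding{host, "new-host",
				fmt.Sprintf("resolves to %s; behind SSO: %t", a.Target, FrontedBySSO(a.Location))})
		case p.Target != a.Target:
			out = append(out, Finding{host, "target-changed", p.Target + " -> " + a.Target})
		}
		// The case the post describes: a host that sat behind the IdP now answers directly.
		if seen && FrontedBySSO(p.Location) && !FrontedBySSO(a.Location) {
			out = append(out, Finding{host, "sso-dropped", "no longer redirects to the IdP"})
		}
	}
	for host, p := range prev {
		if _, still := cur[host]; !still {
			out = append(out, Finding{host, "removed-host", "was " + p.Target})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Kind < out[j].Kind
	})
	return out
}

func main() {
	for _, f := range DiffSnapshots(prevSnapshot, curSnapshot) {
		fmt.Printf("%-28s %-15s %s\n", f.Host, f.Kind, f.Detail)
	}
}
```

Run on a schedule with real snapshots, the sso-dropped and new-host findings are exactly the short windows the post warns about; because the diff is against the previous run rather than a fixed list, it also surfaces hosts that were never in anyone’s inventory.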

Not included in this blog post is all of the work I put into the United Airlines bug bounty, and due to the terms and conditions of their bounty program, I cannot go into much detail, but I can say that their attack surface has helped me hone my skills in .NET application security testing.

When I initially looked at an IIS server four years ago, I wouldn’t know where to start. These days, I have a methodology that has proven to be extremely successful when it comes to IIS servers in general.

Due to this and so much more that I do when I am approaching attack surfaces, I plan on releasing more videos on our YouTube channel over the next year. Please subscribe if you haven’t already :)


Assetnote’s Continuous Security Platform puts the power of automated reconnaissance and large scale asset identification in the hands of security teams around the world, so that they can replicate our methodologies and successes. Knowing what assets and exposures an attack surface has is key to locking it down, and we do our best to help security teams from all over the world with this.

If you work at a business that could use help with identifying and monitoring your assets, please reach out to us.