The US House of Representatives has passed a bill that would oblige federal contractors to implement a vulnerability disclosure policy (VDP).

If the bill subsequently passes the Senate, security researchers would have a formalised process through which to responsibly report vulnerabilities in systems belonging to providers of goods and services to the federal government.

Federal Contractor Cybersecurity Vulnerability Reduction Act

 (PDF), the Office of Management and Budget (OMB) would recommend updates to contract requirements and language around implementing VDPs within the Federal Acquisition Regulation (FAR), which governs federal procurement processes.

The OMB would consult with the director of the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Director and the director of the National Institute of Standards and Technology (NIST) in drafting these recommendations.

The bill requires that the Department of Defense (DOD) must conduct a similar review with regards to defence contractors.

VDPs would have to be consistent with NIST guidelines.

“Cyber threats don’t wait for bureaucratic red tape. This legislation ensures federal contractors meet the same high cybersecurity standards we expect from federal agencies,” 

, the congressional Republican who introduced the bipartisan bill in 2023. “By eliminating vulnerabilities before our adversaries can exploit them, we’re reinforcing America’s cyber resilience in real time.”

The bill has now been referred to the Committee on Homeland Security and Governmental Affairs.

VDPs have already been rolled out across US government departments, including the 

As of September 2024, CISA’s own VDP platform had, three years after launch, triaged over 12,000 submissions from 3,200 security researchers, resulting in 

 (PDF), 2,000 of which had been remediated at that point.

News of the US VDP bill’s passage through the house came just a few days after the UK Home Office, which is responsible for immigration, security and law and order, 

However, the announcement did not meet with universal acclaim. The CyberUp campaign has 

 that the VDP, which prohibits researchers from breaking “any applicable law or regulations”, is undermined by the fact that “the Computer Misuse Act – an archaic law written in 1990 when just 0.5% of the population had internet access – blanketly criminalises all unauthorised access to computer systems, irrespective of intent or motive to act in the public interest.”

Piecemeal efforts to reform the law are currently 

VDPs have long been seen as best practice within the cybersecurity industry, with the 

 guidelines on vulnerability disclosure a significant milestone. However, in recent years the rate of adoption in the public and private sector has accelerated, partly in anticipation of regulatory requirements.

 for instance requires that vendors of products with digital elements (PDEs) implement VDPs. The 

UK Product Security and Telecommunications Infrastructure (PSTI) Act

 mandates similar obligations for Internet of Things (IoT) manufacturers.

Secure, coordinated vulnerability disclosure

As a secure channel for coordinated vulnerability disclosure, a VDP shows your customers that you take security seriously and can usefully complement a 

 aligned with industry best practices and your specific needs and integrate it into your website. Other product features:

Unified interface for receiving reports and managing vulnerabilities

Receive only valid, actionable reports thanks to our in-house triage service

Triage team can evaluate bug severity and liaise with security researchers

End-to-end encryption ensures confidential communication

US House passes bill mandating vulnerability disclosure policies for federal contractors

, asked participants to perform a punycode attack to overwrite source code, escape a sandbox and perform a JavaScript code injection which exposes the flag.

Want to create your own monthly Dojo challenge? Send us a message on X!

 feeds to be notified of upcoming challenges.

Read on to find out how one of the winners managed to solve the challenge.

TALKIE PWNII #4: VIDEO CHALLENGE WRITE-UP

We want to thank everyone who participated and reported to the Dojo challenge. Below is the best write-up overall:

The challenge revolves around a web application that allows users to purchase and update websites. However, the application is vulnerable to code injection due to improper handling of user input in the 

 function. The application uses Node.js's 

 module to execute JavaScript code within a sandboxed environment. The issue arises from the use of 

, which is intended to restrict code execution but is improperly implemented, allowing an attacker to escape the sandbox and execute arbitrary code on the host machine.

This vulnerability is particularly dangerous because escaping the 

 context can lead to remote code execution (RCE), granting an attacker access to sensitive system resources and executing commands.

During the initial reconnaissance phase, a thorough code inspection was conducted to understand the application's architecture and functionality. The application is built using Node.js and utilizes the 

 module to execute user-provided JavaScript in an isolated environment. The code defines a sandboxed execution context and processes user input before passing it to 

. Additionally, various utility functions are implemented to handle user requests and manage application logic. By analyzing the source code, we can identify how input is handled, processed, and executed, which provides insight into potential security risks and areas requiring further scrutiny.

On the initial code analysis, the tech stack was analyzed, and it wasn't tough to realize that the underlying stack was Node.js, sqlite3 for database and ejs for templating. The first block of code is the main method, which handles the user input and handles the main application functionality.

 function executes,, it first initializes the db with 

 function which populates the database with two websites 

, by decoding potentially URL-encoded strings. Next, it is checked if the 

 variable is an empty string. In case it is empty string, the function returns early with 

The next try-catch block was an important block in uncovering this vulnerability.

The provided code is responsible for handling the registration of a website by checking its availability and, if available, proceeding with its purchase. The process follows a structured approach to ensure that duplicate registrations do not occur.

, which queries the database to check if the provided website name already exists. If the website is found in the database, it means it has already been registered by another user. If the website is already taken (

), the function immediately returns an error message:

If the website is available, it is converted to Unicode using 

. This step is crucial because domain names can be represented in Punycode, which encodes international characters into ASCII. It means if an attacker provides the punycode encoded version of an existing website, it escapes the availability check and gets converted back to Unicode version in this step.

In case an invalid website is given, it throws the error, "Invalid website given!"

Next lines of code is responsible for updating the content of a website for the client after checking if the website already exists in the database.

This code retrieves all websites from the database, checks if the provided website exists, and if found, updates its content with the given source code. The update stops once the first matching website is found. This method is crucial for injection of the user provided payload.

And here comes the most crucial block of the code.

This section of the code is responsible for verifying the source code of the website 

 by executing it in a controlled and secure environment. The code first retrieves the source code associated with the specified website from the database using the 

 function. Once the source code is obtained, it is run in a sandboxed environment using 

. This approach ensures that the source code is executed in isolation from the rest of the system, effectively preventing any unintended side effects or security vulnerabilities from affecting the broader environment.

The execution occurs in a context created by 

. If the source code contains errors or causes an exception during execution, the error is caught by the 

 block. When an error occurs, the function 

 is called to notify the infrastructure team about the issue, and the main function returns an error message indicating that the code verification process failed with the message "Our code is broken!"

Having understood the complete application logic, it is now easy to look for the security flaws. There is a normal flow when the user enters an available website and a valid or empty code, it displays the "Nice Catch - You're all set!" message.

 which already exists on the database, it shows that it has been already registered by another user. This blocks one from updating the source code and executing it in the sandbox environment.

 payload that escapes the availability check was required. The simple idea (and also mentioned in the hint) is to convert the website 

 to punycoded version which came out to be 

 check and gets converted back to unicoded version once availability check is done. So this can be used to update the source code of the website that could potentially escape the sandbox and execute code that can read the environment variables.

Now a payload that escapes the payload and can read the environment variables was required. On the pursuit of payload for 

, I came across multiple resources and tried a lot of different payloads. I finally managed to come up with the payload that escapes the JavaScript sandbox.

 Function object. A JavaScript function has a characteristic in which it accepts code as string and will then execute it. Our attack will exploit this fact and — along with a immediately invoked function execution, known as IIFE for short — will print the environment variables for the running Node.js process.

Which displayed the environment variables and you've pawned it modal.

I then changed the payload to display just the FLAG env variable,

With this injection, it is possible to read the environment vaiables of the Node.js process that is executing. The punycoded website name 

 escaped the availability check and allowed to update the malicious source code in the website i.e. 

this.constructor.constructor("console.log(process.env.FLAG)")()

 that exposes the sensitive env variables to the attacker.

An attacker could exploit this vulnerability to execute arbitrary Javscript code and disclose internal information like environment variables. If users are allowed to run custom code, they have complete access to the Node.js server runtime and can spawn processes, access the file system, and more.

Use Secure Sandboxing Libraries: Libraries like vm2 provide stricter isolation and prevent prototype pollution attacks.

Restrict Global Access: Limit access to built-in objects like Function, eval, and require by explicitly defining a safe environment.

Implement input sanitization to block malicious payloads

Dojo challenge #39 - Phishing winners & writeup

Are we entrusting too much coding to AI, too soon? The results of two new studies, along with fresh concerns expressed elsewhere, suggest we might be. 🤖

Exhibit A is a think piece that achieved the remarkable feat of eliciting a 

thoughtful, non-provocative response on X from Elon Musk

collective atrophy of basic programming skills

 to the loss of human muscle memory when it comes to navigating cities in the Google Maps era. “We’re at this weird inflection point in software development,” began the 

. “Every junior dev I talk to has Copilot or Claude or GPT running 24/7,” continued Namanyay Goel, a developer and entrepreneur. “They’re shipping code faster than ever. But when I dig deeper into their understanding of what they’re shipping? That’s where things get concerning,” he continued, before warning ominously of long-term adverse consequences of this rush to over-automate software development. 💡

Tech and cyber expert Andy Ellis expressed similar concerns in the CISO Series Podcast. In an episode titled ‘

Our Developers’ New Motto is 'LLM Take the Wheel

’, he cited Joel Spolsky’s 2002 article on ‘

risks posed by an over-reliance on LLMs for software development

: “When you see your code behave in a certain way, you might be like: ‘Oh, I probably have a memory leak, or I’m not running on big enough hardware’, whatever it is. And when you lose that understanding of the knowledge of complexity of what’s going on underneath it, you sort of don’t have the ability to reason about what’s happening. And if you let AI write your code […] that’s an abstraction barrier between your prompt engineering and some other level of code, which then has more abstraction barriers below it.” 🧩

Keeping developers connected to their code – especially the how to avoid insecure code and its consequences – is something our 

by leveraging vulnerability reports for internal training purposes

. The insights our ethical hackers provide, notably through proofs of concept for bugs and suggested mitigations, can teach devs secure development best practices and reduce the number of security flaws created. 🧠

Back to bashing AI now and new research revealing how 

AI coding assistants might be eroding code quality

. Based on analysis of 211 million lines of code, a 

 found that there were eight times the number of code blocks with more than four duplicated lines in 2024 compared to 2023. Higher code duplication and reduced refactoring is generally seen as leading to higher maintenance costs, lower code readability and a wider proliferation of vulnerabilities. ⚠️

If this was heartening news for coders worried about being eclipsed and ultimately replaced by AI, then they will be further cheered by an admission by OpenAI researchers that 

even frontier models “are still unable to solve the majority” of coding tasks

, neither OpenAI’s o1 and GPT-4o models nor Anthropic’s Claude 3.5 Sonnet could match human devs in benchmarking tests around “resolving bugs and implementing fixes to them, or management tasks that saw the models trying to zoom out and make higher-level decisions”. 🧐

black-box nature of AI outputs is a problem for security researchers

 just as it is for developers. In ‘The Pitfalls of 'Security by Obscurity’ And What They Mean for Transparent AI’, 

researchers from New York University have argued

 that excessive (albeit partly understandable) secrecy about the inner workings of AI models is undermining security research, especially when their complexity makes transparency in this domain only more imperative. The researchers propose measures such as third-party audits, structured vulnerability disclosure programs, and the creation of shared benchmarks and datasets to evaluate AI safety and fairness. ⬛

AI also comes up (but of course it does!) in an interesting 

, but let’s take a break from AI and highlight another noteworthy quote from the Q&A: “My biggest challenge – but it also applies to all CSOs and CISOs – is being able to 

articulate what are technical attacks, technical vulnerabilities into business impact

,” Marnie Wilking told Infosecurity Magazine. “Being able to go back and forth and bridge that communication gap is a very important skill set but also a very difficult job. At the end of the day, what the leadership team wants to know, what we should be worried about is how it impacts our partners, our customers and our ability to deliver to customers.” 👨💼 (Incidentally, understanding the true business impact of vulnerabilities is a cornerstone of our own business model, to the end of prioritising the most critical bugs first, as our head of triage discussed in an 

 about YesWeHack’s in-house triage service).

“I’ve been watching the litigious world that we’re now in, and I’m not pleased at all,” said Kevin Winter, global CISO at Deloitte, in another illuminating interview. “I didn’t think it would go this direction,” he said, in relation to 

, which have introduced mandatory reporting of “material” cybersecurity incidents, and 

exposed CISOs to the risk of criminal liability

 for making the wrong calls over security incidents. ️⚖️ Winter featured alongside Richard Marcus, CISO at AuditBoard, in the 

CISOs will note with interest that any UK-based employees using iCloud will see their security protections reduced after Apple turned off end-to-end encryption for UK-based users on Friday. As reported by 

, called Advanced Data Protection (ADP), in response to British government requests for a backdoor, to assist with data retrieval related to criminal investigations. An Apple spokesperson said: “As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.” A former British government minister has 

 the security risks of users losing access to ADP. In contrast, Dr Joseph Lorenzo Hall, distinguished technologist at the Internet Society, was “

With spring on the horizon, our first conferences of the year are hoving into view. First up for the YesWeHack team is 

. Pitched by the organisers as “the most exclusive cybersecurity event in the world”, Next IT Security is a forum for meetingC-level cybersecurity decision-makers for a “day of expert-led discussions” about the most pressing cybersecurity challenges of the moment. Our very own Sam Lowe and Jan Nieminen will be in attendance to discuss the benefits of crowdsourced security, including during a five-minute ‘Fire Starter’ session at 10:50am.

) to demo the YesWeHack platform and field questions about Bug Bounty and vulnerability management, as well as to hand out some swag. If you want to find out more about how to strengthen your security posture cost-effectively, you can find us on booth D1. The organisers are expecting 20,000 visitors from 103 countries for the 17th edition, whose theme is ‘zero trust’.

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

Junior devs ‘can’t actually code’, AI coding risks, security researchers decry inscrutable AI – OffSec roundup for CISOs

Ever wondered whether you ever missed a hidden subdomain that would have unlocked a critical vulnerability and a large bounty reward?

In this article, you will discover how cutting-edge subdomain enumeration techniques, both passive and active, can reveal the unseen corners of your target’s infrastructure.

We’ll explain the advantages of various techniques, recommend enumeration tools for executing them, and show you how to implement these techniques, supported by illustrative examples performed on a real public bug bounty program (that of 

When Bug Bounty hunting or conducting a pentest, subdomain enumeration is a crucial first reconnaissance step before you actually start hacking – maximising the exposed attack surface and therefore your chances of finding vulnerabilities.

Enumerate subdomains using public databases

Using Google dorking to enumerate subdomains

Performing HTTP probes on collected domains

Subdomain enumeration is a technique for collecting subdomains from a domain owned by the program you are testing. The goal is to enumerate as many assets from the program as possible, to gain an understanding of total attack surface and how the infrastructure works. Once you’ve collected all these subdomains, it's easier to scale up your attacks and achieve better results.

Passive subdomain enumeration is an efficient way to collect information about a target without directly interacting with it. The passive enumeration process analyses publicly available data or third-party resources – such as DNS records, SSL/TLS certificate logs or web archives like 

 – to find subdomains. This will allow us to gather historic data without generating suspicious traffic to our target.

The most common, and one of the most effective, techniques for enumerating subdomains is by using third-party subdomain enumeration scanners that rely on passive enumeration of third-party databases. Tools such as 

 can quickly search vast repositories of DNS information.

This technique works so well is because you are aggregating subdomains collected from multiple databases over a long period of time. By broadening your asset discovery, you can get an extensive view of the target’s digital footprint from the outset – encompassing assets that traditional forms of active scanning might miss.

Censys offers the ability to search within its database for subdomains and other juicy information about the target infrastructure. As you can see below, we have performed a simple query that contains a couple of domains of our target. Censys then provides us with subdomains and other useful information.

You can perform a similar technique with Shodan to dig even deeper into your target’s infrastructure. Since Shodan details exposed services associated with indexed subdomains – such as open ports, misconfigured servers or publicly accessible APIs – it can help you focus on attack vectors with a higher risk profile. Here's our Shodan query and the results:

You can find subdomains even more rapidly by using subdomain enumeration tools that query a much wider range of public databases.

, offers versatile output formatting capabilities that streamline the analysis workflow. As a result, researchers can easily integrate results into other security tools or create detailed reports.

Subfinder uses the following databases to search for the subdomains of a domain:

 as the hostname and outputs the result to a JSON file, followed by the results generated:

Another great tool for performing subdomain enumeration is 

, Amass can perform external asset discovery by combining open source intelligence (OSINT) with active reconnaissance techniques. This utility's strength lies in correlating data from diverse sources, which is crucial for building an accurate picture of the target’s attack surface.

Amass uses the following databases to search for the subdomains of a given domain​:

This Amass command (which is followed by the results generated) uses the 

, outputs the result to a file for later use, and sets a timeout of 12 seconds.

We then output the file in a JSON format because it preserves information about where the subdomains were discovered, and allows us to seamlessly insert this data into a database for future use. This structured approach is essential for analysis and for linking reconnaissance data with further testing steps.

RELATED RECON TIPS: Discover and Map Hidden Endpoints and Parameters

Google dorking (aka Google hacking) is an advanced way to perform queries on Google’s search engine. The power of this method lies in how it taps into Google's incomparably vast index of domains. Although Google's captcha protections make this technique trickier to automate, Google dorking remains a potent tool since it can surface active subdomains missed by automated tools.

Google's advanced search operators enable precise subdomain discovery through targeted queries such as '

The google dork below searches for all known subdomains of 

, within Google’s database. The subsequent screenshot shows how it helped us discover several subdomains of our target domain:

subdomain enumeration involves interacting with the target itself in order to find all subdomains of the domain. This direct approach is necessary for uncovering any subdomains that are not publicly indexed, yet in active use. Methods such as brute-force attacks, virtual host (vhost) fuzzing and crawlers play a big role in this process.

While active enumeration might be essential for reconning comprehensively, it also carries the risk of getting the attacker or hunter blocked or generating false positive or false negative responses from web application firewalls (WAFs), bot protection mechanisms or other proxy services. 

Getting banned is especially likely if you perform a large number of requests in a short space of time, particularly when a bot protection mechanism is active across multiple domains that you are scanning. 

Being banned by a particular bot protection mechanism will most likely hamper your efforts to scan any other domains under its protection.

You can reduce the risk of being blocked by implementing rate limiting, using rotating proxies and adhering to 

 guidelines. If you're hunting on Bug Bounty scopes, be sure to follow the program's testing guidelines too. 

DNS brute-forcing, which is among the oldest and most popular techniques for subdomain enumeration, involves creating a wordlist of potential subdomain names and testing them against the target domain. This technique is invaluable because it systematically uncovers subdomains that may not be registered in public databases, thereby revealing hidden parts of the infrastructure. 

When a subdomain responds, it is likely a valid, newly discovered asset. If the domain has a wildcard configuration, additional filtering may be required for accurate results.

DNS brute-forcing is only as effective as the wordlist used. As well as a target domain, you need a wordlist covering an extensive range of permutations to successfully execute a brute-force attack. We recommend sourcing wordlists from 

As we can see above, our Gobuster scan uncovered a couple of related subdomains. To adapt enumeration to your target, you should create a custom wordlist by analysing patterns in subdomains discovered from third-party databases. These patterns typically reflect an organisation's naming conventions.

, you can further refine these patterns and generate additional subdomain variations. We can then perform a more optimised brute-force attack against our target domain.

Once you have a list of domains, we recommend fuzzing for virtual hosts (vhosts), which are domains that share the same IP as another domain on a web server. Vhosts can uncover hidden services sharing the same server, potentially exposing vulnerabilities in less secure subdomains. 

If a subdomain resolves to the same IP address as its parent domain, it may be part of a vhost setup, where multiple domains or subdomains share the same server but serve different content based on the Host header in HTTP requests.

Recommended tools with vhost-fuzzing capabilities include gobuster, 

. In the example below we’ve used Joohoi’s ffu to fuzz the hostname 

 for vhosts using a wordlist file with an easy-to-read CLI output:

In our example, we have performed fuzzing against the target domain (

) by sending requests with different subdomain names in the 

, using a wordlist of possible subdomain names. If we receive an unusual response, we have most likely discovered a new vhost for our target.

A reverse DNS (rDNS) lookup resolves an IP address to its associated domain name. This technique is essential because it can reveal domains that are not listed in public records. rDNS is particularly useful when investigating a range of IP targets. It exposes hidden domains associated with an IP address that might not appear in forward DNS lookups, thus broadening your domain reconnaissance.

 is a versatile DNS toolkit that can perform reverse DNS lookups and execute multiple probe types against both IP addresses and hostnames. Below we've executed a reverse DNS lookup on DnsX by querying PTR records against a list of IP addresses:

Web crawling is a powerful reconnaissance technique for discovering additional subdomains after initial enumeration. By analysing HTTP responses and the Document Object Model (DOM), crawlers can discover hidden API endpoints or internal subdomains.

 is a great tool for implementing advanced crawling techniques, such as passively collecting subdomains by analysing HTTP responses or from the DOM by running a headless browser.

To demonstrate the impressive power of this crawler, we simply navigate to the domain of our target – 

 – and see how many subdomains we can collect:

As you can see above, we collected a bunch of subdomains from a single domain visit. It’s typical to get such as positive result, because modern websites tend to use multiple API endpoints and microservices, each with their own dedicated subdomain.

HTTP probing filters out false positives from among your collected domains by determining which ones are actually running as web servers. This is necessary because it’s highly likely that at least some of your collected domains will not be active. 

We won't delve too deeply into this topic here, as it deserves its own dedicated article, which we plan to write in the future. However, we will cover the basics of performing HTTP probing on your collected domains.

To perform a HTTP probe, we first gather all collected domains into a single file. We then input this file into a HTTP probing tool, such as 

, to generate a list of domains that are running as web servers.

We can run a simple HTTP probe with httpx using the following command:

Or we can run httprobe with this command:

We’ve explained the benefits of various popular techniques, both passive and active, for performing subdomain enumeration. We’ve also recommended some subdomain discovery tools for implementing these techniques, along with practical examples of how to execute them on a real target.

Used in combination, these subdomain enumeration methods expose much larger attack surfaces than any techniques can discover alone. Establishing a strong baseline for your target in this way is a crucial early step in any pentest or bug bounty engagement.

Recon Series #2: Subdomain enumeration – expand attack surfaces with active, passive techniques

Interministerial Digital Directorate (DINUM)

, responsible for digital transformation across the French government, has announced updates to its Bug Bounty programs for Tchap, the secure instant messaging service for public administration, as well as FranceConnect, FranceConnect+, and ProConnect, the unified authentication system for public services and officials in France.

Operated in partnership with YesWeHack, these programs aim to enhance the security of these services by encouraging ethical hackers to report any vulnerabilities they discover.

As part of its information systems security (ISS) policy, the French government has implemented enhanced measures to address growing digital threats. This policy is accompanied by a significant increase in bounties offered by the Bug Bounty programs for Tchap, FranceConnect, FranceConnect+ and ProConnect, to encourage the rapid detection and remediation of vulnerabilities. By increasing the rewards, the goal is also to foster even greater participation from the ethical hacking community, working in the public interest.

The YesWeHack Blog

US House passes bill mandating vulnerability disclosure policies for federal contractors

US House passes bill mandating vulnerability disclosure policies for federal contractors

Dojo challenge #39 - Phishing winners & writeup

Junior devs ‘can’t actually code’, AI coding risks, security researchers decry inscrutable AI – OffSec roundup for CISOs

US House passes bill mandating vulnerability disclosure policies for federal contractors

Recon Series #2: Subdomain enumeration – expand attack surfaces with active, passive techniques

Bounty Grid Boost: Ethical Hackers Invited to Strengthen the Security of the French Government’s Digital Services

Top web hacking techniques of 2024, McDelivery hijack, 4D SOTA jailbreak – ethical hacker news roundup

Recon Series #2: Subdomain enumeration – expand attack surfaces with active, passive techniques

XSS attacks and exploitation: The ultimate guide to cross-site scripting

Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

CVE surge: Why the record rise in new vulnerabilities?

XSS attacks and exploitation: The ultimate guide to cross-site scripting

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us