Our client, a global luxury goods company, was faced with a challenge common to many CISOs over the world. The client was facing a massive increase in cyberattacks (more than one million in the last nine months), mainly due to their increased digitisation. This digital strategy encompasses more than a billion web pages, an expansion to the cloud, the opening of their information systems, and an increased use of APIs – all supported by agile development with continuous integration.

With digital change happening all around, there needed to be a parallel upgrade in security. The company realised the need for a modern, efficient security solution, better suited to their cybersecurity challenges. With new releases occurring every 15 days, that new model needed to be agile, innovative, and effective. It was time for change and progress. Following consultation with various service providers, this world-renowned luxury brand chose 

 to help implement a crowdsourced security strategy and launch their Bug Bounty programs.

This is their story: How the crowdsourced security strategy started, how it evolved, and what the future holds.


• Rapid revenue growth from digital channels
• Surge in cyber attacks in the last nine months


• Scale agile framework
• A DevSecOps platform
• A global 24/7 SOC team


• Align security with agile development and bi-monthly releases
• Audits may last up to a month but still don’t go “deep enough”
• “Wild” vulnerability submissions through various channels


• YesWeHack Private Bug Bounty program
• Deployment of a VDP with YesWeHack to follow




Our client began by launching two private Bug Bounty programs: one dedicated to their scopes in China and APAC, which feature dedicated infrastructures; the other focused on the ‘rest of the world’. Their scope included a dozen URLs, several applications, and a few back-end APIs. In terms of budget and rewards, our client accepted YesWeHack’s recommendation to start small with a rewards budget of €15,000. They also concurred with our suggestion of rewards ranging from €100 to €1000 for a report.

“Unlike what U.S. providers will tell you, it is possible to begin a Bug Bounty program on a small budget.” 

Customer’s tips: Leverage YesWeHack’s expertise and advice to determine your perimeter and reward grid.

For its scopes in China, our client needed local researchers that could read Mandarin. These researchers also needed knowledge of the country’s local customs, owing to the specific nature of the applications, the unique approach to trading and buying, and the different tools compared to those used in Europe and the U.S. YesWeHack connected the client a team of researchers that matched these expectations.

 Customer’s tips: Ask YesWeHack for help in selecting your first round of researchers.

The first report arrived within 30 minutes of the program opening. After only four hours, more than eight reports had been submitted, including one critical and two high-level vulnerabilities.

💡 Customer’s tips: Do not launch your Bug Bounty program in the early evening if you want to sleep at night!


 Customer’s tips: Be responsive. If you want researchers to be involved and stay active on your program, you need to respond quickly. Our goal is to have researchers’ reports processed within three days.

To ensure vulnerability reports are shared quickly and reliably between researchers and development teams, our client uses the JIRA connector provided by YesWeHack. This way, tickets can be sent directly to the teams, facilitating remediation. Learn more about how YesWeHack’s bug tracking integration solution contributes to smarter DevSecOps communication and collaboration 

Two months on from the launch of Bug Bounty, approximately 30 reports have been submitted and 60% have been corrected. This first glimpse of the Bug Bounty model enabled our customer to realise the extent of the flaws in their infrastructure – especially in China.

“We undertook significant penetration testing within our Chinese infrastructure. But they never uncovered the critical vulnerabilities surfaced by our Bug Bounty program.” 

Now that our client has a clear understanding of how a Bug Bounty program works, the team has decided to expand its scope, increase the rewards, and invite new researchers. At YesWeHack, we always advise our clients to start small and grow step-by-step. This first phase is essential to understand how researchers work and how they think, but also how to deal with reports without being overwhelmed.

As a world-renowned luxury brand, our client receives wild reports on a regular basis, through various communication channels such as the service centre, mailings, and social networks. This makes it difficult to centralise everything, forward it to the right people, and treat it with the necessary severity.

To better manage these reports, our client is setting up a 

(VDP) with the help of YesWeHack. This allows them to:

Centralise requests, ensuring they are sent to the right stakeholder internally.

Reduce “noise”: indeed, submissions will be completed by researchers using a dedicated and detailed online form.

Standardise reporting formats between the VDP and the Bug Bounty program – streamlining internal processes and enabling automation at scale

Interested in a demo or you want to discuss crowdsourced security with our experts?

Founded in 2015, YesWeHack is a Global Bug Bounty & VDP Platform.


YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cybersecurity experts (ethical hackers) across 170 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.YesWeHack runs private (invitation based only) programs and public programs for hundreds of organizations worldwide in compliance with the strictest European regulations.

In addition to the Bug Bounty platform, YesWeHack also offers: support in creating a 

, a learning platform for ethical hackers called 

 and a training platform for educational institutions, 

How a world-renowned luxury brand implemented a crowdsourced security strategy

 and general security testing. Given the wide range of available plugins, we have launched a series called “PimpMyBurp” to present our selection of Burp Suite extensions.

These last few weeks, we have selected 17 Burp Suite addons that caught our attention and certainly deserve yours. Let’s be honest: these extensions will not do everything for you, nor will they make you rich in the blink of an eye. However, those will certainly make your daily life as a Bug Hunter (so much) easier, especially because they are really convenient! Many of them can be used to do some one-click actions such as sending requests to FUFF or SQLmap directly, analysing Javascript… and more.

The following extensions are all very useful and complementary, so we decided to cover those in a single dedicated article rather than detailing each one separately. If you think I’ve forgotten some essential addons (and I probably did) feel free to 

👇 Addons to write your requests faster

BurpSuiteAutoCompletion & HopLa: autocompletion for headers & payloads

These two plugins are very similar but both helps when you want tosave time writing requests and crafting payloads and headers more easily. 

was the first addon (if I remember correctly) to integrate autocompletion for headers in Repeater tab and Intruder too. A few days ago, a new plugin (inspired by BurpSuiteAutoCompletion) has been released by Synacktiv. Called 

, this extension also add autocompletion for payloads.

https://github.com/Static-Flow/BurpSuiteAutoCompletion

Writing GraphQL requestcan be challenging, even more when you have mutations. In my last article 

, I told you about InQL, and it is thus quite naturally that this extension finds its place here. InQL allows you to perform Introspection, and if it’s available, you will have all Mutations and Query integrated in Burp Suite. You can then define a specific authorization header and it’s also possible to use a local web interface to build your GraphQL requests.

👇 Addons to (help you) find vulnerabilities (JWT, SSRF…)

Collaborator Everywhere: adding BurpCollaborator headers in your requests

Collaborator Everywhere is a simple but useful burp extension dedicated to SSRF vulnerabilities research. This addon, developed by James Kettle (aka Albinowax) will inject “non-invasive” headers, designed to reveal backend systems by causing pingbacks to Burp Collaborator.

To help efficiently triage pingbacks I wrote Collaborator Everywhere, a simple Burp extension that injects payloads containing unique identifiers into all proxied traffic, and uses these to automatically correlate pingbacks with the corresponding attacks.

https://github.com/portswigger/collaborator-everywhere

More and more web apps are using AES encryption (mobile application principally) but Burp can’t decrypt thid traffic easily. This extension will help you do the job. You still need to have a 

 which means you need to make little reverse on your target first.

HTTP Methods Discloser: list all HTTP methods available on your target

GET, POST, PATCH, PUT, DELETE… Do you test all methods every time on all your requests? 

can do it for you and can help you find hidden methods. Very useful on API endpoints, sometimes vulnerabilities occur by using a different method like PUT instead of PATCH thus allowing to bypass 403 status.

https://github.com/xxux11/http-methods-discloser

JWT4B: cracking JWT has never been easier

 is a common authentication method, which can come with various known problems if not properly implemented. “None” algo flaw, weak security key on HS256… 

will add a new feature to read JWT and help you identify potential flaws.

403Bypasser: bypass restricted directory with multiple payloads

Any hacker know when a server respond with a status code “403 Forbidden” for a directory, this means “

you should try to bypass this restriction

to detect the 403 status code and find a workaround on your target.

https://github.com/sting8k/BurpSuite_403Bypasser

👇 Addons to pair Burp Suite with other tools

BC2Telegram : send burp collaborator notification in Telegram

It’s all in the title, this extension allow you to combine Burp Collaborator and Telegram to receive notification directly on this messenger application. Simple but effective.

Burp Copy As FFUF: copy your requests to use it with FFUF

FFUF is used by many people for enumerating files and directories (myself included) and coupled with Burp Suite, these tools can be very effective for recon. With 

 you can create a default template to generate a specific query to use with FFUF, directly from Burp Suite with one click.

https://github.com/d3k4z/burp-copy-as-ffuf

Burp-Send-To: adds a customizable “Send to…” context-menu to use with (SQLmap, WPscan, Nikto)

Burp is probably not the only tool you use for your hunting sessions. If you use other tools like SQLMap or your own custom scripts, this 

 extension could be useful to add a little more automation when you want to export your query in ready-to-use mode. There are a lot of possibilities to customize and prepare your templates for export.

👇 Addons to enhance Burp (repeater, intruder, collaborator…)

Stepper: create sequences of steps in repeater

lets you create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps. For example, your target require multiple steps to authenticate (login form > 302 redirect > JWT in response), you can use Stepper to automatically extract the JWT and reuse it after.

Burp Repeater Tab Highlighter Javas: highlight Repeater tabs in different colors and fonts

After 24 hours of hunting, your repeater tab can be huge and it’s not always easy to find the right tab with the right payload and you kind of get into this situation of, “

So, not this one with the old session cookie, the new one, but with the JSON content-type, yeah, this one. Oh no, not the 70… the 59 maybe… Oh no. Damn, it was tab number 41

“. You know what I mean? 😉 Adding colors to the title of your tabs can therefore be useful and help you to quickly identify the right tab for the right test.

https://github.com/b4dpxl/Burp-Repeater-Tab-Highlighter-Java

ReshaperForBurp: IFTTT for Burp Suite (IF This Then That)

Do you know IFTTT? It’s a useful service to create applets with conditional triggers. Who would not like to do the same on Burp? This is what the 

extension offers. Many examples are available on the GitHub repository, feel free to use them as an inspiration!

https://github.com/synfron/ReshaperForBurp

Burp Scope Monitor: monitor and keep track of tested endpoints

When you are facing a big target, it’s hard to keep the books and have a clear view of what you have already tested, which endpoint you have tried to broke and which endpoints you need to test yet. 

 could help you organize your recon process with a dedicated tab where each endpoint can be marked as analyzed or not.

https://github.com/Regala/burp-scope-monitor

Domain hunter Pro: a recon tool embarked in Burp Suite (subdomain enumeration, crawl, retrieving page titles, status code…)

Recon is part of a global bug hunter routine and many external services, tools and scripts exist to do this. The extension 

 could help you identify new assets, directly in Burp Suite. The tool is rather comprehensive and offers numerous options to search all corners of your target.

https://github.com/bit4woo/domain_hunter_pro

Source-Mapper: analyze source map files and extract the source code

JavaScript Source Map files are debugging files containing the original & uncompressed source code of the deployed JavaScript code. These files can contain sensitive data and could be very useful for effective reconnaissance to gather new information about your target. 

and analyze them in an attempt to extract the source code.

https://github.com/lachlan2k/source-mapper

PimpMyBurp #4: Burp Suite extensions that should get your attention!

File upload is one of the most common functionalities application has to offer. This functionality, however, is implemented in many different forms based on the application’s use case. While some applications only allow uploading a profile picture and support only image-related extensions, on the other hand, some applications support other extensions based on their business case. Storing and retrieving these files on the server-side is again a huge task and required to be handled with caution.

Due to the involved complexity and level of caution that is required to implement a file upload functionality, this becomes one of the interesting attack vectors and can open doors to multiple critical security vulnerabilities such as Remote Code Execution. In this blog series, we will be focusing on various File Upload Attacks, Bypasses, and some robust mitigation around them from both an attacker’s well a defender’s perspective.

In the first part of the file upload attack series

we will look at an attack surface that one gets when there’s a file upload functionality and we will focus on some of the interesting file upload attacks.

The below mindmap gives a picture of various attacks that are possible when an application implements File Upload Functionality. This series of blogs will be based on this mindmap itself.

One of the most interesting attacks that come into mind whenever there is a file upload functionality is Remote Code Execution. There are several ways to execute a code execution with malicious files, one of the most common is to upload a shell and gain further access.

Let’s assume a scenario where a PHP based application provides a file upload functionality and stores the files as it is on the server which can later be accessed.

In order to achieve remote code execution, one can try the following steps:

Create a PHP shell or use an existing shell.

Upload the shell (bypassing restrictions, if any)

After successful upload, navigate to the shell path, for example, https://testweb.com/files/shell.php to see if it is accessible.

If the shell is accessible, based on how the shell gets executed, attempt for the shell execution, for example, https://testweb.com/files/shell.php?cmd=whoami

We will talk about the file upload bypass techniques in the next part of the file upload attack series.

ZipSlip attack is an interesting attack vector that can be tested when the application accepts archives in file upload functionality and later unarchive it for further processing.

: Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal, and many more.

https://github.com/snyk/zip-slip-vulnerability

 contains all the information about this attack such as the affected libraries, projects, and other relative information.

To check for this issue, one can follow below simple steps:

Create a malicious file using this tool: 

Upload the malicious file to the archive upload functionality and observe how the application responds.

File overwrite is an interesting attack during the file upload when a user can control and arbitrarily set the path where the file should be stored. This can be considered similar to the Zip Slip and Path Traversal attack but assuming the scenario where it is possible to directly upload a file and change its path to overwrite an existing system file, this is kept as a separate issue.

Navigate to the file upload functionality and upload this file while capturing the request with Burp Suite.

3. Now modify this request by changing the 

4. If the upload is successful, refresh the application and observe if there’s any misbehavior or crashes to confirm the vulnerability.

This attack may look similar to the attack mentioned above, i.e. File Overwrite attack, however, in this scenario we are assuming that 

it is not possible to overwrite a system file due to implemented checks that can not be bypassed. 

In this situation, we will attempt to create a file, outside the intended directory that may allow an attacker to injection malicious files, cause misbehavior in the application, or other security implications.

Navigate to the file upload functionality and upload a file while capturing the request with Burp Suite.
[Assume that the application stores files in the following directory: testweb.com/files/external/upload/folder/test/<uploaded_file>

2. Now modify this request by changing the 

3. If the upload is successful, try to access the file outside the expected directory and if it is possible to access the file, it can further be used to perform other attacks.

Often there is a size restriction associated with the File Upload functionality that may range from 5 MB to 200 MB or even smaller/larger depending upon the application logic. However, in certain situations, if this limit is not defined or the proper validation checks are not present, it may allow an attacker to upload a file with a relatively large size resulting in resource consumption that may lead to a Denial of Service situation.

Create a file that is larger in the size than defined upper limit. For example, an image file having a 500 MB file size.

Now, upload the file, and if the application accepts the file and starts processing it, browser the application from another device to see if there’s any sluggish behavior or connectivity error.

As we have observed so far that the file upload functionality is really interesting and can lead to multiple security vulnerabilities. It is possible to test for Server-Side Injection attacks such as SQL Injection, Command Injection, or others using the File Upload feature.

The most unnoticed or ignored method is to test the 

for testing server-side injection vulnerabilities. When the application is unsafely handling the uploaded file, storing or processing it on the server-side, a malformed filename containing some payload may get executed and result in a server-side injection vulnerability.

Let’s assume an application with file upload functionality is having the following request structure.

2. Now, it is possible to modify this request’s 

parameter and use the server-side injection payload at 

png position for multiple attack scenarios like below:

Similarly, this can also be tested for the Client-Side Injection issues like Cross-Site Scripting, which we will discuss in detail in the next part of this blog series.

 or simply put, let’s say you have clicked a picture using a Digital Camera, when this image is processed and saved on the storage device, some properties are added to the file such as 

and other information as applicable to describe the image’s information. This is basically data about data or our friend 

One of the simplest and most discovered metadata leakage issues is in the Image Upload Functionalities. This issue is more commonly known as 

EXIF Metadata Leakage/Information Disclosure. 

However, the Metadata Leakage is not just limited to images but can be found in other file formats such as 

For this blog series and to gain understanding, let’s look at how to identify the EXIF metadata leakage in the image upload functionalities.

First of all, it is essential to understand that not all image upload EXIF leakage is considered sensitive. If there is a user profile picture or private pictures that an attacker can access and enumerate the EXIF metadata such as Location, Device Information, etc. it can be of low impact issue.

Navigate to the https://testweb.com/user/12345 and right-click on the Profile Picture and copy the 

 to check the image for EXIF data leakage.

For testing purpose, the following GitHub Repository can be used to find images having EXIF Metadata: 

ImageTragik Attack // ImageMagick Library Attacks

ImageMagick is one of the widely used packages by the web applications to process images. However, security researchers identified multiple loopholes in this library, one of which leads to Remote Code Execution when a malicious user-submitted image is processed by the application using vulnerable ImageMagick Library.

There are multiple interesting CVEs that have public exploits available and can be tested against the target. A detailed vulnerability analysis along with the exploitation for these issues is available 

CVE-2016–3714 — Insufficient shell characters filtering leading to (potentially remote) code execution

To check for this issue, one can follow the below steps [Assuming the ImageMagick Library is in use]:

Craft a malformed exploit.svg a file like this:

2. Upload this file using the upload functionality.

3. At the back, the ImageMagick library will try to process the file by running convert exploit.svg exploit.png and during this, the command defined in the exploit.svg i.e. ls -la will be executed.

Similarly, the other vulnerabilities can also be exploited and a great explanation is available 

This is all for the Part-1 of File Upload attack series and we hope you enjoyed reading & learned something new that will help in your bug hunting journey. Stay tuned for Part-2 of the File Upload attack series for more interesting attack vectors. Happy Hacking!

File Upload Attacks (Part 1)

 the first version of our Burp Suite extension called “YesWeBurp”. As you probably know (or not) this extension developed in Python is dedicated to use it with our platform and is useful to fetch all programs (public & private), rules, scope, user-agent and more. This extension was nice but because we’ve launched a new series called “HowTo” on 

how to write a Burp Suite extension in Kotlin

, we’ve also decided to completely redevelop YesWeBurp.

The previous version of YesWeBurp was developed in Python. It’s a great language, but not really optimized to write a perfect Burp add-on. By using Kotlin, it’s like using a “native” language to works with Burp Suite and allows us to interact and use the full power of the tool.

TL;DR: This new version of our extension is harder, better, faster than the previous (really!).

tab you can set your credentials. If OTP is activated on your account (and it is strongly recommended), you can enter your OTP, and click on 

. Once you are logged in, the programs remain visible until Burp is closed.

If everything is okay, you should see a new tab called “

” which contains the full list of public and also private programs (in orange) you have access.

When you click on a program, all the information are displayed in different tabs:

In the top right-hand corner there is a “

” button. If you click on it, a new window with the scope information will open:

Each line can be modified (in case of regex is not properly defined) before to be added to scope. Once you have selected the scopes, you can add them to your burp by clicking on the button “

“. If a program asks to define a specific User-Agent, you can also modify and add it by clicking on the button “

If you want to install this new version of YesWeBurp 2.0, a version 

is already available on our GitHub repository

 and soon it will also be available on the BApp Store.

YesWeBurp 2.0 : A new version of our Burp Suite extension is available

YESWEHACK PROPHILE ON S5S

 has received the “Cybersecurity Made in Europe” mark after meeting the requirements outlined by the 

European Cyber Security Organisation (ECSO)

. The label is delivered throughout Europe via ECSO’s approved partners. In France, the label is issued by the 

label recognises cybersecurity companies from the European Union (EU27), European Free Trade Association (EFTA) and European Economic Area (EEA) countries, as well as from the United Kingdom (UK), based on the evaluation according to the following criteria:

Trustworthy cybersecurity (ICT) products and services: 

the requirements include compliance with 

‘s “Indispensable baseline security requirements for the secure ICT products and services”.

“We are proud to count YesWeHack among the first recipients of the Cybersecurity Made in Europe Label which promotes European cybersecurity companies by providing them visibility among business partners, end users and investors. YesWeHack is among the fastest growing French cybersecurity companies and is one of Europe’s key player in ethical hacking developing its business across the globe based on trusted European values” says 

, ECSO’s founder and Secretary General.

“YesWeHack is really proud to be recognized with this label by ECSO. This award further acknowledges our commitment to providing trustworthy cybersecurity products and services in compliance with strict European data and privacy regulations” says 

Confidentiality, sovereignty and data privacy are indeed at the heart of YesWeHack’s business from the beginnings:

Our platform complies with European security, financial traceability and privacy requirements – the strictest worldwide, especially those relating to personal data (

Our data is stored in the European Union, and is immune to non-European policies.

Our infrastructure is hosted on a private and sovereign cloud (European headquarters and location), meeting the strictest security requirements (ISO 27001, CSA STAR, SOC I/II type 2 & PCI DSS certified).

European Cyber Security Organisation (ECSO) is a non-for-profit organisation, established in 2016. ECSO unites more than 260 European cybersecurity stakeholders, including large companies, SMEs and startups, research centres, universities, end-users, operators, associations, as well as regional and national administrations. ECSO works with its members and partners to develop a competitive European cybersecurity ecosystem providing trusted cybersecurity solutions and advancing Europe’s cybersecurity posture and its technological independence.

Founded in 2015, YesWeHack is the #1 European Bug Bounty & VDP Platform.
YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting tens of thousands cybersecurity experts (ethical hackers) across 170 countries with organizations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices. YesWeHack runs private (invitation based only) programs and public programs for hundreds of organizations worldwide in compliance with the strictest European regulations.

Eager to know more about YesWeHack’s crowdsourced security platform? Drop us a line and one of our experts will get back to you!

YesWeHack has received the “Cybersecurity Made in Europe” label issued by ECSO

 was on finding a way to create a valid prototype pollution payload to exploit SSRF and retrieve a secret flag.

We are glad to announce the #9 DOJO Challenge winners list.

The FIRST and 4 best quality write-up reports

 feeds to be notified of the upcoming challenges.

The YesWeHack Blog

How a world-renowned luxury brand implemented a crowdsourced security strategy

PimpMyBurp #4: Burp Suite extensions that should get your attention!

File Upload Attacks (Part 1)

How a world-renowned luxury brand implemented a crowdsourced security strategy

YesWeBurp 2.0 : A new version of our Burp Suite extension is available

YESWEHACK PROPHILE ON S5S

YesWeHack has received the “Cybersecurity Made in Europe” label issued by ECSO

YesWeBurp 2.0 : A new version of our Burp Suite extension is available

DOJO CHALLENGE #9 Winners!

How-To: Learn how to write a Burp Suite extension in Kotlin – Setting up

Swiss Post launches public Bug Bounty program with YesWeHack

DOJO CHALLENGE #9 Winners!

Don't wait for threats to strike

Produits

Chercheurs

Ressources

A propos

Suivez-nous