Automated Monitoring + Time = Bug, the bug on HackerOne Target (8×8)

Post image

Hi there,

In this article, I will discuss how my automation machine found a bug in one of the HackerOne programs. Since the program is public and the report is also disclosed, I will here are basic info:-

Program name: 8x8 (and yes, they have VDP + BBP as well)
Scope: *.8x8.com

Backstory

If you don’t know, I am a high school student (when the bug was found + at the time of writing this article), so it becomes difficult to manage hacking and my school. So the only option I had was to set up an automation machine that would do some basic things. So the basic concept was to gather subdomains as much as possible and run nuclei on them. This was done on a regular basis, on a Raspberry Pi.

The simple algorithm is to collect as many subdomains/hosts as possible, and then run nuclei on them.

Note that since this is an automation, I don’t have to wait for it to finish so it can take as much time as it will. This means you can run subdomain enumeration, generate a permutations list, and then brute-force them. A port scan is also a thing.

I’ve built it in whatever time I got, and now it has more than 5000 URLs to scan and more are being added daily with the help of subdomain enumeration.

Also, all these are interdependent, which means the output of one can be the input of the other.

The Bug

One day, when I saw the updates of the bot in the morning, I noticed that my bot had detected a directory listing bug from the custom nuclei template I made. The template was very simple, it will simply detect “Index of /” in the response. Also, it had multiple URL paths, which I gathered by manually visiting disclosed reports, write-ups, etc.

If you want to read the disclosed report, you can read it at https://hackerone.com/reports/1825472

I simply verified it, all with the help of my smartphone, and even reported it with the help of a mobile.

After a few days, the bug was simply resolved and disclosed 🙂

Some takeaways

  • Getting bugs from default templates is also possible if there’s a good list of URLs (though mine is a custom template, but I guess many people must be using the same)

  • Enumerating tools daily on a large scale helps.

  • Time matters. The longer you’ll run the automation, the higher the chances of getting a bug.

But still after all, remaining dependent is not good. I saw one of the videos of Nahamsec (I quit recon), and got a few bugs.

Though automation can make lengthy tasks easier, it can’t 100% replace manual testing

I hope that you found this one informative. See you next time 😉