Analyzing Cryptographic Vulnerabilities on HackerOne

Atefeh Fakhari, Seminar Software Composition, MCS 2020. Supervisor: Mohammadreza Hazhirpasand

1 Objective

We want to find out which types of cryptographic vulnerability are reported on HackerOne, how often each type occurs, and which companies pay for them.

2 What is HackerOne?

A hacker finds a vulnerability, submits it to the company via the company's security page on HackerOne, and the company rewards the hacker.

3 HackerOne

4 Data extraction with python

5 Dataset

9311 Hacktivity

3160

315 Companies

5,342,500

6 Top 20 hackers

Two bar charts, each with reward earned on one axis and number of bug reports on the other: top 20 hackers ranked by total money earned, and top 20 hackers ranked by total number of bug reports.

7 Top 20 companies

Number of bugs per company (top 20):

Mail.ru: 684
HackerOne: 433
U.S. Dept Of Defense: 352
Shopify: 335
Node.js third-party modules: 291
Nextcloud: 290
PHP (IBB): 251
221
New Relic: 195
Uber: 187
Shopify-scripts: 161
Legal Robot: 154
GitLab: 148
Weblate: 139
Gratipay: 136
VK.com: 126
Starbucks: 125
Zomato: 114
Slack: 110
LocalTapiola: 105

8 Analyzing cryptographic vulnerability

9 Weaknesses

The dataset contains 121 unique weakness categories.

10 Weaknesses

11 Crypto bug types

Number of bugs per crypto bug type:

Clear text transfer / mixed content (HTTPS/HTTP): 25
Certificate-related problems (validation, CAA, ...): 21
Weak crypto defaults / default encryption password and salt: 18
The POODLE attack: 13
Side-channel attacks / timing attacks: 11
Secret key / key disclosure / hard-coded password / session cookie disclosure: 11
OpenSSL bugs: 9
Cookie Secure flag / HTTP Strict Transport Security: 9
Weak pseudo-random number generator: 8
The Sweet32 attack: 7
Key forgery / signing issues / signature verification: 6
The BREACH attack: 4
The DROWN attack: 4
The padding oracle attack: 4
Cross-site request forgery: 3
SSL pinning: 3
The BEAST attack: 3
Reduced key size / permutation / key ID collision: 3
Encryption without authentication: 2
Insecure data storage: 2
The FREAK attack: 1
The SSL stripping attack: 1
Divide-and-conquer session key recovery: 1
The CBC cut-and-paste attack: 1
The hash length extension attack: 1
The chosen-ciphertext attack: 1
The invalid curve attack: 1
(unlabeled): 1
Key poisoning: 1
Dragonfly handshake of WPA3: 1
The KRACK attack: 1

12 Companies' crypto bugs

Bar chart per company: number of crypto bugs (left axis, 0 to 30) and money paid for them (right axis, 0 to 40,000; highest value 37,250).
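The counting behind slides 4 to 7, 11 and 12 (dataset summary, top hackers, crypto bug types, crypto bugs per company), as an added example that is not the seminar's own extraction script. It assumes a Hacktivity export shaped as a JSON list with the fields hacker, company, bounty, weakness and title (an assumption; the real HackerOne API fields differ), and it sorts reports into the slide 11 categories with a keyword lookup, which is an assumed method, not the author's classifier. The records are constructed, not real disclosures.

```python
"""Aggregate a HackerOne-style Hacktivity export.

Added example. Field names and the keyword classifier are assumptions,
not the seminar's method or HackerOne's API.
"""
import json
from collections import Counter, defaultdict

# Constructed sample records (not real HackerOne disclosures).
SAMPLE_HACKTIVITY = json.dumps([
    {"id": 1, "hacker": "alice", "company": "ExampleCorp", "bounty": 500.0,
     "weakness": "Cleartext Transmission of Sensitive Information",
     "title": "Login form submitted over HTTP (mixed content)"},
    {"id": 2, "hacker": "bob", "company": "ExampleCorp", "bounty": 1500.0,
     "weakness": "Improper Certificate Validation",
     "title": "Mobile app accepts self-signed certificate"},
    {"id": 3, "hacker": "alice", "company": "ShopDemo", "bounty": 0.0,
     "weakness": "Use of a Broken or Risky Cryptographic Algorithm",
     "title": "TLS server vulnerable to POODLE (SSLv3 enabled)"},
    {"id": 4, "hacker": "carol", "company": "ShopDemo", "bounty": 250.0,
     "weakness": "Cross-Site Scripting (XSS)",
     "title": "Stored XSS in profile page"},
    {"id": 5, "hacker": "bob", "company": "MailDemo", "bounty": 2000.0,
     "weakness": "Use of a Broken or Risky Cryptographic Algorithm",
     "title": "3DES cipher suites allow Sweet32 attack"},
    {"id": 6, "hacker": "dave", "company": "MailDemo", "bounty": 300.0,
     "weakness": "Observable Timing Discrepancy",
     "title": "Timing attack on API token comparison"},
])

# Keyword -> crypto bug type from slide 11. Assumed mapping, checked in
# order; the first matching keyword wins, non-matches are not crypto bugs.
CRYPTO_KEYWORDS = [
    ("cleartext", "Clear text transfer / Mixed content"),
    ("mixed content", "Clear text transfer / Mixed content"),
    ("certificate", "Certificate related problems"),
    ("poodle", "The POODLE attack"),
    ("sweet32", "The Sweet32 attack"),
    ("timing", "Side channel attacks / Timing attacks"),
    ("padding oracle", "The padding oracle attack"),
    ("hsts", "Cookie SSL flag / HTTP Strict Transport Security"),
]


def load_reports(raw_json):
    """Parse the exported Hacktivity list (assumed JSON shape)."""
    return json.loads(raw_json)


def classify_crypto(report):
    """Return the crypto bug type for a report, or None if not a crypto bug."""
    text = (report["weakness"] + " " + report["title"]).lower()
    for keyword, bug_type in CRYPTO_KEYWORDS:
        if keyword in text:
            return bug_type
    return None


def summarize(reports):
    """Dataset summary as on slide 5: reports, hackers, companies, total bounty."""
    return {
        "reports": len(reports),
        "hackers": len({r["hacker"] for r in reports}),
        "companies": len({r["company"] for r in reports}),
        "total_bounty": sum(r["bounty"] for r in reports),
    }


def top_hackers(reports, n=20):
    """Hackers ranked by total money earned, as on slide 6."""
    earned = Counter()
    for r in reports:
        earned[r["hacker"]] += r["bounty"]
    return earned.most_common(n)


def crypto_bug_types(reports):
    """Count of reports per crypto bug type, as on slide 11."""
    return Counter(t for t in map(classify_crypto, reports) if t)


def crypto_bugs_per_company(reports):
    """Crypto bug count and money paid per company, as on slide 12."""
    per_company = defaultdict(lambda: {"bugs": 0, "paid": 0.0})
    for r in reports:
        if classify_crypto(r) is None:
            continue
        per_company[r["company"]]["bugs"] += 1
        per_company[r["company"]]["paid"] += r["bounty"]
    return dict(per_company)


if __name__ == "__main__":
    reports = load_reports(SAMPLE_HACKTIVITY)
    print(summarize(reports))
    print(top_hackers(reports))
    print(crypto_bug_types(reports))
    print(crypto_bugs_per_company(reports))
```

On the constructed records the XSS report is left out of every crypto count, and MailDemo ends up with two crypto bugs and 2,300 paid; with a real export the keyword list is the part to refine, since one report can mention several categories and only the first keyword hit is kept.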

13 Authentication bug types

14 Authentication bug types

Number of bugs per authentication bug type:

Bypassing authentication / weak authorization: 91
Weak password reset workflow: 30
OAuth: 29
Bypass of two-factor / multi-factor authentication: 20
Password policy mistakes: 11
One-time password: 8
JSON Web Token: 3
Replay protection: 3
Biometric: 1

15 Companies' authentication bugs

Bar chart per company: number of authentication bugs (left axis, 0 to 10) and money paid for them (right axis, 0 to 60,000; highest value 55,600).

16 Summary
