Analyzing Cryptographic Vulnerabilities on HackerOne
Atefeh Fakhari, Seminar Software Composition, MCS 2020. Supervisor: Mohammadreza Hazhirpasand
1 Objective
We are interested in finding out what types of cryptographic vulnerabilities exist on HackerOne.
2 What is HackerOne?
Hacker finds a vulnerability -> Hacker submits it to the company via their Security page -> Company rewards the hacker
3 HackerOne
4 Data extraction with Python
5 Dataset
9311 Hacktivity
3160 Hackers
315 Companies
5,342,500
6 Top 20 hackers
Two charts: top hackers ranked by total money earned, and top hackers ranked by total number of bug reports. Each chart plots reward earned against number of bugs.
7 Top 20 companies
Company, number of bugs:
Mail.ru 684
HackerOne 433
U.S. Dept Of Defense 352
Shopify 335
Node.js third-party modules 291
Nextcloud 290
PHP (IBB) 251
Twitter 221
New Relic 195
Uber 187
Shopify-scripts 161
Legal Robot 154
GitLab 148
Weblate 139
Gratipay 136
VK.com 126
Starbucks 125
Zomato 114
Slack 110
LocalTapiola 105
8 Analyzing cryptographic vulnerability
9 Weaknesses
There are 121 unique weaknesses
10 Weaknesses
11 Crypto bug types
Crypto bug type, number of bugs:
Clear text transfer / Mixed content (https-http) 25
Certificate-related problems (validation, CAA, ...) 21
Weak crypto defaults / Default encryption password and salt 18
The POODLE attack 13
Side-channel attacks / Timing attacks 11
Secret key / Key disclosure / Hard-coded password / Session cookie disclosure 11
OpenSSL bugs 9
Cookie SSL flag / HTTP Strict Transport Security 9
Weak pseudo-random number generator 8
The Sweet32 attack 7
Key forgery / Signing issues / Signature verification 6
The BREACH attack 4
The DROWN attack 4
The padding oracle attack 4
Cross-site request forgery 3
SSL pinning 3
The BEAST attack 3
Reduced key size / permutation / key ID collision 3
Encryption without authentication 2
Insecure data storage 2
The FREAK attack 1
The SSL stripping attack 1
Divide-and-conquer session key recovery 1
The CBC cut-and-paste attack 1
The hash length extension attack 1
The chosen-ciphertext attack 1
The Invalid Curve attack 1
Heartbleed 1
Key poisoning 1
Dragonfly handshake of WPA3 1
The KRACK attack 1
12 Companies’ crypto bugs
Chart: number of crypto bugs (Series1) and money reward paid (Series2) per company; the one labeled value on the chart is a reward of 37,250.
13 Authentication bug types
14 Authentication bug types
Authentication bug type, number of bugs:
Bypassing authentication / Weak authorization 91
Weak password reset workflow 30
OAuth 29
Bypass Two Factor Authentication / Multi-Factor Authentication 20
Password policy mistakes 11
One-time password 8
JSON Web Token 3
Replay protection 3
Biometric 1
15 Companies’ authentication bugs
Chart: number of authentication bugs (Series2, Bug) and money paid (Series1, Money) per company; the labeled values on the chart are 10 and 55,600.
16 Summary