bug: Rengine not able to display hackerone scope properly. #1437

Open
1 task done
r3dpars3c opened this issue Sep 12, 2024 · 9 comments · May be fixed by #1440
Labels
bug Something isn't working release/2.2.1

Comments

@r3dpars3c

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

  1. When we head to Bounty-Hub and hackerone and then the Program dashboard
    1. Select any program and check the scope
  2. Many scopes are missing on rengine while being correctly displayed on hackerone.
  3. This leads to missing many scopes.

Expected Behavior

All scopes on hackerone must be visible across both platforms.

Steps To Reproduce

As described above

Environment

Latest

Anything else?

No response

@r3dpars3c r3dpars3c added the bug Something isn't working label Sep 12, 2024
Contributor

Hey @r3dpars3c! 👋 Thanks for flagging this bug! 🐛🔍

You're our superhero bug hunter! 🦸‍♂️🦸‍♀️ Before we suit up to squash this bug, could you please:

📚 Double-check our documentation: https://rengine.wiki
🕵️ Make sure it's not a known issue
📝 Provide all the juicy details about this sneaky bug

Once again - thanks for your vigilance! 🛠️🚀

@yogeshojha
Owner

Hi @r3dpars3c

The scopes are provided by the hackerone API; we do filtering though for the scopes we support. But can you give some program name whose scopes don't match? I will verify.

@r3dpars3c
Author

I mainly check private hackerone programs.
I found the issue but I can't fix it myself.
What has happened is this:
Some programs display valid in-scope assets as other rather than pre-classified [domain or wildcard].
The way rengine has been developed, it checks the hackerone response to distinguish whether the asset or scope is wildcard or domain.
This leads to missing many assets because sometimes those in-scope valid assets are classified as other.
This needs to be fixed urgently as we might be missing many potential targets.

Hope this gets fixed sooner as I am running an expensive VPS.
Can't lose more money waiting for updates.

Thanks
Best Regards

@yogeshojha
Owner

Hi @r3dpars3c we do consider OTHER assets as well. Probably the response format is different from what I expected.

If you have time, can you please use Postman and send a request to the hackerone API https://api.hackerone.com/v1/hackers/programs/{program_handle}; check the hackerone docs to see how to send the API key as an auth param.

Please redact any sensitive information, but I would like to see the response and asset format.

You can mail me at yogesh.ojha11@gmail.com if you wish not to share it here as it's a private program.

@r3dpars3c
Author

I checked the rengine code but couldn't find the Other asset type.
Check these files.

ALLOWED_ASSET_TYPES = ["WILDCARD", "DOMAIN", "IP_ADDRESS", "CIDR", "URL"]

WILDCARD: [], DOMAIN: [], IP_ADDRESS: [], CIDR: [], URL: []

I think the proper fix would be to add Other entries as well.

@r3dpars3c
Author

You can try this program:
https://hackerone.com/capital-one-bounty/policy_scopes

as my private program has a similar one to this public program.

@yogeshojha
Owner

Aaahah, thank you for pointing it out, my mistake, I missed the OTHERS. Sending a PR, please test it out.

@yogeshojha
Owner

@r3dpars3c please test this out if you have time

#1440

make down
git fetch
git checkout 1437-bug-rengine-not-able-to-display-hackerone-scope-properly
make build && make up

Since I have introduced a new util function that uses a regex to check whether an asset is supported by reNgine or not, please test it out against different targets to see if importing works better.

On the UI as well you should be able to see the assets under the OTHER section.


If everything looks good, let me know and I will merge the changes.

@r3dpars3c
Author

Hi @yogeshojha
I found the following behavior even after git fetch.

  1. The other scopes are working properly.
  2. But the wildcard and domain aren't working properly.
  3. Assets in the instruction section still get missed; check this program https://hackerone.com/spotify/policy_scopes

#Suggestion.

  1. Import whatever scopes [asset_identifier and instruction sections] are eligible for bounty.
  2. Check whether they contain a domain or not.
  3. If they contain the data, classify them as Wildcard [if the * character is detected]; if no such character is detected, leave them in the domain category.
  4. Finally, after getting all of those, whether wildcard, just domain or just URL, distinguish wildcard from domain. After that, in the wildcard section, create some more wildcards like [*beta.example.com, *alpha.example.com] and consider them as *.example.com.
  5. Do not go after the Other category as in Hackerone.

#More Suggestion.

  1. Never use dalfox; more of the vulnerable endpoints get blocked because of the WAF.
  2. I would suggest Sudomy https://github.com/screetsec/Sudomy; this gets me more domains than anything else.
  3. Allow more filters on the endpoint tab [Contains parameter, other].

Thanks
Best Regards
r3dpars3c
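The bucketing the thread converges on, as an added example that is not reNgine's code or the PR in #1440: classify each bounty-eligible scope entry by the shape of its identifier instead of trusting the program's asset_type label, so a wildcard or host that a program files under OTHER is still recovered, while free text stays in OTHER. The field names asset_type, asset_identifier and eligible_for_bounty are assumed from HackerOne's structured scope attributes, and the sample entries are constructed.

```python
import ipaddress
import re

# Constructed HackerOne-style structured_scope entries (not real program data);
# field names are assumed from HackerOne's structured scope attributes.
SAMPLE_SCOPES = [
    {"asset_type": "WILDCARD", "asset_identifier": "*.example.com", "eligible_for_bounty": True},
    {"asset_type": "DOMAIN", "asset_identifier": "api.example.com", "eligible_for_bounty": True},
    {"asset_type": "OTHER", "asset_identifier": "*beta.example.com", "eligible_for_bounty": True},
    {"asset_type": "OTHER", "asset_identifier": "198.51.100.7", "eligible_for_bounty": True},
    {"asset_type": "OTHER", "asset_identifier": "Mobile app (Android)", "eligible_for_bounty": True},
    {"asset_type": "URL", "asset_identifier": "https://shop.example.com/login", "eligible_for_bounty": True},
    {"asset_type": "CIDR", "asset_identifier": "203.0.113.0/24", "eligible_for_bounty": False},
]

BUCKETS = ["WILDCARD", "DOMAIN", "IP_ADDRESS", "CIDR", "URL", "OTHER"]
URL_RE = re.compile(r"^https?://", re.I)
WILDCARD_RE = re.compile(r"^\*\.?(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify_asset(identifier: str) -> str:
    """Bucket an asset by the shape of its identifier, ignoring the API's asset_type label."""
    s = identifier.strip()
    if URL_RE.match(s):
        return "URL"
    for parse, kind in ((ipaddress.ip_address, "IP_ADDRESS"), (ipaddress.ip_network, "CIDR")):
        try:
            parse(s)
            return kind
        except ValueError:
            pass
    if WILDCARD_RE.match(s):
        return "WILDCARD"
    if DOMAIN_RE.match(s):
        return "DOMAIN"
    return "OTHER"  # free text such as mobile apps: keep it visible, do not guess a host

def normalize_wildcard(identifier: str) -> str:
    """Canonicalise '*beta.example.com' to '*.beta.example.com'. Deliberately does not
    widen it to '*.example.com': that would pull hosts the program never put in scope."""
    return "*." + identifier.strip().lstrip("*").lstrip(".")

def bucket_scopes(scopes) -> dict:
    """Group bounty-eligible entries by computed type; in-scope assets labelled OTHER are recovered."""
    buckets = {name: [] for name in BUCKETS}
    for scope in scopes:
        if not scope.get("eligible_for_bounty"):
            continue
        kind = classify_asset(scope["asset_identifier"])
        value = scope["asset_identifier"].strip()
        buckets[kind].append(normalize_wildcard(value) if kind == "WILDCARD" else value)
    return buckets
```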
