johnk

8 High-Impact Bugs and How HackerOne Customers Avoided a Breach: Privilege Escalation

Customers tell us that a big difference between hacker-powered security and traditional approaches is the impact. Since hackers make money for reporting vulnerabilities with a clear business impact—the bigger the impact, the bigger the bounty—hacker-powered security programs make you demonstrably safer. In contrast, we often hear that traditional penetration tests return low or no impact bugs. Even worse, scanners typically produce noisy false-positives, or the same bug over and over.

This blog series counts down 8 high-impact vulnerability types, along with detailed examples of how HackerOne helped customers avoid breaches associated with them. To develop this series, we consulted both OWASP Top 10 as well as HackerOne’s recent analysis of the Top 10 Most Impactful and Rewarded Vulnerability Types.

Next, we headed over to Hacktivity, the largest directory of publicly disclosed vulnerability reports, to grab examples of how our ingenious security researchers helped HackerOne customers avoid costly breaches associated with each type of vulnerability. Hacktivity details vulnerabilities that have been fixed and that all parties—the hacker and the customer—agree to make public. This site lists thousands of real world vulnerabilities, the steps hackers used to find them, and other report and remediation details

To kick things off, let’s look at vulnerability type number 8: Privilege Escalation.

Privilege Escalation

 

Privilege Escalation

According to Mitre, Privilege Escalation happens when an adversary tries to gain higher-level permissions.

Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches involve taking advantage of system weaknesses, misconfigurations, and vulnerabilities. 

In its guidelines to test for privilege escalation, OWASP adds “people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).”

HackerOne ranked this vulnerability fourth on our list of top ten most impactful and rewarded vulnerabilities. The business impact depends on the nature of the data and access the escalated privilege exposes.

Potential Business Impact

The ways an attacker can use a subdomain takeover include malware distribution, phishing/spear phishing, XSS, authentication bypass, and sending and receiving email on behalf of the victimized company. Home Depot customers saw the impact of this vulnerability firsthand. In a 2014 breach impacting tens of millions of credit card holders, an attacker was able to use privilege escalation to install custom malware on self check-out systems in the U.S. and Canada.

Number 7 in our series of 8 high impact vulnerabilities will look at SQL Injection and how your favorite coffee tastes much better without one -- so stay tuned!

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report