How I Made $600 in Bug Bounty in 15 Minutes with Contrast CE – CVE-2019-8442

We live in a dynamic economy that is constantly developing new ways to generate revenue. An area that fascinates me are the bug bounty programs such as Atlassian on BugCrowd. Generating tangible rewards from these programs is not an easy undertaking. After years of participating in them, I can attest that the bar is set quite high. It takes time and focus getting your arms around each program and the scope of applications involved.  

But what would you say if the bar were lowered, so that it was suddenly easier and faster to reap returns? Would you participate? Would I have your attention if I told you that I made $600 in 15 minutes using Contrast Community Edition (CE), a free, full-strength application security platform from Contrast Security that provides always-on IAST, RASP, and SCA for Java applications, .NET Core, and APIs?

How I Landed a Bug Bounty with Contrast CE

When I started at Contrast Security, I wanted to get my hands dirty with its products to understand how they worked. I picked Contrast CE and ran it against the OWASP WebGoat project, knowing there are plenty of application security vulnerabilities in it. It immediately delivered impressive results, identifying a long list of vulnerabilities. After this initial test, I was determined to run it on a real-world application: one used by millions of users and covered by a bug bounty program. I found the perfect candidate in Atlassian JIRA Server, which we also use internally at Contrast Security.

After downloading Atlassian JIRA Server, I followed the setup instructions, which were very straightforward. JIRA Server launched, and I was up and running:

[screenshot: welcome-to-jira]

With the JIRA Server successfully running, I moved to connecting Contrast CE to JIRA Server. Following are the different steps:

  1. I registered for a free account: https://www.contrastsecurity.com/contrast-community-edition.
  2. With a registered account, I was able to proceed to a login screen: https://ce.contrastsecurity.com/Contrast/.
  3. Once I was logged into my account, I clicked the “Add Agent” button.

    [screenshot: add-agent]
  4. I then needed to retrieve the license file for my Contrast CE instance and place it in:

    /etc/contrast/java/contrast_security.yaml
  5. This downloaded the Java agent.
  6. With those steps completed, I proceeded to connect the Contrast CE agent to the JIRA Server. The best way for me to do so was to set the CATALINA_OPTS JVM environment variable. I concluded that it should be set within the provided “start-jira.sh” script, so I opened that file for editing and added:

    export CATALINA_OPTS="-javaagent:/path/to/agent/contrast.jar"
  7. With the JIRA Server application running, I then checked Contrast CE to verify the connection.

    [screenshot: jira-server-application]
  8. I then clicked on the JIRA Server Web Application in Contrast CE, which revealed the first vulnerability with the following message:

    [screenshot: jira-server-web-application]
  9. On the main vulnerability page, I could quickly see the vulnerable part of the URL that ended up in a tainted sink:

    download/contextbatch/js/atl.dashboard,jira.global,atl.general,-_super/batch.js 
  10. With this information in the background, I clicked on the “HTTP Info” tab and then “Replay Request.” Knowing which portion of the request was vulnerable, I began to think about different ways to exploit it.

    [screenshot: replay-http-request]
  11. My first action was to replace the vulnerable portion of the URL with /WEB-INF/web.xml, knowing that it existed despite the request failing. Then, I executed a typical directory traversal attack similar to /../../../../../../etc/passwd, which also failed. One potential conclusion is the presence of a false positive.
  12. To determine why the aforementioned requests had failed, I clicked the “Details” tab and the following application flow was revealed:

    [screenshot: application-flow]
  13. This disclosed a potential validator pattern, which prompted me to expand the view, revealing the following:

    [screenshot: data-has-newlines-removed]
  14. JIRA Server was invalidating requests to WEB-INF.
  15. This prompted me to think about other application areas that could be accessed, which led me to META-INF. Thus, I executed a request along the lines of the following:

    http://localhost:8080/s/b1fee0a256584291c94c59cf5d11a26a-CDN/-hpjday/800007/6411e0087192541a09d88223fb51a6a0/3cebffe675df202df498f33f796ac55b/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

  16. This produced the following result:

    [screenshot: xml-file-does-not-appear]
  17. This exposed the vulnerability, as the META-INF directory is not supposed to be accessible. Hello, Bug Bounty!
  18. With this confirmation in hand, I submitted the issue to BugCrowd and received a $600 reward after one week, all from testing with Contrast CE. The issue was fixed under https://jira.atlassian.com/browse/JRASERVER-68942 in each of the following versions:

    • 7.13.4
    • 8.0.4
    • 8.1.1

    A CVE was also issued for this vulnerability.

One of the most impressive outcomes of the above is that it took me around 15 minutes to complete these tasks. What a great value proposition for anyone looking to make some extra dollars via bug bounty programs using a free tool. Download a free copy of Contrast CE to get started today.

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.