I found Security Vulnerability in your web application
> I found Security Vulnerability in your web application. For security purpose can we report vulnerability here, then will i get bounty reward in PayPal or Bitcoin for Security bug?
Is it just me, or are security consultants swarming web sites, looking for bugs unasked, and emailing you demanding thousands of dollars in bounties for security flaws? If you search the web for the exact email above, you will get hundreds of hits. Whether the cost is a payment to an unsolicited consultant or the fallout from a data breach, flaws in your product can be pricey. In this page, I'm going to write down some basic things to check in your website to make attacks harder, so at least you're not being shaken down for stupid mistakes.
I have ceased any bounty payments, because the things they generally find are not very likely to happen. I have to make a business decision: Do I want a perfect web application, or can I live with a few possible attacks? I am not Apple. I am not a bank. This is going to sound foolish, but at the end of the day I simply cannot afford to pay out half of my revenue each and every month for these things, because I still have to provide for my family.
Still, here is a list of the things I have learned. I am sure there is a larger list somewhere, but I have not found it.
Don't put sensitive information in URLs
When a user is logged in, what is in the URL at the top of the screen? Is there an identifier in there that should not be shared?
- If the user pasted any URL on your site, while logged in, to Twitter, could anybody get access to something they should not? Could other users edit this user's files?
- If a script on your page that you have no control over reads window.location and sends it back to its creator, is this a problem?
Verify any information you include in generated emails
One consultant found a way to send password reset emails from me to any user, with the URL in the email replaced by his own. How did he do this? Because I was lazy.
In my code, I had abstracted the password reset emails into a reusable library. The code needed to know which web site it was resetting the password for when it created the email. So I just took that value from the POST request, which meant the sender could put whatever site they liked into the email. And this resulted in a costly bounty I had to pay.
Rate limit generated emails
On that note, can anyone make you send an unlimited number of emails? Any code that automatically sends an email needs rate limiting.
Prevent password guessing
It's a fact that most people's passwords can be guessed in less than 100 tries. That's why they should use a password manager and create longer and more random passwords.
So one of the first things a consultant will do is figure out your API call for login and run a script against it with a list of common passwords. If they don't get stopped right away, this will result in a significant bounty.
You need to rate limit login attempts in at least two ways. You should of course limit the attempts for a particular login name. But then the consultant will just cycle through different login names. You will need to also limit based on IP address or other information as well.
Put limits on file uploads
Can you accept an image on your website? Do you resize it on the server? Great, let me dig out my 18 megapixel .png file for you. It's only 1KB, so your code will accept it. Without proper checks, decoding it will try to allocate the full-size bitmap and crash your server.
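One way to do that check in Go, added here as an example and not code from the original post: decode only the image header, compare the declared pixel count against an assumed limit (4 megapixels here) and reject the upload before the full decode ever runs. The PNG bytes are constructed inside the block (a valid signature and IHDR chunk with no pixel data) so it runs offline and shows exactly the "tiny file, huge claim" case.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/png" // registers the PNG decoder used by image.DecodeConfig
	"io"
)

// maxPixels is an assumed policy limit, enforced from the header alone before any pixel buffer is allocated.
const maxPixels int64 = 4_000_000

// checkUploadDimensions reads only the image header (the IHDR chunk for PNG)
// and refuses images whose declared width*height exceeds maxPixels.
func checkUploadDimensions(r io.Reader) (image.Config, error) {
	cfg, _, err := image.DecodeConfig(r)
	if err != nil {
		return image.Config{}, fmt.Errorf("unreadable image header: %w", err)
	}
	if px := int64(cfg.Width) * int64(cfg.Height); px > maxPixels {
		return cfg, fmt.Errorf("declared %dx%d (%d pixels) exceeds limit of %d", cfg.Width, cfg.Height, px, maxPixels)
	}
	return cfg, nil
}

// pngHeader builds a constructed PNG signature plus IHDR chunk declaring the
// given size as 8-bit RGBA with no pixel data: 33 bytes that can claim any size.
func pngHeader(width, height uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8], ihdr[9] = 8, 6 // bit depth 8, colour type 6; compression, filter and interlace stay 0
	var buf bytes.Buffer
	buf.WriteString("\x89PNG\r\n\x1a\n")
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.WriteString("IHDR")
	buf.Write(ihdr)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(append([]byte("IHDR"), ihdr...))) // CRC covers type + data
	return buf.Bytes()
}

func main() {
	for _, d := range [][2]uint32{{640, 480}, {6000, 3000}} {
		_, err := checkUploadDimensions(bytes.NewReader(pngHeader(d[0], d[1])))
		fmt.Printf("%dx%d: %v\n", d[0], d[1], err)
	}
}
```

The same header check works for JPEG and GIF once their decoders are imported, since image.DecodeConfig never reads the pixel data.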
Protect "secret" web URLs
Do you have any secret web URLs in your app for checking its status, or performing administration? Maybe you use Go, and left in the code for /debug/pprof? All secret URLs can be easily guessed using automated tools that just try every word or combination of characters and note which ones don't return a 404 error.
Assuming the consultant can list all the secret urls on your web site, can they do anything bad?
UI Redressing
If you allow your web site to be placed into an IFRAME it opens up a lot of attacks. If the attacker can trick a user into clicking on their link, they can open your web site inside their own page, superimpose their login button over yours, and steal the user's password.
Of course, anyone can do this without the iframe permissions by creating an exact copy of your site. But the point is to make it a little harder for them. Here is some information on IFRAME breaking.