My first CVE: reproducing another CVE to obtain 2 CVEs in a row
Recently I started to apply my hacking knowledge to find vulnerabilities on the HackerOne platform. But I had no luck. This is the story of how I managed to acquire 2 CVEs in a row: CVE-2021-22963 and CVE-2021-22964.
I. My pitfall 😿
While doing bug bounty 🕵️, I couldn't get money issues out of my head: "Damn, WTF, such a stupid bug but 2k 💸$? Why can't I achieve that?". The more I read bug reports, the more I experienced my own pitfalls 😡. Learning security was not like this; I remembered how I learned security through CTFs, such a joyful time solving those problems.
II. Changing my view 👁️🗨️
I’ve always remembered my boss saying:
Finding vulnerabilities is about enjoying the journey. - L4w.io
Maybe a money-oriented 💸 view is not the solution after all? Thus, after one week of suffering on bug bounty programs, I tried a whole new approach.
The question is how to enjoy the journey. I figured that learning the underlying technology would be fun, and why wouldn't I choose technologies that I am already fond of?
For example, this blog that you are reading: I wrote it in TypeScript, hosted it with Fastify, and render the posts with a markdown library. And what IDE did I choose to code this blog? VS Code. Wow, so many technologies popped up in my head.
III. Finding ideas 💡
Okay, so I have chosen several targets, but of course finding bugs in these targets is also a difficult job. Then I asked myself: "When I play CTF, if I get stuck and cannot solve the problem, what do I do? 🤔". "I read writeups, of course" - I said to myself.
Wait… Writeups? Aren't bug reports and CVEs writeups too? Many of my targets are open source projects, so I can even use those CVEs and bug reports to traverse to the git commit that fixed them and analyze the knowledge there.
IV. Finding known CVEs
Here is a good resource for analyzing known CVEs: https://github.com/advisories
But there are actually way more resources:
- ExpressJS publishes its own security updates: https://expressjs.com/en/advanced/security-updates.html
- Searching for "CVE" plus the product name. For example: "CVE fastify" -> https://www.cvedetails.com/product/60955/Fastify-Fastify.html?vendor_id=20791
Try to find those known bugs and reproduce them; you will be surprised at how much knowledge you gain.
V. Profit 🏆
The bug I found was in Fastify's fastify-static module. I got the idea from the Express bug CVE-2015-1164, an open redirect in the serve-static middleware. Luckily, Fastify is open on HackerOne: https://hackerone.com/fastify so I could immediately reach out to them. Currently they do not offer a bounty, but screw that, I want to learn the internal components of Fastify because it's fun, that's all.
The author fixed the bug and my finding was listed as CVE-2021-22963. However, because the fix was insufficient, I was able to bypass it, resulting in my next CVE: CVE-2021-22964 😅. This also reminds us that fixing a security bug can be quite hard and cumbersome, and sometimes a fix leads to another security bug if the devs are not careful 😳.
Kudos to developers of Fastify