Open r3dpars3c opened 1 month ago
Hey @r3dpars3c! Thanks for flagging this bug!
You're our superhero bug hunter! Before we suit up to squash this bug, could you please:
- Double-check our documentation: https://rengine.wiki
- Make sure it's not a known issue
- Provide all the juicy details about this sneaky bug
Once again - thanks for your vigilance!
Hi @r3dpars3c
The scopes are provided by the HackerOne API; we do filtering, though, for the scopes we support. But can you give me some program names whose scopes don't match? I will verify.
I mainly check private HackerOne programs. I found the issue but I can't fix it myself. What has happened is that some programs display valid in-scope assets as "other" rather than pre-classified [domain or wildcard]. Given the way reNgine has been developed, it checks the HackerOne response to distinguish whether an asset or scope is a wildcard or a domain. This leads to missing many assets, because sometimes valid in-scope assets are classified as "other". This needs to be fixed urgently, as we might be missing many potential targets.
Hope this gets fixed soon, as I am running an expensive VPS. Can't lose more money waiting for updates.
Thanks, Best Regards
Hi @r3dpars3c, we do consider OTHER assets as well. Probably the response format is different from what I expected.
If you have time, can you please use Postman and send a request to the HackerOne API https://api.hackerone.com/v1/hackers/programs/{program_handle}? Check the HackerOne docs to see how to send the API key as an auth param.
Please redact any sensitive information, but I would like to see the response and asset format.
You can mail me at yogesh.ojha11@gmail.com if you wish not to share it here, as it's a private program.
I checked the reNgine code but couldn't find the Other asset type. Check these files:
https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/api/views.py#L67
https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/static/custom/bountyhub.js#L460
https://github.com/yogeshojha/rengine/blob/e9251c41bcaf166c80b07ca7d206bf5b55e599ee/web/reNgine/definitions.py#L565
I think the proper fix would be to add Other entries as well.
You can try it on this program: https://hackerone.com/capital-one-bounty/policy_scopes
as my private program has a scope similar to this public program's.
Aaahah, thank you for pointing it out. My mistake, I missed the OTHERS. Sending a PR, please test it out.
@r3dpars3c please test this out if you have time
https://github.com/yogeshojha/rengine/pull/1440
make down
git fetch
git checkout 1437-bug-rengine-not-able-to-display-hackerone-scope-properly
make build && make up
Since I have introduced a new util function that uses a regex to check whether an asset is supported by reNgine or not, please test it out against different targets to see if importing works better.
On the UI as well you should be able to see the assets under the OTHER section.
For example
If everything looks good, let me know and I will merge the changes.
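The bug described in this thread is that reNgine trusted the HackerOne `asset_type` field to decide whether a scope entry was a wildcard or a domain, so in-scope entries that the program had labelled OTHER were silently dropped. The snippet below is an added example, not reNgine's code or the PR's util function: it classifies each scope entry from the identifier text alone with a strict hostname regex, so a domain-like OTHER entry is imported while free-text OTHER entries (a mobile app name, for instance) are kept visible but not fed to scanners, and entries not eligible for submission are skipped. The response shape (`data[].attributes.asset_type`, `asset_identifier`, `eligible_for_submission`) and the sample program are constructed for the example and are assumptions about the HackerOne API, not copied from its docs.

```python
import re

# Constructed sample shaped like a HackerOne structured_scopes response.
# Field names are assumptions for this example, not taken from reNgine or HackerOne docs.
SAMPLE_SCOPES = {
    "data": [
        {"attributes": {"asset_type": "WILDCARD", "asset_identifier": "*.example.com",
                        "eligible_for_submission": True}},
        {"attributes": {"asset_type": "URL", "asset_identifier": "app.example.com",
                        "eligible_for_submission": True}},
        # The failure mode from the issue: valid in-scope hosts labelled OTHER.
        {"attributes": {"asset_type": "OTHER", "asset_identifier": "*.partner-example.net",
                        "eligible_for_submission": True}},
        {"attributes": {"asset_type": "OTHER", "asset_identifier": "api.example.org",
                        "eligible_for_submission": True}},
        # Free text that must not be handed to a scanner as a hostname.
        {"attributes": {"asset_type": "OTHER", "asset_identifier": "Mobile app com.example.android",
                        "eligible_for_submission": True}},
        {"attributes": {"asset_type": "URL", "asset_identifier": "https://legacy.example.com/login",
                        "eligible_for_submission": True}},
        # Out-of-scope entries are returned by the API too; they must be skipped.
        {"attributes": {"asset_type": "WILDCARD", "asset_identifier": "*.out-of-scope.example.com",
                        "eligible_for_submission": False}},
    ]
}

# One DNS label: 1-63 chars of letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{LABEL_RE}\.)+[a-z]{{2,63}}$", re.IGNORECASE)
WILDCARD_RE = re.compile(rf"^\*\.(?:{LABEL_RE}\.)+[a-z]{{2,63}}$", re.IGNORECASE)


def normalize(identifier):
    """Reduce a scope identifier to a bare host: drop scheme, port and path."""
    ident = identifier.strip().lower()
    ident = re.sub(r"^[a-z][a-z0-9+.-]*://", "", ident)  # scheme
    ident = ident.split("/", 1)[0]                       # path
    ident = ident.split(":", 1)[0]                       # port
    return ident


def classify(identifier):
    """Return 'wildcard', 'domain' or None based only on the identifier text.

    The asset_type label is deliberately ignored, because programs mislabel
    real hosts as OTHER; the regex is the authority on what is scannable.
    """
    ident = normalize(identifier)
    if WILDCARD_RE.match(ident):
        return "wildcard"
    if DOMAIN_RE.match(ident):
        return "domain"
    return None


def import_scopes(response):
    """Bucket every in-scope entry; unparseable identifiers stay visible under 'other'."""
    result = {"wildcard": [], "domain": [], "other": [], "skipped": []}
    for entry in response["data"]:
        attrs = entry["attributes"]
        ident = attrs["asset_identifier"]
        if not attrs.get("eligible_for_submission", True):
            result["skipped"].append(ident)
            continue
        kind = classify(ident)
        if kind is None:
            result["other"].append(ident)
        else:
            result[kind].append(normalize(ident))
    return result


if __name__ == "__main__":
    for bucket, items in import_scopes(SAMPLE_SCOPES).items():
        print(f"{bucket}: {items}")
```

The design choice worth noting is that the regex is strict rather than permissive: an identifier that fails it goes to the `other` bucket for the user to review, not to the domain list, so a mislabelled OTHER entry is recovered without letting arbitrary text from a third-party API drive a scan.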
Hi @yogeshojha I found the following behavior even after git fetch.
https://hackerone.com/spotify/policy_scopes
https://github.com/screetsec/Sudomy
This gets me more domains than anyone. Thanks, Best Regards, r3dpars3c
Is there an existing issue for this?
Current Behavior
Expected Behavior
All scopes on HackerOne must be visible across both platforms.
Steps To Reproduce
As described above
Environment
Anything else?
No response