bug: Rengine not able to display hackerone scope properly.

[r3dpars3c]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

1. When we head to Bounty-Hub and hackerone and then Program dash board
2. 2. Select any program and check the scope
3. Many scopes are missing on rengine while being correctly displayed on hackerone.
4. This leads to miss many scopes.

Expected Behavior

All scopes on hackerone and scopes must be visible across both platform.

Steps To Reproduce

As describe above

Environment

Latest

Anything else?

No response

[github-actions]

Hey @r3dpars3c! 👋 Thanks for flagging this bug! 🐛🔍

You're our superhero bug hunter! 🦸‍♂️🦸‍♀️ Before we suit up to squash this bug, could you please:

📚 Double-check our documentation: https://rengine.wiki
🕵️ Make sure it's not a known issue
📝 Provide all the juicy details about this sneaky bug

Once again - thanks for your vigilance! 🛠️🚀

[yogeshojha]

Hi @r3dpars3c

The scopes are provided by hackeone API, we do filtering though for the scope we support. But can you give some program name that scopes don't match, I will verify

[r3dpars3c]

I mainly checks for private hackerone programs.
I found the issue but i can't fix it myself.
What has happened is that.
Some program display valid inscope assets as other rather than pre classified [domain or wildcard].
As the way rengine been developed, it checks hackerone response for distinguishing whether the assets or scope is wildcard or domain.
This leads to missing many assets because sometime that inscope valid assets are classified as other.
This needs to be fixed urgently as we might me missing many potential targets.

Hope this get fixed sooner as i am running expensive VPS.
Can't lose more money waiting for updates.

Thanks
Best Regards

[yogeshojha]

Hi @r3dpars3c we do consider OTHER assets as well. Probably the response format is different than that I expected.

If you have, time can you please use postman and send request to hackerone api https://api.hackerone.com/v1/hackers/programs/{program_handle}, check hackerone docs to see how to send api key as auth param

Please redact any sensitive information but I would like to see the response and asset format.

You can mail me [email protected] if you wish not to share here as its private program.

[r3dpars3c]

I checked the rengine code but couldn't find Other asset.
Check these files.

rengine/web/api/views.py

Line 67 in e9251c4

ALLOWED_ASSET_TYPES = ["WILDCARD", "DOMAIN", "IP_ADDRESS", "CIDR", "URL"]

rengine/web/static/custom/bountyhub.js

Line 460 in e9251c4

WILDCARD: [], DOMAIN: [], IP_ADDRESS: [], CIDR: [], URL: []

rengine/web/reNgine/definitions.py

Line 565 in e9251c4

)

I think the proper fixed would be to add Other entries as well.

[r3dpars3c]

You can try on this program.
https://hackerone.com/capital-one-bounty/policy_scopes

as My private program has similar one to this public program one

[yogeshojha]

Aaahah thank you for pointing out, my mistake I missed the OTHERS, sending a PR and please test it out.

[yogeshojha]

@r3dpars3c please test this out if you have time

#1440

make down
git fetch
git checkout 1437-bug-rengine-not-able-to-display-hackerone-scope-properly
make build && make up

Since I have introduced a new util function to check the aseet is supported by reNgine or not using regex, please test it out against different targets to see if importing works better.

On UI as well you should be able to see the assets under OTHER section

For example

If everything looks give, let me know and I will merge the changes.

[r3dpars3c]

Hi @yogeshojha
I found the following behavior even after git fetch.

1. The other scopes are working properly.
2. But the wildcard and domain aren't working properly.
3. In instruction assets still get missed, check this program https://hackerone.com/spotify/policy_scopes

#Suggestion.

1. Import whatever scopes [asset_identifier and instruction sections ] are eligible for bounty
2. Check whether that contains domain or not.
3. If it contains the data , Classify them as Wildcard[if * character is detected.] else if not such character is detected let it be in domain category.
4. Finally after getting all those either wildcard or just domain or just URL, Distinguish as wildcard and domain. after that in wildcard section, Create some more wildcard like [*beta.example.com, *alpha.example.com], consider them as *.example.com
5. Do not go after Other category as in Hackerone.

#More Suggestion.

1. Never use dalfox, more of vulnerable endpoints get blocked because of WAF.
2. I would suggest Sudomy https://github.com/screetsec/Sudomy this gets me more domain than anyone.
3. Allow more filters on endpoint tab, [Contains parameter, other ]

Thanks
Best Regards
r3dpars3c