Swag Store

In the bug bounty industry, companies/programs reward hackers with bounties for their contribution: most of the time money, and swag from time to time. But what about platforms? How do platforms thank their hackers? Unfortunately, events are not a standard and only a few selected hackers can participate. What about something more popular, something fair, something that all hunters could enjoy, even the beginners, even the casuals? All platforms have a scoring system, so what if you could transform this reputation/score into something more concrete? This is THE SWAG STORE.

For the purpose of this article, I created a demo store located at: https://bbswagstore.myshopify.com/
Please do not focus on prices!

Concept

Basically, the idea of the Swag Store is to convert reputation points into something more interesting for hackers than a number on a webpage: real items. Some of those items are more of a quest treasure, like the famous HackerOne hoodie, not easy to get if you’re not part of an event. I would be more than happy to be able to buy one, or the amazing Bugcrowd stuff, or the Yes We Hack backpack, but I’m not starving enough to hunt days and nights for months/years. How many bugs should I find for that?

Plus, as a hunter I think we deserve it: we are part of their success, no hackers, no platforms. Since most of the platforms take a share of the hunters’ rewards - usually 25% - a hacker who reaches 1000 points has probably reported enough bugs to pay for much more than a tee-shirt. But it’s only my opinion.

[image: swag store bugcrowd]

Get better

When we talk about swag we usually think about tee-shirts, stickers, caps, camera covers and so on… But wait… What if we could get something more useful for everyone? Maybe we could find a way to improve hackers’ skills at the same time? It would be a win/win because if hackers get better, they would find more bugs, right?

Think if, as a hacker, you could get that famous OSCP subscription for free. All you have to do is find some bugs on some targets (and also be paid for that!). Wouldn’t it be a good deal?

Think if, as a platform, you could tell your customers that 80% of your hunters are OSCP certified? Wouldn’t it be a nice marketing move?

Think if, as a company, you could have access to a community of hackers who are all OSCP certified? Wouldn’t it be a sign of quality?

[image: swag store learning]

Project details

For a quick deployment, I decided to create a store on the e-commerce solution Shopify. Easy to configure, easy to maintain, easy product/customer/order management, operational in a minute: Shopify is the best option in this situation (they also have a great bug bounty program on HackerOne). So no development is needed for the store itself, but we have a problem regarding the payment: how to buy items with platform reputation?

We can easily assume that a standard tee-shirt with the platform logo would cost much more than 10Ɍ (HackerOne grants 100Ɍ at sign-up). That means that prices have to be high, let’s say 500Ɍ for that tee-shirt. That way we also avoid real orders: who would buy a tee-shirt for 500$?!

Hackers should have a swag credit that moves up (hopefully not down) following their reputation score. Then the idea is to create a discount code (voucher) equivalent to the swag credit when a hacker wants to buy something. The hacker uses the code during the payment process, the platform is notified, and his swag credit decreases by the real amount of the order.

Required:

  • The hacker should first create an account on the swag store.
  • The hacker should provide his account id from the swag store on the bug bounty platform.
  • The platform should add a button in the hacker’s profile to create a voucher for the swag credit value.
  • The platform should create the gateway scripts with the swag store.

[image: swag store profile]

Store configuration

  • First, some basic settings regarding customers: /admin/settings/checkout
    - check the option “Accounts are required”
    - check the option “Customers can only check out using email”

  • Currency display: /admin/settings/general
    - Store currency: US
    - HTML with currency: Ɍ{{amount}} REP
    - HTML without currency: Ɍ{{amount}}
    - Email with currency: Ɍ{{amount}} REP
    - Email without currency: Ɍ{{amount}}

  • Disable payments: /admin/settings/payments
    - Disable PayPal Express Checkout
    - Create a “Manual payment method” with dummy data

  • Create a private app in order to talk to the store using the Shopify API: /admin/apps/private/new
    Give read and write permission to:
    - Customer details and customer groups
    - Discounts - Discounts GraphQL API
    - Discounts - PriceRule REST and GraphQL API

  • Finally, configure the webhook to be notified of the payments: /admin/settings/notifications
    - event: Order payment

Scenario

1/ The hacker creates an account on the store

2/ He submits his store ID in his profile on the bug bounty platform

For convenience, this process could be fully automated by the platform using the Shopify API.

# create customer
curl https://<API_KEY>:<PASSWORD>@<STORE_NAME>.myshopify.com/admin/api/2019-04/customers.json \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"customer":{"email":"g@10degres.net","accepts_marketing":false,"first_name":"Gwen","last_name":"Gwen","currency":"USD",
       "addresses":[{"first_name":"Gwen","last_name":"Gwen","company":"10degres","address1":"my address","address2":"my address 2",
                     "city":"Paris","province":"","country":"France","zip":"75001","phone":"","name":"Gwen Gwen",
                     "province_code":null,"country_code":"FR","country_name":"France","default":true}]}}'

3/ The hacker visits his profile page and decides to “Create a discount code”

4/ The platform creates the voucher on the swag store:

# create price rule
curl https://<API_KEY>:<PASSWORD>@<STORE_NAME>.myshopify.com/admin/api/2019-04/price_rules.json \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"price_rule": {"title": "ABCDEFGHIJKLMNOPQRSTUVWXYZ","target_type": "line_item","target_selection": "all",
       "allocation_method": "across","value_type": "fixed_amount","value": "-10.0",
       "customer_selection": "prerequisite","prerequisite_customer_ids":["<USER_ID>"],
       "starts_at": "2019-01-01T00:00:00Z","ends_at": "2019-01-02T00:00:00Z"}}'

# create discount code
curl https://<API_KEY>:<PASSWORD>@<STORE_NAME>.myshopify.com/admin/api/2019-04/price_rules/<PRICE_RULE_ID>/discount_codes.json \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"discount_code":{"code":"ABCDEFGHIJKLMNOPQRSTUVWXYZ"}}'

For security reasons:
- Price rules should be configured with the correct user id: customer_selection + prerequisite_customer_ids
- The end date of the validity of the “offer” should be set to a short period: ends_at
- The price rule should be usable only once: once_per_customer
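The three rules above are easy to forget when the payload is assembled by hand, so here is an added example (my own code, not the author’s gateway script) of a platform-side helper that builds the price_rule body with every restriction in place and a checker that refuses a rule missing any of them. The 24-hour validity window, the hypothetical customer id 4242 and the use of usage_limit alongside once_per_customer are assumptions; the field names are those of the Shopify PriceRule API already shown in the curl call above.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed validity window: short enough that a leaked or forgotten code dies quickly.
VOUCHER_TTL = timedelta(hours=24)
ALPHABET = string.ascii_uppercase + string.digits
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def new_voucher_code(length=26):
    """Unguessable voucher code (the article's ABCDEFGHIJKLMNOPQRSTUVWXYZ is a placeholder of the same length)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_price_rule(customer_id, swag_credit, code, now):
    """Build the price_rule payload for one hacker: bound to his customer id, single use, short-lived."""
    if swag_credit <= 0:
        raise ValueError("no swag credit to convert")
    return {"price_rule": {
        "title": code,
        "target_type": "line_item",
        "target_selection": "all",
        "allocation_method": "across",
        "value_type": "fixed_amount",
        "value": "-%.1f" % swag_credit,          # Shopify expresses a fixed discount as a negative amount
        "customer_selection": "prerequisite",    # only the listed customer can redeem it
        "prerequisite_customer_ids": [int(customer_id)],
        "once_per_customer": True,               # one redemption per customer
        "usage_limit": 1,                        # and one redemption overall (assumption: belt and braces)
        "starts_at": now.strftime(ISO_FMT),
        "ends_at": (now + VOUCHER_TTL).strftime(ISO_FMT),
    }}


def check_price_rule(payload, expected_customer_id, max_ttl=VOUCHER_TTL):
    """Return the list of policy violations in a price rule; an empty list means it is safe to create."""
    rule = payload["price_rule"]
    problems = []
    if rule.get("customer_selection") != "prerequisite":
        problems.append("rule is redeemable by any customer")
    if rule.get("prerequisite_customer_ids") != [int(expected_customer_id)]:
        problems.append("rule is not bound to customer %s" % expected_customer_id)
    if rule.get("once_per_customer") is not True:
        problems.append("rule can be redeemed more than once")
    if rule.get("value_type") != "fixed_amount" or not str(rule.get("value", "")).startswith("-"):
        problems.append("discount is not a negative fixed amount")
    try:
        starts = datetime.strptime(rule["starts_at"], ISO_FMT)
        ends = datetime.strptime(rule["ends_at"], ISO_FMT)
        if ends - starts > max_ttl:
            problems.append("validity window longer than %s" % max_ttl)
    except (KeyError, ValueError):
        problems.append("starts_at/ends_at missing or malformed")
    return problems


def demo():
    """Fixed-clock demonstration: a well-formed rule passes, a loosened copy is rejected."""
    now = datetime(2019, 1, 1, tzinfo=timezone.utc)
    good = build_price_rule(4242, 120.5, new_voucher_code(), now)
    loose = build_price_rule(4242, 10, new_voucher_code(), now)
    loose["price_rule"]["customer_selection"] = "all"        # anyone could redeem it
    del loose["price_rule"]["prerequisite_customer_ids"]
    loose["price_rule"]["ends_at"] = "2020-01-01T00:00:00Z"  # valid for a year
    return good, check_price_rule(good, 4242), check_price_rule(loose, 4242)


if __name__ == "__main__":
    good, good_problems, loose_problems = demo()
    print(good["price_rule"]["value"], good["price_rule"]["ends_at"], good_problems)
    for p in loose_problems:
        print("loose rule:", p)
```

Run the checker on every payload just before the POST to price_rules.json; a voucher that is not pinned to one customer is a gift card anyone who sees the code can spend.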

5/ The discount code is displayed to the hacker

6/ The hacker can now chill out on the store and pick up what he really really wants

7/ During the payment process the hacker provides the discount code

If the discount is greater than or equal to the subtotal, the final price will be 0 and everything is fine.
If the discount is less than the subtotal, the hacker will have to remove some items from his cart (or pay the difference with real money, but no one wants that…)

[image: swag store checkout]

8/ The platform is notified by the store that a payment just occurred

POST / HTTP/1.1
Content-Type: application/json
X-Shopify-Topic: orders/paid
X-Shopify-Shop-Domain: bbswagstore.myshopify.com
X-Shopify-Order-Id: 8209946494603
X-Shopify-Test: true
X-Shopify-Hmac-Sha256: N2nqX1/zcS4953w9/et+UDvEmMy1QhNEe14zG7afjTc=
X-Shopify-Api-Version: 2019-07
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 6441
Connection: close
Host: www.mysuperbugbountyplatform.com

{"id":8209946494603,"email":"jon@doe.ca","closed_at":null,"created_at":"2019-07-15T16:39:44+02:00"...

9/ The platform decreases the hacker’s swag credit by the real amount of the order
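Steps 8 and 9 are where the platform gives something away, so the webhook receiver must be sure the request really comes from the store before touching anyone’s credit. The captured request above carries an X-Shopify-Hmac-Sha256 header: Shopify computes HMAC-SHA256 over the raw request body with the app’s webhook secret and base64-encodes it. The following is an added example (mine, not the author’s gateway script) of a receiver that verifies that header in constant time, ignores test deliveries and replayed order ids, and then debits the credit. The shared secret, the customer id 1001 and the in-memory ledger are constructed; the order id and e-mail are the ones from the captured request. It assumes the voucher is the only discount on the order, so the order’s total_discounts field is the reputation actually spent.

```python
import base64
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed secret; the real one is the webhook signing secret shown in the Shopify admin.
WEBHOOK_SECRET = b"constructed-example-secret"
EXPECTED_SHOP = "bbswagstore.myshopify.com"


def sign_body(raw_body, secret=WEBHOOK_SECRET):
    """Value Shopify puts in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(raw_body, header_value, secret=WEBHOOK_SECRET):
    """Constant-time comparison against the raw, unparsed body (re-serialised JSON would not match)."""
    return hmac.compare_digest(sign_body(raw_body, secret), header_value or "")


class SwagLedger:
    """Hypothetical in-memory stand-in for the platform's swag credit table (store customer id -> credit)."""

    def __init__(self, credits):
        self.credits = {cid: Decimal(str(v)) for cid, v in credits.items()}
        self.seen_orders = set()  # order ids already debited, so a redelivered webhook cannot debit twice

    def handle_webhook(self, headers, raw_body):
        """Process one delivery and return a short status string."""
        if headers.get("X-Shopify-Shop-Domain") != EXPECTED_SHOP:
            return "rejected: unexpected shop"
        if not verify_signature(raw_body, headers.get("X-Shopify-Hmac-Sha256")):
            return "rejected: bad signature"
        if headers.get("X-Shopify-Topic") != "orders/paid":
            return "ignored: topic"
        if headers.get("X-Shopify-Test") == "true":
            return "ignored: test delivery"          # assumption: test orders never move real credit
        order = json.loads(raw_body)
        order_id = order["id"]
        if order_id in self.seen_orders:
            return "ignored: duplicate order %d" % order_id
        customer_id = order["customer"]["id"]
        spent = Decimal(order["total_discounts"])  # assumption: the voucher is the only discount applied
        balance = self.credits.get(customer_id, Decimal("0"))
        if spent > balance:
            # The voucher was worth more than the credit we hold: do not go negative, flag for review.
            return "flagged: order %d spends %s but customer %d has %s" % (order_id, spent, customer_id, balance)
        self.credits[customer_id] = balance - spent
        self.seen_orders.add(order_id)
        return "ok: customer %d debited %s" % (customer_id, spent)


# Constructed sample delivery built on the captured request's order id and e-mail.
SAMPLE_ORDER = {
    "id": 8209946494603,
    "email": "jon@doe.ca",
    "financial_status": "paid",
    "subtotal_price": "500.00",
    "total_discounts": "500.00",
    "total_price": "0.00",
    "customer": {"id": 1001},
}
SAMPLE_BODY = json.dumps(SAMPLE_ORDER).encode("utf-8")
SAMPLE_HEADERS = {
    "X-Shopify-Topic": "orders/paid",
    "X-Shopify-Shop-Domain": EXPECTED_SHOP,
    "X-Shopify-Order-Id": "8209946494603",
    "X-Shopify-Test": "false",
    "X-Shopify-Hmac-Sha256": sign_body(SAMPLE_BODY),
}


def demo():
    """Genuine delivery, a replay of it, and a body altered after signing."""
    ledger = SwagLedger({1001: "650"})
    first = ledger.handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY)
    replay = ledger.handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY)
    tampered_body = SAMPLE_BODY.replace(b'"500.00"', b'"5.00"', 1)
    tampered = ledger.handle_webhook(SAMPLE_HEADERS, tampered_body)
    return first, replay, tampered, ledger.credits[1001]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The signature check has to run on the bytes exactly as received; parsing the JSON and serialising it again changes whitespace and key order and the HMAC will never match. Keeping the seen order ids is what makes step 9 idempotent when Shopify retries a delivery.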

10/ (optional) The platform revokes the voucher

# delete price rule
curl https://<API_KEY>:<PASSWORD>@<STORE_NAME>.myshopify.com/admin/api/2019-04/price_rules/<PRICE_RULE_ID>.json \
  -H "Content-Type: application/json" \
  -X DELETE

# delete discount code
curl https://<API_KEY>:<PASSWORD>@<STORE_NAME>.myshopify.com/admin/api/2019-04/price_rules/<PRICE_RULE_ID>/discount_codes/<DISCOUNT_CODE_ID>.json \
  -H "Content-Type: application/json" \
  -X DELETE

11/ (optional) Using the same method, the platform can revoke all vouchers created the day before but not used

Conclusion

My store is just a small example of what could be possible; we can imagine everything: classic goodies, books, courses, convention invites (most of the time very expensive), software licenses, IoT stuff… etc…

In an improved version of a Swag Store, we can imagine that program items could also be available: Pornhub, Etsy, GitHub, Eset all have incredible swag, very popular in the community.

Why couldn’t companies’ triagers enjoy swag too? We could imagine that the programs’ reputation meters increase the same way as hackers’ meters. That way a company could “buy” great items (like OSCP) for their triagers. Again, it would be a great marketing move. And maybe some triagers would think twice before mass-closing reports as NA/dup.
