Analytics is a useful feature on the Synack Red Team platform, especially when you’re starting out. It is not only a good way to identify improvements in your own game, but also a way to find a few extra vulnerabilities on aged targets, where you are likely to face far less competition.
Here are a few tips to get you started.
Testing For Regressions:
Just because something is marked as fixed doesn’t necessarily mean it isn’t prone to the same attack in a different way. Patch verifications are often a direct reproduction of the steps in the report; they may not test beyond those steps to see how else the endpoint is vulnerable. Regressions pay at 30% of market value.
You’ve looked at the accepted vulnerabilities on a target and someone found the SQLi/XSS you’ve just discovered three years ago, and it’s still pending.
All is not lost! Double-check that every vulnerable parameter on this endpoint has been submitted for this domain by checking the parameters in the create-report functionality; it shows you how many times each one has been reported.
In the SQLi case, hunters using sqlmap will occasionally stop at the first vulnerable parameter so they can report the endpoint before someone else beats them to it. Because of this, there may be an opportunity to report an extra parameter at 10/15/20% of market value, depending on your level.
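To make the "don’t stop at the first parameter" point concrete, here is an added example (not code from the original post) that runs a boolean-based SQLi probe over every query parameter of an endpoint and keeps going after the first hit. The target is a constructed stand-in: a hypothetical handler backed by an in-memory SQLite table, where `category` and `brand` are concatenated into the query and `page` is cast to an integer. The URL, table and parameter names are all made up for the example; to use this for real, replace `fake_backend` with an HTTP request to a target you are authorised to test.

```python
"""Probe every query parameter for boolean-based SQLi instead of stopping
at the first injectable one.  Added example; the backend below is a
constructed stand-in for a real endpoint."""
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit

# --- constructed stand-in for the target application ---------------------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (name TEXT, category TEXT, brand TEXT)")
_db.executemany(
    "INSERT INTO products VALUES (?, ?, ?)",
    [("runner", "shoes", "acme"), ("trail", "shoes", "zenith"), ("cap", "hats", "acme")],
)


def fake_backend(query_string: str) -> str:
    """Hypothetical vulnerable handler.  `category` and `brand` are string-
    concatenated into the WHERE clause (both injectable); `page` is cast to
    int first, so a quote there just yields an error page."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    try:
        page = int(params.get("page", "1"))
    except ValueError:
        return "400 bad page"
    sql = (
        "SELECT name FROM products WHERE category = '%s' AND brand = '%s' "
        "LIMIT 10 OFFSET %d"
        % (params.get("category", ""), params.get("brand", ""), (page - 1) * 10)
    )
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return "500 internal error"
    return "\n".join(r[0] for r in rows) or "no results"


# --- the probe -----------------------------------------------------------
TRUE_SUFFIX = "' AND '1'='1"   # should leave the response unchanged
FALSE_SUFFIX = "' AND '1'='2"  # should change it if the quote breaks out


def find_injectable_params(url: str, send=fake_backend) -> list:
    """Return the names of ALL query parameters that show a boolean-based
    SQLi signal.  `send` takes an encoded query string and returns the
    response body; it defaults to the constructed backend above."""
    base_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    baseline = send(urlencode(base_params))
    hits = []
    for index, (name, value) in enumerate(base_params):
        def mutated(suffix):
            probe = list(base_params)
            probe[index] = (name, value + suffix)
            return send(urlencode(probe))

        true_resp = mutated(TRUE_SUFFIX)
        false_resp = mutated(FALSE_SUFFIX)
        # Signal: always-true probe looks like the baseline, always-false
        # probe does not.  A parameter that errors on both is not flagged.
        if true_resp == baseline and false_resp != baseline:
            hits.append(name)
        # Deliberately no `break`: every parameter gets tested.
    return hits


if __name__ == "__main__":
    target = "https://target.example/products?category=shoes&brand=acme&page=1"
    print(find_injectable_params(target))
```

Against the constructed backend this reports both `category` and `brand` and correctly skips `page`; the same loop structure is what you want when checking a reported endpoint for parameters nobody has claimed yet.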
Escalate Access Control Issues:
Someone has reported an access control issue where you can directly access a privileged endpoint without authentication using forced browsing.
Go and check what else you can do on these endpoints: maybe there is stored XSS, maybe there is SQLi, maybe there is a way to upload your own shell. Keep digging. As long as you didn’t need an authentication bypass to reach the endpoint and the vulnerability categories are in scope, these endpoints can be attacked until they’re put out of scope.
Look For Similarly Named Endpoints:
You’ve seen SQLi was fixed on an endpoint on an aged target, and it definitely is fixed, because you’ve tested it yourself. Go and look for similarly named variations of that endpoint in the same directory, or even on other subdomains; you never know what you’ll find.
Consider additional file extensions too. You never know: endpoint.ext.old.txt might exist with credentials or other goodies that help you identify a new vulnerability!
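The two tips above (similarly named endpoints, and backup or alternate extensions) boil down to generating a list of candidate paths from the one you already know. Here is an added example of such a generator (not code from the original post). The name patterns and suffix lists are my own picks rather than anything the post prescribes, and `/api/v1/export.php` is a made-up path; feed the output to whatever content-discovery tool you already use.

```python
"""Generate similarly named / backup-extension variants of a known endpoint.
Added example; path and variant lists are illustrative, not exhaustive."""
import posixpath

# Name variations of the file stem (export -> export_old, old_export, ...).
NAME_PATTERNS = [
    "{stem}", "{stem}2", "{stem}_old", "{stem}_new", "{stem}_bak",
    "{stem}_test", "{stem}-copy", "old_{stem}", "new_{stem}",
]

# Trailing suffixes that editors, deploy scripts and admins leave behind.
# "" keeps the original extension so the name variations are tried alone;
# ".old.txt" is the endpoint.ext.old.txt case from the text.
BACKUP_SUFFIXES = ["", ".old", ".bak", ".orig", ".txt", ".old.txt", "~"]


def endpoint_variants(path: str) -> list:
    """Return candidate paths derived from `path` (a file-style URL path
    such as /api/v1/export.php).  The original path itself is excluded and
    the result is de-duplicated while preserving generation order."""
    directory, filename = posixpath.split(path)
    stem, ext = posixpath.splitext(filename)
    seen = set()
    candidates = []

    def add(name: str) -> None:
        candidate = posixpath.join(directory, name)
        if candidate != path and candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)

    for pattern in NAME_PATTERNS:
        name = pattern.format(stem=stem)
        for suffix in BACKUP_SUFFIXES:
            add(name + ext + suffix)
    return candidates


if __name__ == "__main__":
    for candidate in endpoint_variants("/api/v1/export.php"):
        print(candidate)
```

Run it on the fixed endpoint’s path and check each candidate on the same host and on sibling subdomains; a 200 on something like `/api/v1/export.php.old.txt` is exactly the kind of leftover the tip is about.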
Nothing too groundbreaking, but a few simple tips to consider when you’re totally stuck for ideas.
Good luck, happy hunting, and don’t forget to take a break!