Over the years, I have seen some confusion over the purpose and usage of the custom HTTP header X-Bug-Bounty. Today, I want to clarify what it’s for and how it SHOULD be used.

I will also show you how to configure your Burp Suite sessions to automatically inject this header in your HTTP requests when conducting security research against targets within a Bug Bounty program.

Here we go…

What is the X-Bug-Bounty Header?

Here’s the thing. Any time you see an HTTP header that starts with “X-”, you can refer to it as a custom header. These headers are typically used for purposes not covered by the standard HTTP/1.1 headers defined by the Internet Engineering Task Force (IETF).

The history of this is more nuanced. The “X-” used to mean the header was experimental. Over time, it’s come to represent non-standard headers that can represent anything the developer (or hacker) wants.

In this context, the X-Bug-Bounty header is used in several ways to describe entities related to a Bug Bounty Program. There is no standard definition. But it has significance for security researchers that you should know about.

Let’s talk about it.

X-Bug-Bounty in RESPONSE headers

When you see the X-Bug-Bounty header in a server response, it usually includes URLs or plain text information that discloses where you can get more information on the defined Bug Bounty Program and scope. 

This is rarely used anymore. The security.txt standard is usually a more preferred way to describe this.

When you do see it in the HTTP response, you know that the organization is committed to responsible disclosure and is telling you where to get more information on how to find and report vulnerabilities in their systems.

X-Bug-Bounty in REQUEST headers

When you see the X-Bug-Bounty header in a client request, it usually includes a unique identifier that allows server administrators and security teams to identify the person making the request. This might be an email address or a unique identifier like a customer or client ID. 

Many Bug Bounty Programs require this header to be used when conducting good-faith security research on their servers.

When hackers include it in their HTTP requests, it signals to the server administrators that you are trying to responsibly identify your traffic during an engagement and that you are respecting the process. 

The thing is, it can’t be the ONLY form of attribution. It’s easy enough to forge this header and be identified as someone else.

I’ve never shared this before, but I did that once during a King of the Hill competition. I got a competitor disqualified by forging traffic to look like it was coming from him. I gained a foothold on a tertiary server and used it to launch brute-forced login attempts against a target. The competition rules explicitly stated that using brute-force tools on credentials was grounds for disqualification. I leveraged Hydra’s custom header option to include the competitor’s ID in the X-Bug-Bounty header, then left the server running against rockyou.txt, knowing it would fail. This flooded the server and cluttered the logs, all while I focused on taking down the actual target.

Yeah, I was a bit of an ass. I felt guilty for a few minutes. I bought him a beer and we laughed, cried, and moved on. But it goes to show, you can’t RELY on the X-Bug-Bounty header for identification.

The purpose and value of the X-Bug-Bounty header still make it worth including. Just don’t include it in traffic you don’t want attributed to you (like directory bruteforcing and other mass recon traffic flows) lol  

How to inject X-Bug-Bounty headers into your requests in Burp

Burp Suite makes it easy to massage data as it goes in and out of the attack proxy. Let me show you how to configure it to inject the X-Bug-Bounty header in all outgoing requests.

1. Click on the Proxy tab
2. Click on the Proxy settings button (by the gear)
3. Under Tools > Proxy, scroll down to HTTP match and replace rules
4. Click the Add button
5. For the “Type”, select Request header
6. Leave the “Match” field empty to add a new header
7. In the “Replace” field, enter in your custom header. Ie: X-Bug-Bounty: [email protected] 
8. Click OK to apply the setting.

Now any time a request goes through the Burp attack proxy, it will automatically modify the request and inject the header for you. If you look in the Proxy history and change the type from “Original request” to “Auto-modified request” it might look something like this:

One suggestion I have to ensure you only ever include this header for in-scope targets is to check the button in the settings to “Only apply to in-scope items”. This will help limit where this is injected. 

And since this setting is a Project setting it will stay with the project file you are working in. This means you can use custom identifiers where appropriate. As an example, you can use HackerOne’s email aliases and tailor the header by program using the plus sign, ie: [email protected].

Conclusion

So what do you think… easy enough to do? Do you use the X-Bug-Bounty header during your engagements? Hit me up on X and let me know. 

It takes little effort to use the header, but it can go a long way toward helping security triage track and understand your intentions regarding their apps and infrastructure. Including the header helps build trust as both sides start to work together to track traffic, payloads, and resulting vulnerabilities.

Is it the only way to do it? Of course not. Microsoft, for example, likes security researchers to include the string “MSOBB” in the account name and/or tenant name to identify it as being used for bug bounty hunting. But since it’s not a requirement, and is a recommendation that you can’t really change much after the fact, the X-Bug-Bounty header is a far easier way to approach it.

Hey, YMMV. In any case, now you know what it’s for, and how to use it. HTH.

One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.

The post Why the X-Bug-Bounty Header Matters for Hackers appeared first on Dana Epp's Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/why-the-x-bug-bounty-header-matters-for-hackers