Cybersecurity spotlight on bug bounty researcher @Ammar Askar

The GitHub bug bounty team is excited to close out Cybersecurity Awareness Month with another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program, @Ammar Askar!

As home to over 100 million developers and 372 million repositories, GitHub maintains a strong dedication to ensuring the security and reliability of the code that powers daily development activities. GitHub’s Bug Bounty Program continues to play a pivotal role in advancing the security of the software ecosystem, empowering developers to create and build confidently on our platform and with our products. We firmly believe that the foundation of a successful bug bounty program is built on collaboration with skilled security researchers.

Since its inception nine years ago, our bug bounty program has been a fundamental component of GitHub’s security strategy. This dedication is manifested through live hacking events, the revamp of our VIP bounty program, limited disclosures on HackerOne, expanding bounty targets, over $3.8 million in total rewards via HackerOne since 2016, and much more! As we continue to explore opportunities to make our program more exciting for the researchers to hack on, we also heard the feedback from our community and launched the GitHub Bug Bounty Merch Shop earlier this year, so now every submission can potentially also receive a swag bonus along with the bounty!

In our second security researcher spotlight, we’re excited to chat with another top contributor to GitHub’s Bug Bounty Program, @Ammar Askar, who specializes in privilege escalation and authentication/access control bugs and has found some very interesting and impactful issues throughout their research.

Can you share some insights into your journey as a bug bounty researcher? What motivated you to start and what has kept you coming back to it?

I’ve been interested in security about as long as I’ve been programming. My programming experience started with modding Minecraft, where I learned how a simple java exception in the wrong spot could take down a server for dozens of people.

A lot of my security skills were improved by playing CTFs (security competitions) during college. CTFs offer a great way to learn a broad set of domains: from forensics to web security to reverse engineering. After a while, I figured I should try to apply these new skills to bug bounty programs. I had heard great things about GitHub’s program and how responsive the security team is, so I decided to start there.

The thing that keeps me coming back is the puzzle-like aspect of hunting for security bugs. You investigate these systems and make up theories and try to exploit a security issue. When I’m looking at a codebase where I feel like a bug might exist, the process of experimenting and learning about it is really fulfilling.

What do you enjoy doing when you aren’t hacking?

Currently, I’m a very avid runner. I’ve run four races over the last year and it’s nice having a hobby that takes me away from screens and touching grass.

Aside from that, I do a decent amount of tinkering with electronics and 3D printing. Designing and making stuff that gets to live in the real world has its own charm.

How do you keep up with and learn about vulnerability trends?

I primarily keep up with security news through a few social media sources:

• The /r/netsec subreddit is a great source for general news and the most upvoted stuff on there tends to be high-quality articles discussing security techniques or vulnerabilities.
• The Google Project Zero blog does very deep dives into really interesting security issues, these tend to be mostly about low level memory safety.
• Talks given at DEFCON, which are viewable on their YouTube channel, are usually entertaining and great to have on in the background.
• A few Twitter accounts, for example, professor @matthew_d_green for cryptography. @LiveOverflow makes great YouTube videos and @David3141593 does great posts on reverse engineering.

What tools or techniques do you find most effective for discovering security vulnerabilities?

In terms of techniques, gathering as much information about a target is a great place to start. When I suspect a feature in a product might have a vulnerability, I try to look at its source code if I can, any user documentation or API documentation and blog posts about the feature and what it’s capable of.

You’ve found some complex and significant bugs in your work – can you talk a bit about your process?

When it comes to large software projects, my main theory on security bugs is they tend to fall in two camps.

• The first are the sort of intro level security issues we learn about, like SQL injection or XSS. These tend to be easy to find with some static analysis if you have source code access or automation. They can also be mitigated with safe-by-default libraries like prepared statements for SQL and DOMPurify for XSS, so they are rare in mature software.
• Secondly, the more interesting and complex bugs arise from when more code and more features get added to a software. With these new features, programmers need to understand and assume properties of a complex system. If you can find where these assumptions might be wrong, you can usually find a security bug.

To give a concrete example, when I was investigating CVE-2023-23761, which I reported to GitHub, it was kicked off by me learning that GitHub supports SSH certificate authentication. From this, I asked myself what would happen if an organization issues a certificate for a user not in their organization. Would the certificate magically work for that user’s repositories? Turns out not, it only allows access to that particular organization’s repositories. That meant I was out of luck but then I wondered where else you could use SSH on GitHub, and it turns out you can edit your gists as a Git repository! I gave it a shot and I could edit anyone’s gists with my fake certificate.

What are your favorite classes of bugs to research and why?

My favorite class is probably privilege escalation and authentication/access control bugs. It’s really cool to be able to trick a piece of software into giving you access to things it shouldn’t. These are also very rewarding in terms of impact as they can give you access to private data from other users.

Do you have any advice or recommended resources for researchers looking to get involved with bug bounty programs?

Get out there and try stuff practically. Learned a new technique from a video or a blogpost? Go test it out in your own little toy app, see what you can use to patch it and what the limitations are.

Don’t be disheartened if you don’t find bugs in really big bounty programs for mature software. Take it as a learning experience to discover how they mitigate issues. Reading write ups on previous bug bounties can help guide you and figure out where to look.

Also, brush up on your web and mobile security basics; that’s what most bug bounty programs involve. PortSwigger’s WebSecurity Academy is a great resource and playing CTFs can also teach you a lot.

Do you have any social media platforms you’d like to share with our readers?

My GitHub profile is @ammaraskar and my website and blog are at https://ammaraskar.com/.

Thank you, @Ammar Askar, for participating in GitHub’s bug bounty researcher spotlight! Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure, and we continue to welcome and appreciate collaboration with the security research community. So, if this inspired you to go hunting for bugs, feel free to report your findings through HackerOne.