HotDoc

  • $50 – $8,000 per vulnerability
  • Partial safe harbor

Important! New steps to access the program required! New domain at bugcrowd.hotdoc.com.au, and header-based identification now required

tl;dr

Security researchers must now test on the bugcrowd.hotdoc.com.au subdomain. To reach it, the header "Bugcrowd: 38fd3272-b289-4e03-9a90-8adf34cb5d95" must be sent with every request. The old subdomain and the VPN method of access no longer work.

For more information, keep reading, or check the program brief for more details.

What's changed?

A few things have changed around accessing the bug bounty's in-scope domain. The major changes are listed below; all three need to be taken into account in order to pen test successfully.

The domain

The in-scope domain has changed from the staging subdomain to the bugcrowd.hotdoc.com.au subdomain. Testing on any other domain is out of scope.

No VPN

The old way of identifying security researchers, and granting them access, was a "VPN" proxy server between the researcher and our server, so that we could allow a fixed IP address. This is no longer active and should no longer be used.

Header based

The new way of being granted access to the Bugcrowd subdomain is by attaching the header "Bugcrowd: 38fd3272-b289-4e03-9a90-8adf34cb5d95" to all requests.

Give me the details!

As mentioned above, all requests to the bugcrowd.hotdoc.com.au subdomain require the Bugcrowd header to be set with the correct value. The value is what identifies you as a researcher, so treat it like a credential: send it only to this subdomain.

Example

$ curl -I https://bugcrowd.hotdoc.com.au
HTTP/2 418

Above: a request to the subdomain without the header (curl -I sends a HEAD request) receives a 418 "I'm a teapot" status code. If you see 418 during testing, your tooling is not attaching the header, or is attaching the wrong value.

$ curl -I -H "Bugcrowd: 38fd3272-b289-4e03-9a90-8adf34cb5d95" https://bugcrowd.hotdoc.com.au
HTTP/2 200

Above: the same request with the custom header receives a 200 OK status code.

Of course, using only cURL to pen test would be a nightmare, so there are a few options that make this easier: Burp Suite "match and replace", a Burp Suite extension, or a Chrome extension.

Burp Suite "Match and Replace"

If you are using Burp Suite as a proxy for your testing, it is possible to use the “Match and Replace” feature to automatically add the header to every request.

Under the “Proxy” panel, in the “Options” tab (“Proxy settings” in newer Burp versions), there are options for “Match and Replace”. If you click “Add”, you can specify a rule of type “Request header”. Leave the Match condition blank and put the full header line (“Bugcrowd: 38fd3272-b289-4e03-9a90-8adf34cb5d95”) in Replace; an empty match adds a new header rather than modifying a header that is already present.

Once enabled, the rule adds that header to every request that goes via the proxy. Note that proxy match and replace rules are not limited to your target scope, so the header will be sent to every host you browse through Burp; keep other browsing out of the proxy, or use one of the scoped options below.

Using a Burp Suite Extension

The Add Custom Header extension for Burp Suite will allow you to “Add or update custom HTTP headers from session handling rules”. This might be preferable to the “Match and Replace” option shown above, because a session handling rule can be restricted to your target scope and to particular tools (Proxy, Repeater, Scanner, Intruder), so the header is attached only to requests for bugcrowd.hotdoc.com.au.

Using a Chrome Extension

If you’re not using Burp Suite, another option is the Chrome extension ModHeader.

This will allow you to browse via Chrome and send the custom header through. You will probably want to configure it to send the header only for the bugcrowd.hotdoc.com.au subdomain, either through the filter configuration in the extension itself, or by granting the extension site access only for that subdomain in Chrome's built-in extension settings. Otherwise the header, and your researcher identifier with it, goes to every site you visit.
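A fourth option, added here as a worked example rather than something from the HotDoc program brief, is a mitmproxy addon. It shows the scoping point made above in code: the header is attached only when the request host is exactly bugcrowd.hotdoc.com.au, so staging, production or unrelated hosts never see the token. The host, header name and value are the ones from the brief; the function and class names are this example's own.

```python
"""
mitmproxy addon that attaches the Bugcrowd identification header only to
requests for the in-scope host.  Run with:

    mitmproxy -s bugcrowd_header.py

then point your browser or tool at the proxy (default 127.0.0.1:8080).

Added example, not part of the HotDoc/Bugcrowd program brief.  The
constants below are taken from the brief; should_tag, tag_headers and
BugcrowdHeader are names chosen for this example.
"""

IN_SCOPE_HOST = "bugcrowd.hotdoc.com.au"
HEADER_NAME = "Bugcrowd"
HEADER_VALUE = "38fd3272-b289-4e03-9a90-8adf34cb5d95"


def should_tag(host: str) -> bool:
    """True only for the exact in-scope host.

    Comparison is case-insensitive and tolerates a trailing dot.  A suffix
    match on hotdoc.com.au is deliberately NOT used: it would also tag the
    old staging host and production, which are out of scope and must not
    receive the token.
    """
    return host.rstrip(".").lower() == IN_SCOPE_HOST


def tag_headers(host: str, headers: dict) -> dict:
    """Return a copy of `headers` with the Bugcrowd header set iff `host` is in scope.

    An existing header of the same name is overwritten, so a stale or
    mistyped value left behind by another tool cannot slip through.
    """
    out = dict(headers)
    if should_tag(host):
        out[HEADER_NAME] = HEADER_VALUE
    return out


class BugcrowdHeader:
    """mitmproxy addon: `request` is called for every client request
    before it is forwarded upstream."""

    def request(self, flow):
        # flow.request.host is the host the request is being sent to (from
        # the URL, or from the CONNECT target for proxied HTTPS).
        if should_tag(flow.request.host):
            flow.request.headers[HEADER_NAME] = HEADER_VALUE


# mitmproxy discovers addons through this module-level list.
addons = [BugcrowdHeader()]
```

Because the decision lives in should_tag, the same check can be reused from a plain script (for example, wrapping a requests session) without running mitmproxy at all; the proxy is just the most convenient place to apply it to a browser.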

Thanks for reading, and, we really appreciate all the hard work you're all doing on our program, keep it up!!