Gateway Internal Network Testing is a critical component of bug bounty programs or pentests, aimed at identifying and mitigating security vulnerabilities within an organization’s internal network. Unlike external testing, which focuses on public-facing systems, internal testing via Gateway gives hackers access to pre-defined, private internal assets. This provides enhanced security controls, as testing is limited to what is allowlisted, and access is managed more closely. External access, on the other hand, generally involves more public or external-facing systems and offers fewer restrictions on network boundaries.
HackerOne grants ethical hackers and pentesters authorized access to the internal network during Gateway Internal Network Testing. These hackers use their skills to uncover potential security flaws that malicious actors can exploit. These activities give insights that help organizations fix vulnerabilities before attackers can exploit them.
Key aspects of Gateway Internal Network Testing within HackerOne programs include:
Scope Definition: Clearly delineating what can be tested by specifying IPs or entire CIDRs.
Access Provision: Granting ethical hackers the necessary permissions to access and explore the internal network securely without disrupting business operations.
Control and Compliance: Providing insights into testing activities through logs, enabling the organization to temporarily or permanently deny access to in-scope assets for one or more hackers. This ensures transparency, control, and adherence to program requirements.
By incorporating Gateway Internal Network Testing into programs, organizations can leverage the expertise of a global community of security researchers. This collaborative approach enhances the internal network's security posture and fosters a culture of continuous improvement and vigilance against emerging threats.
HackerOne Gateway Offerings
Our Gateway solution integrates with Cloudflare's Cloudflared tunnel, enhancing internal network testing services for bug bounty programs and penetration testing. This integration ensures encrypted, secure, and reliable remote access without complex VPN setups. Comprehensive logging and monitoring provide visibility into testing activities and real-time access control, keeping your internal assets secure while identifying and mitigating vulnerabilities.
This graphic shows a high-level representation of the architecture:
We offer two configurations to suit your needs: self-managed and Kali virtual machine.
Self-Managed Configuration Using Cloudflared
For organizations that prefer hands-on control, we provide a comprehensive guide to configure the Cloudflared tunnel yourself. This method lets you set up and manage the secure connection between your internal network and the testers. You retain full control over the configuration, ensuring that all traffic is encrypted and protected without the need for complex VPN setups. For technical details, please visit our Self-Managed Cloudflared Configuration page.
Using Custom Kali Virtual Machine
For those seeking a more streamlined approach, we offer a custom Kali VM pre-configured with the Cloudflared tunnel. This virtual machine is tailored for internal network testing, providing testers with a secure and ready-to-use environment. The custom Kali VM simplifies the process, eliminating the need for manual configuration and ensuring that all security measures are in place from the start. For technical details, please visit our Custom Kali Virtual Machine page.
Internal Assets Management
The internal assets can be added as in-scope assets via Asset Management. All in-scope private IP assets (RFC1918) specified in the Asset Management system are automatically added as internal routes to the Cloudflared tunnel.
This automatic integration allows program managers to manage these internal assets without additional configuration, streamlining the testing process.
IP/CIDR Minimization
The system consolidates adjacent IPs/CIDRs into the smallest possible ranges to optimize route management. This minimization process reduces the complexity of the route table while ensuring full coverage of the in-scope testing range. As a result, the internal routes shown on the Gateway internal testing page might not exactly match the list of assets in the asset management system but will still accurately represent the in-scope assets.
Example
If the following IPs/CIDRs are specified in the asset management:
10.0.0.0/8
10.1.0.0/16
172.16.0.0/12
192.168.0.0/24
192.168.1.0/24
The Gateway internal testing page might display a minimized list like:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/23
This consolidated range ensures comprehensive coverage while maintaining an efficient route table.
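The consolidation described above, as an added example that is not HackerOne's own code: it uses Python's standard ipaddress module to drop subsumed prefixes and merge adjacent siblings, and adds a coverage check a program manager can run to confirm the minimized route table reaches exactly the in-scope assets. It assumes the page's asset list plus one constructed public address, which must not become a route.

```python
import ipaddress

# RFC 1918 ranges: the page states only in-scope assets inside these are added
# as tunnel routes, so anything else is filtered out before minimization.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the page's asset list plus one public (documentation-range) address.
SAMPLE_ASSETS = ["10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/12",
                 "192.168.0.0/24", "192.168.1.0/24", "203.0.113.5/32"]


def minimize_routes(assets):
    """Return the smallest CIDR list covering every RFC1918 asset in `assets`.
    Subsumed networks (10.1.0.0/16 inside 10.0.0.0/8) are dropped and adjacent
    siblings (192.168.0.0/24 + 192.168.1.0/24) are merged into 192.168.0.0/23."""
    nets = [ipaddress.ip_network(a, strict=False) for a in assets]
    private = [n for n in nets if n.version == 4 and any(n.subnet_of(r) for r in RFC1918)]
    return [str(n) for n in ipaddress.collapse_addresses(private)]


def covers_exactly(assets, routes):
    """Check the route table matches the asset set: every asset lies inside some
    route (no lost scope) and every route lies entirely inside the assets (no scope creep)."""
    assets = [ipaddress.ip_network(x, strict=False) for x in assets]
    routes = [ipaddress.ip_network(x, strict=False) for x in routes]
    if not all(any(a.subnet_of(r) for r in routes) for a in assets):
        return False
    for r in routes:
        if any(r.subnet_of(a) for a in assets):
            continue  # route is one asset or a piece of one
        pieces = [a for a in assets if a.subnet_of(r)]
        # a merged route is valid only if the assets inside it rebuild it exactly
        if list(ipaddress.collapse_addresses(pieces)) != [r]:
            return False
    return True


def is_in_scope(ip, routes):
    """True if `ip` would be routed through the tunnel by the minimized route table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in routes)


if __name__ == "__main__":
    routes = minimize_routes(SAMPLE_ASSETS)
    print("routes:", routes)
    print("coverage ok:", covers_exactly(SAMPLE_ASSETS[:-1], routes))
```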
Cloudflared Tunnel Status
Once the tunnel has been created and authenticated using the instructions displayed in Program > Gateway > Internal Testing, the tunnel configuration and its routes are displayed on that page, along with the tunnel's health status.
| Health status | Description |
| --- | --- |
| Healthy | The tunnel is active and serving traffic through four connections to the Cloudflare global network. |
| Degraded | The tunnel is active and serving traffic, but at least one individual connection has failed. Further degradation in tunnel availability could risk the tunnel going down and failing to serve traffic. |
| Down | The tunnel cannot serve traffic as it has no connections to the Cloudflare global network. |
| Inactive | This value is reserved for tunnels that have been created but have never been run. |
Important Information
HackerOne Gateway uses a split tunnel rule. The WARP client routes traffic from the machine through the VPN according to the split tunnel rules, which include the RFC1918 addresses.
HackerOne does not enforce any rule that penetration testing teams must limit testing activities to the HackerOne Virtual Machine and its default settings.
The Split Tunnel Policy is crucial for controlling which traffic is routed through the Cloudflared tunnel during internal network testing. This feature ensures that hackers only access the systems designated as in-scope, preventing unintended access to other internal resources. By using this policy, organizations can isolate testing traffic to the intended assets, ensuring that out-of-scope systems remain protected.
For example, hackers and pentesters can run the tools locally, and the traffic will go through the VPN, making the in-scope assets reachable from the machine where WARP is active. HackerOne recommends granting testing teams as much flexibility as possible and practical for thorough testing and best results.
All HackerOne testers will use their <H1 username>@wearehackerone.com email to log in to the WARP client.
Limitations
All in-scope private IP addresses/CIDRs (under RFC1918) are added to the tunnel by default. The WARP client overwrites the routes on the network interface, so a pentester will lose proper access to other devices on their own local network whose private IP addresses fall within the in-scope ranges.