Published on April 30, 2017
1. [email protected] Bug Bounty Battlefield Null_Mumbai Humla Session
2. $$Bug_Bounty$$ #whoami • Sagar M Parmar • Active #$> Synack Red Team • <3 $$ Bug Bounties. • Working as a Security Analyst at Network Intelligence India Pvt. Lt • Chapter Leader of OWASP_Jodhpur • Email: [email protected] • Follow> https://twitter.com/sagarparmar121 [email protected]
3. $$> Bug Bounty <$$ • What is Bug Bounty? • I am new, how should I start? • How should I take It forward? • How should I become Pro? • What I should do when I am Pro? [email protected]
4. • What is bug bounty? Also calls as VRP (Vulnerability Reward Program) • Company (Security Team/Vendor) Improve Security, Business Grow, Create Program. Offer Cash , HOF , Swag. Acknowledge Your Work. • Researchers / Bug Hunter Hit Target and Get Bugs. Sometimes Duplicates , Sometime $$$ , Sometime Swag, Sometime HOF, Sometime Only Thanks :P Recheck Bug After Fix. [email protected]
5. • A Brief History of Bug Bounty Programs. [email protected] Google ~ 30k USD Facebook ~ 40k USD Yahoo ~ 15k USD PayPal, GitHub, AT&T, Twitter, Square, Mozilla, Microsoft etc. Well-known Platform, - 2012 - 2013 - 2013
6. [email protected] Popular Platform BugCrowd Managed Security Program for Company 27125 World Wide Researcher 250+ Programs HackerOne H1 Security Inbox for Company 200+ Public Program SynAck Private Bug Bounty Program Everyone Want To Join
7. [email protected] I am new, how should I start? Dont’s Do’s Learn about your target. Pick any company. Learn about it thoroughly. Its services. All subdomains All mobile applications. Monitor any changes. Read Program rules carefully. Expect learning something new. Give respect to Breakers Defenders Decisions I want money, I don’t care about your policy. But, that X company gives money for this. I will hack you to the death. F**k the repeater, I love Burp Scanner, Acunitix. I love cookies & session related bugs and version disclosure. SQLmap is good only when risk=3
8. [email protected] Have Some <Patience> • Duplicate • Wait for response time • Forget about submission. • Learn and find new Bugs • Find New target. • Go as deep as possible (Chain attack) • NEVER Ever run a Scanner. • Do Manual testing.
9. [email protected] Tips • Make a list for all type of vulnerability • Make a database for all type of targets. Like: php, asp, WordPress, apache, angulers. • Make a list for all public exploit. • Do fuzzing • Create Google Alerts for page change in list of bounty programs OR any other thing of your choice.
10. [email protected] Private Target • site:ohmylovelywebsite.com –repititive_pages -www - forums -answers -discussions • inurl: src|path|link|url • - filetype:asp|aspx|jsp|jspa|php • Intitle: bitcoin|money
11. [email protected] • Shodan - Computer Search Engine • Use this for finding domains/services which are not exposed.
12. [email protected] NerdyData>> Search Engine • Source Code Search Engine – Search for specific vulnerable codes. Any match with target site is good.
13. [email protected] Bing: IP Search
14. [email protected] Yandex: Awesome Search Engine.
15. [email protected] Bug Bounty Report Format Vulnerability Reporting ------------------------------ Vulnerability Name : Vulnerability Description & Impact : Vulnerable URL : Vulnerable Parameter : Payload Used : Steps to Reproduce : How to Fix (Recommandation) : Proof of Concept(Screenshot) : Or Video POC
16. [email protected] Private Target Approach Find support email id in website or with help of google and other search engine
17. [email protected] Wait for Response after submit vulnerability
18. [email protected] But I want more money.. • Look out for less exposed areas of site. • Injection Attacks _ every one doing it. • Authorization issues are hard to find, less duplicate. • Privilege escalations on a least exposed entity in the site have good chances of hitting a good bug.
19. [email protected] Much More Money… • Make a checklist of test cases. • Divide it in two parts. • Normal bugs • Everyone knows about them. • Abnormal bugs. • You / Someone else found this. • Only active researchers know about them.
20. ` [email protected] Hell lot of money… • Find more logical bugs. • ~ More mone • ~ Less Dupes • ~ More reputation • Read blogs. Voila! What a bug! I will test this too. • OMG! I tested this app too. Why I missed? • Be aware of every damn new test case to hit a bug. • One NEW + UNIQUE + CRITICAL bug to rule them all.
21. [email protected] How should I take It forward?
23. [email protected] XSS (Cross Site Scripting) Try Harder!! Lesser known tags and event handlers
24. [email protected] SQLi(Structed Query Language Injection) What: SQL injection is type of attack in which attacker passes some malicious query and exploit the backend (get) database information. What vulnerability. : Authentication bypass is vulnerability. Type: 3 types of SQL Injection: (1) union based, 2) error based 3) blind SQL injection. How To Check For SQL Injection? 1.Check any User Input with quotes(single ‘ or double “ or / ) if it breaks the SQL Query or not. 2.If some content is missing or an error is there then do further testing 3.Balance the SQL Query by using quotes and SQL Comments like (#,-- -) 4.Find The Number of Columns Used in table of the Running Query Eg: username=admin’order by 1-- - loads normally username=admin’order by 2-- - loads normally username=admin’order by 3-- - Gives Error/Content Missing Which means There are only 2 columns
25. [email protected] SQLi 5. Create/Join another row using Union clause Eg. Username=admin’ union select 1,2-- -// will create another row 6. False the Query by using some Boolean logic like : Eg. Username=admin’ and 1=2 union select 1,2-- -// will create another row This will make the Column(s) To be shown in the Page 7.Now You can Extract The information by using SQL Queries in the visible column
26. [email protected] SSRF (Server Side Request Forgery) • Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. • Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it’s possible to access these systems). • With SSRF it’s also possible to access services from the same server that is listening on the loopback interface. How to Look for SSRF? 1.Check For Different Requests where some parameters contains some URL To External/ Internal hostname/IP. 2.We could try putting our own IP/hostname in that parameter and Simply Check your Server Logs. 3.If there is a Request in logs from their IP then You need to Look for internal services. 4.You can do various stuffs like Port scanning, Fingerprinting Services and also use their Server As a proxy to attack others. 5.You Can Enter http://localhost:port to check for services or if its blocked then you could use 127.0.0.1 or also you could use IPv6 localhost : http://[::]:port
27. [email protected] LFI (Local File Inclusion) Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. How To Check for Inclusion Vulnerabilities? 1.Check For parameters where you feel there’s another file included Eg: http://www.site.com/?page=somepage http://www.site.com/?file=somepage.php 2. Use file:// protocol or Directory Traversal techniques to read files like : Eg: http://www.site.com/?page=../../../../../../etc/passwd #for *nix http://www.site.com/?page=C:/Windows/System32/drivers/etc/hosts #for Windows 3. Also you could use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts 4. For PHP specific applications you could use php://filter wrapper to read files too. 5. It Could be used to Escalate to RCE in some cases where you are able to include external files Or use data: wrapper(Remote File Inclusion)
28. [email protected] Remote Code Execution (RCE) Remote Code Execution can be defined as In computer security, arbitrary code execution or remote code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It happens When a user input is unvalidated and directly used in Command line arguments or in Eval-ish like functions. How to Check For RCE? 1.Fuzz Every possible parameters/User Inputs for Command Execution. 2.Vulnerabilites like RCEs are found much more when source code is there. 3.Functionalities like “pinging”, “dns” lookups should be tested well for RCE. 4.Various Ways for testing command execution: 1. Pipes(|) or ||(double pipes) eg: ||ls 2. Ampersand (&) or double Ampersand(&&) eg. & dir 3. $(ls) /* For *nix only 4. (Backticks) `ls` /* For *nix only */ 5. May be some switches/options could be used related to Running commands
29. [email protected] How should I become PRO? • Follow Top Researchers • Read blogs • Read about vulnerability • Create your own logics • Follow twitter
30. [email protected] Reference Links or researcher blogs XSS & Sqli:> http://securityidiots.com http://www.pwntester.com https://www.hackerone.com/resources/hack-learn-earn www.geekboy.ninja https://blog.bugcrowd.com/topic/bug-hunter-tips-and- tricks Publiclydisclosed hackerone All top Researcher blogs and twitter account.
31. [email protected] Challenge>> cAPTURE tHE fLAG (CTF) 3L33t time starts :P
32. [email protected] http://securityidiots.com/ null.co.in owasp.org
33. [email protected] https://github.com/infosecninjaa/Bug_bounty_nulll