Testers, get into security bug bounties!

An introductory presentation for testers with the scope of motivating to try security bug bounties. It is less theoretical and focuses on practical tips. It is intended to be structured in a way that presents security bug hunting in a non-intimidating way (no super hacking skills needed necessarily, no certifications needed)


Published in: Technology

  1. Testers, get into security bug bounties! by Eusebiu Blindu, CzechTest 2013
  2. I am a tester, not a security expert
  3. http://www.utest.com/
  4. • potential cash
     • some reputation
     • experience
     • skill improvement
  5. • "It's hard and I never did security stuff before" (psychological)
     • "I don't have the skills" (technical)
     • "I don't have time, I have to do something else, I can't fit it in my schedule" (logistics)
  6. • you don't have to totally hack exposing a major flaw in order to be rewarded in security bug bounties
     • you don't have to know that "much" to get started in sending bug reports
     • you don't need to be an expert in the field of security
  7. • Try to find small vulnerabilities
     • Try bug bounty programs that don't offer cash, only mentions
     • Try to read blogs containing reports of already rewarded bugs
  8. • A tester has the reflex of finding and sending general bug reports
     • Can send "without shame" a bug report without fear of rejection
     • Has a lot of skills that can be focused on security
  9. Reasons:
     • it is usually rewarded by every bug bounty program
     • most feasible to look for (considering time spent, chances of finding and the reward value)
     • for testers it should be easy, because there is not too much new technical knowledge
  10. (for testers to understand) Simply put: "Make the website pop up a window with your desired message on the vulnerable domain by inserting an input" (but read more about it on the "internets"...)
  11. (... a tester might ask)
     • With an XSS you can attack other users (not the server)
     • It's one of the most common attacks
  12. 1) Attacker sends an email with a link to the victim
     2) Victim clicks on the link
     3) Attacker steals the session cookie and has access to the victim's account
  13. • error pages
     • server banner pages
     • clickjacking
  14. • paid much more
     • harder to find
     • requires more "out of the box" thinking
     • needs a little bit of luck
     • can be found as a result of one or more low-level bug findings
  15. • https://www.site_to_be_tested.com/
     • https://www.site_to_be_tested.com/download?filename=D://www_content/reports/12_01_2010.csv
  16. • Main tool should be your brain
     • Scanners: Acunetix WVS, Burp Suite Pro, DirBuster, sqlmap
     • Visibility: Fiddler2
     • Flash: HP SWFScan
     • ... and Google Advanced Search
  17. • it will show you types of bugs on a website that you might not be familiar with
     • do a crawl of a website
     • do certain activities faster than you
     • occasionally find small or medium bugs that are rewardable
  18. • think like a human
     • find major flaws
     • it will find lots of false positives (fake bugs)
     • guarantee a totally safe product
  19. Recommendation: You can use the tool in the beginning, after you have identified an area. Then go try manually with complex steps and deeper investigation.
  20. Battlefield = bug bounty attack field; small plan = know where you can search for bugs
  21. • more chances to find bugs in newer bug bounty programs
     • more chances to find bugs in newly added functionalities
     • more chances to find bugs in products that are part of new acquisitions
  22. • you have to be faster than the competition, especially at the beginning of a new bug bounty program
     • you have to be more creative than the competition to find complex issues
  23. • you can learn from what others already reported before you
     • a little bit of healthy competition increases motivation
     • the application will seem easier to hack after you have seen someone else doing it
  24. • read the requirements and see what is rewardable
     • list all the rewardable domains
     • list all the rewardable subdomains (see if Android or iOS platforms are rewardable etc.)
  25. • read bug bounty requirements
     • read about the product (on the main website for example)
     • read what was rewarded (social media, blogs, news articles)
     • similar domains to the known valid ones
     • whois records for domains belonging to the same company
     • decrypt data from the client app (Desktop, Android, iOS)
  26. • DNS records lookup
     • similar IPs (consecutive) to other valid subdomains
     • brute force for possible subdomain names "qa.domain.com, db.domain.com"
     • Google search: "site:domain.com", "site:domain.com -site:www.domain.com"
     • data analysed (image files on the main site are listed on a different unknown subdomain)
  27. Just send something!
  28. • tools (they help, but they're not the main thing)
     • learning about the business logic and complex functionality helps
     • similar bugs in another area could exist
     • the same techniques work differently for different people
  29. • hack the database by finding credentials using scanners and manually analyzing files
     • hack the database credentials by decompressing a Flash file
     • hack the database credentials by using an unfiltered download functionality
  30. • keep an open mind (avoid "I will use only Ubuntu")
     • overcome fear of succeeding (subconscious fear of winning, fear of envious reprisals at the workplace)
     • see more ideas and approaches (social media)
     • avoid the "expert complex" (fear of trying "stupid" stuff)
  31. • social media can help you
     • your personal standards go higher so you aim for higher
  32. • there are not too many testers to promote it
     • the current format of bug bounties is new
     • seen as a separate domain
  33. Give a try to security bug bounties and... see if it works for you
  34. Thanks!
     Eusebiu Blindu
     http://www.testalways.com
     eusebiu.blindu@testalways.com
     @testalways