Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Bug bounty null_owasp_2k17


Published on

Bug Hunting Battlefield_Null_Mumbai_Humla_29_April2017

Published in: Engineering

Bug bounty null_owasp_2k17

  1. 1. Bug Bounty Battlefield Null_Mumbai Humla Session
  2. 2. $$Bug_Bounty$$ #whoami • Sagar M Parmar • Active #$> Synack Red Team • <3 $$ Bug Bounties. • Working as a Security Analyst at Network Intelligence India Pvt. Lt • Chapter Leader of OWASP_Jodhpur • Email: • Follow>
  3. 3. $$> Bug Bounty <$$ • What is Bug Bounty? • I am new, how should I start? • How should I take It forward? • How should I become Pro? • What I should do when I am Pro?
  4. 4. • What is bug bounty? Also calls as VRP (Vulnerability Reward Program) • Company (Security Team/Vendor) Improve Security, Business Grow, Create Program. Offer Cash , HOF , Swag. Acknowledge Your Work. • Researchers / Bug Hunter Hit Target and Get Bugs. Sometimes Duplicates , Sometime $$$ , Sometime Swag, Sometime HOF, Sometime Only Thanks :P Recheck Bug After Fix.
  5. 5. • A Brief History of Bug Bounty Programs. Google ~ 30k USD Facebook ~ 40k USD Yahoo ~ 15k USD PayPal, GitHub, AT&T, Twitter, Square, Mozilla, Microsoft etc. Well-known Platform, - 2012 - 2013 - 2013
  6. 6. Popular Platform BugCrowd Managed Security Program for Company 27125 World Wide Researcher 250+ Programs HackerOne H1 Security Inbox for Company 200+ Public Program SynAck Private Bug Bounty Program Everyone Want To Join
  7. 7. I am new, how should I start? Dont’s Do’s Learn about your target. Pick any company. Learn about it thoroughly. Its services. All subdomains All mobile applications. Monitor any changes. Read Program rules carefully. Expect learning something new. Give respect to Breakers Defenders Decisions I want money, I don’t care about your policy. But, that X company gives money for this. I will hack you to the death. F**k the repeater, I love Burp Scanner, Acunitix. I love cookies & session related bugs and version disclosure. SQLmap is good only when risk=3
  8. 8. Have Some <Patience> • Duplicate • Wait for response time • Forget about submission. • Learn and find new Bugs • Find New target. • Go as deep as possible (Chain attack) • NEVER Ever run a Scanner. • Do Manual testing.
  9. 9. Tips • Make a list for all type of vulnerability • Make a database for all type of targets. Like: php, asp, WordPress, apache, angulers. • Make a list for all public exploit. • Do fuzzing • Create Google Alerts for page change in list of bounty programs OR any other thing of your choice.
  10. 10. Private Target • –repititive_pages -www - forums -answers -discussions • inurl: src|path|link|url • - filetype:asp|aspx|jsp|jspa|php • Intitle: bitcoin|money
  11. 11. • Shodan - Computer Search Engine • Use this for finding domains/services which are not exposed.
  12. 12. NerdyData>> Search Engine • Source Code Search Engine – Search for specific vulnerable codes. Any match with target site is good.
  13. 13. Bing: IP Search
  14. 14. Yandex: Awesome Search Engine.
  15. 15. Bug Bounty Report Format Vulnerability Reporting ------------------------------ Vulnerability Name : Vulnerability Description & Impact : Vulnerable URL : Vulnerable Parameter : Payload Used : Steps to Reproduce : How to Fix (Recommandation) : Proof of Concept(Screenshot) : Or Video POC
  16. 16. Private Target Approach Find support email id in website or with help of google and other search engine
  17. 17. Wait for Response after submit vulnerability
  18. 18. But I want more money.. • Look out for less exposed areas of site. • Injection Attacks _ every one doing it. • Authorization issues are hard to find, less duplicate. • Privilege escalations on a least exposed entity in the site have good chances of hitting a good bug.
  19. 19. Much More Money… • Make a checklist of test cases. • Divide it in two parts. • Normal bugs • Everyone knows about them. • Abnormal bugs. • You / Someone else found this. • Only active researchers know about them.
  20. 20. ` Hell lot of money… • Find more logical bugs. • ~ More mone • ~ Less Dupes • ~ More reputation • Read blogs. Voila! What a bug! I will test this too. • OMG! I tested this app too. Why I missed? • Be aware of every damn new test case to hit a bug. • One NEW + UNIQUE + CRITICAL bug to rule them all.
  21. 21. How should I take It forward?
  22. 22. XSS (Cross Site Scripting) Cross site script a type of attack attacker can injection malicious script in web application whether these script many type like java, xml, html. By this attacker can get so many things like cookies stealing, change content, phishing and many things. Payload: “><script>alert(1)</script> /*is this blocked? try other payload and check the behaviour of WAF*/ “><img src=x onerror=alert(1)> “><svg/onload=alert(1)> <a href=javascript:alert(1)>helloxss Also try other event handlers like: (onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur… many more…) Payload: Test” onfocus=alert(1) autofocus=“
  23. 23. XSS (Cross Site Scripting) Try Harder!! Lesser known tags and event handlers
  24. 24. SQLi(Structed Query Language Injection) What: SQL injection is type of attack in which attacker passes some malicious query and exploit the backend (get) database information. What vulnerability. : Authentication bypass is vulnerability. Type: 3 types of SQL Injection: (1) union based, 2) error based 3) blind SQL injection. How To Check For SQL Injection? 1.Check any User Input with quotes(single ‘ or double “ or / ) if it breaks the SQL Query or not. 2.If some content is missing or an error is there then do further testing 3.Balance the SQL Query by using quotes and SQL Comments like (#,-- -) 4.Find The Number of Columns Used in table of the Running Query Eg: username=admin’order by 1-- - loads normally username=admin’order by 2-- - loads normally username=admin’order by 3-- - Gives Error/Content Missing Which means There are only 2 columns
  25. 25. SQLi 5. Create/Join another row using Union clause Eg. Username=admin’ union select 1,2-- -// will create another row 6. False the Query by using some Boolean logic like : Eg. Username=admin’ and 1=2 union select 1,2-- -// will create another row This will make the Column(s) To be shown in the Page 7.Now You can Extract The information by using SQL Queries in the visible column
  26. 26. SSRF (Server Side Request Forgery) • Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. • Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it’s possible to access these systems). • With SSRF it’s also possible to access services from the same server that is listening on the loopback interface. How to Look for SSRF? 1.Check For Different Requests where some parameters contains some URL To External/ Internal hostname/IP. 2.We could try putting our own IP/hostname in that parameter and Simply Check your Server Logs. 3.If there is a Request in logs from their IP then You need to Look for internal services. 4.You can do various stuffs like Port scanning, Fingerprinting Services and also use their Server As a proxy to attack others. 5.You Can Enter http://localhost:port to check for services or if its blocked then you could use or also you could use IPv6 localhost : http://[::]:port
  27. 27. LFI (Local File Inclusion) Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. How To Check for Inclusion Vulnerabilities? 1.Check For parameters where you feel there’s another file included Eg: 2. Use file:// protocol or Directory Traversal techniques to read files like : Eg: #for *nix #for Windows 3. Also you could use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts 4. For PHP specific applications you could use php://filter wrapper to read files too. 5. It Could be used to Escalate to RCE in some cases where you are able to include external files Or use data: wrapper(Remote File Inclusion)
  28. 28. Remote Code Execution (RCE) Remote Code Execution can be defined as In computer security, arbitrary code execution or remote code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It happens When a user input is unvalidated and directly used in Command line arguments or in Eval-ish like functions. How to Check For RCE? 1.Fuzz Every possible parameters/User Inputs for Command Execution. 2.Vulnerabilites like RCEs are found much more when source code is there. 3.Functionalities like “pinging”, “dns” lookups should be tested well for RCE. 4.Various Ways for testing command execution: 1. Pipes(|) or ||(double pipes) eg: ||ls 2. Ampersand (&) or double Ampersand(&&) eg. & dir 3. $(ls) /* For *nix only 4. (Backticks) `ls` /* For *nix only */ 5. May be some switches/options could be used related to Running commands
  29. 29. How should I become PRO? • Follow Top Researchers • Read blogs • Read about vulnerability • Create your own logics • Follow twitter
  30. 30. Reference Links or researcher blogs XSS & Sqli:> tricks Publiclydisclosed hackerone All top Researcher blogs and twitter account.
  31. 31. Challenge>> cAPTURE tHE fLAG (CTF) 3L33t time starts :P
  32. 32.
  33. 33.