The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016


Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest-ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas, and, without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies send him money without any reason, and why Doctors Without Borders are trying to hunt him down.



  1. detectify: The Secret Life of a Bug Bounty Hunter. Frans Rosén, @fransrosen
  2. Frans Rosén, "The Swedish Ninja". Knowledge Advisor @detectify (twitter: @fransrosen). Blog at labs.detectify.com. HackerOne #6 @ hackerone.com/thanks. Highest paid out bounty on H1: $30k
  3. Rundown: 1. Background 2. Approaching a target 3. Free money 4. Automation 5. Browsers 6. End
  4. How it started
  5. THEN I FREAKED OUT, etc.…
  6–7. Thailand
  8. How it actually started
  9. Approaching a target
  10. SWFs
  11. Facebook Connect. By @nirgoldschlager and @homakov:
      http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html
      http://www.breaksec.com/?p=6039
  12. Facebook Connect:
      https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://www.example.com/login
  13. Facebook Connect:
      https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://xxx.example.com/yyy
      No restrictions!
  14. Open Redirect:
      https://www.victim.com/account/logout?redirect_url=https://example.com@www.victim.com
      https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings
      https://vimeo.com/log_in?redirect=/%09/example.com
      https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x
      https://trello.com/login?returnUrl=/example.com
  15–18. Firefox… Chrome: Invalid. Safari: Domain not found. Firefox: example.com!
      https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/ (CVE-2015-7195)
  19–23. Firefox + Prezi…
      https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com
      HTTP/1.1 301
      Location: //example.com%0a%23.prezi.com
      Used as redirect_uri:
      https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&response_type=token&redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com&client_id=298315034451
      NOO! :(
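The open-redirect and redirect_uri slides above all turn on the same mistake: the server checks the string it received, while the browser navigates to whatever its URL parser makes of it. The following is an added example, not code from the talk or from any of the sites named on the slides. The host names are placeholders, `weakCheck` models the kind of validation the slides show being bypassed (an assumption, not a description of any site's code), and `resolvedHost` uses the WHATWG URL parser that ships in Node and Chromium; the mfsa2015-129 slide shows that Firefox at the time landed somewhere else again on the `example.com%2f@` shape.

```javascript
// Added example for the Facebook Connect / open-redirect slides; not code from
// the talk. Host names are placeholders; the weak check is an assumption about
// what lax validation typically looks like.

const ALLOWED_ORIGIN = 'https://www.victim.com';

// Weak check, as many apps do it: accept path-relative values, or anything that
// mentions our host somewhere in the string.
function weakCheck(target) {
  const pathRelative = target.startsWith('/') && !target.startsWith('//');
  return pathRelative || target.includes('www.victim.com');
}

// Where a WHATWG-parser browser would actually land when handed the value.
function resolvedHost(target) {
  try {
    return new URL(target, ALLOWED_ORIGIN + '/').hostname;
  } catch (e) {
    return null;
  }
}

// Strict check: refuse control characters before parsing (the URL parser silently
// strips tab and newline, which is exactly what the %09 and %0a payloads rely on),
// refuse userinfo (the "example.com@www.victim.com" shape), then require that the
// resolved origin is ours. Resolving against our own origin means "/path" stays
// on our host while "//host" and "https://host" do not.
function strictCheck(target) {
  if (/[\u0000-\u001f\u007f]/.test(target)) return false;
  let u;
  try {
    u = new URL(target, ALLOWED_ORIGIN + '/');
  } catch (e) {
    return false;
  }
  if (u.username !== '' || u.password !== '') return false;
  return u.origin === ALLOWED_ORIGIN;
}

// Constructed inputs modelled on the payload shapes on the slides, as they look
// after the server has URL-decoded the query parameter once (%09 -> tab, %0a -> LF).
const SAMPLES = [
  'https://www.victim.com/account',                 // legitimate
  'https://example.com@www.victim.com',             // userinfo before our host
  'https://example.com%2f@www.victim.com/settings', // same, with an encoded slash
  '/\t/example.com',                                // tab stripped by the parser -> //example.com
  '//example.com:%2f@www.victim.com/x',             // credentials before "our" host
  '//example.com\n#www.victim.com',                 // newline stripped -> our host ends up in the fragment
  'https://www.victim.com.example.com/',            // our host as a label of another
];

function evaluate() {
  return SAMPLES.map(t => ({
    target: t,
    weak: weakCheck(t),
    host: resolvedHost(t),
    strict: strictCheck(t),
  }));
}

console.table(evaluate());
```

Every payload row passes `weakCheck` and fails `strictCheck`; the `host` column shows where the browser would go, which for the tab and newline rows is `example.com` even though the raw string never contained a scheme-relative `//example.com`. For the OAuth case on slides 12–13 the same rule applies to the provider's side: `redirect_uri` has to be compared by exact match against the registered value, because any prefix or host-only match makes every open redirect on that host an OAuth token leak.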
  24. Try the app + proxy
  25. Note during the walkthrough: Structure of IDs. Numeric? ID hashes visible cross accounts?
  26. Hashed IDs publicly available. Update other users / Get user info. IDs as hashes, but visible using Google. No check if user was in another company. Bounty $3,000. https://hackerone.com/reports/23126
  27. 3rd-party scripts. Patterns to search for: (get)?(query|url|qs|hash)param and location.(hash|href|search).match
  28. 3rd-party scripts:
      k.type='text/javascript';
      var m,src=(m=location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);
      k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';
  29. 3rd-party scripts
  30. Paywalls
  31–32. CSP bypass: script-src 'self' https://ajax.googleapis.com. https://html5sec.org/minichallenges/3
      <script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
  33–34. CSP bypass: script-src 'self' https://cdn.mxpnl.com
  35–36. CSP bypass: script-src 'self' https://www.googleadservices.com
  37. CSP bypass
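The CSP slides share one lesson: an allowlisted third-party host is only as strong as the least trustworthy thing it serves. `ajax.googleapis.com` serves every historical AngularJS build, so a page that allows it can be made to load `angularjs/1.0.8/angular.js` and run attacker expressions through that version's template engine, all from an "allowed" origin. The following is an added example, not code from the talk: a small CSP parser and audit that flags the script-src entries the slides show being abused. The host list is taken from the slide titles only; the parser is written here and is not a library.

```javascript
// Added example for the CSP bypass slides; not code from the talk.
// Flags script-src sources that defeat the policy: inline/eval, any-origin
// schemes, wildcard subdomains, and the third-party hosts named on the slides.

const RISKY_SCRIPT_HOSTS = new Map([
  ['ajax.googleapis.com', 'serves arbitrary library versions (slide: angularjs/1.0.8/angular.js)'],
  ['cdn.mxpnl.com', 'listed on the CSP bypass slides'],
  ['www.googleadservices.com', 'listed on the CSP bypass slides'],
]);

// "directive source source; directive ..." -> Map(directive -> [sources])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSrc(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  return policy.get('default-src') || [];
}

// Host part of a source expression: optional scheme://, host, optional :port, optional /path.
function hostOf(source) {
  const noScheme = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return noScheme.split('/')[0].split(':')[0].toLowerCase();
}

function auditScriptSrc(header) {
  const findings = [];
  for (const src of effectiveScriptSrc(parseCsp(header))) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'" || s === "'unsafe-eval'") {
      findings.push(`${src}: inline script or eval allowed`);
    } else if (s === '*' || s === 'https:' || s === 'http:' || s === 'data:') {
      findings.push(`${src}: any origin allowed`);
    } else if (s.startsWith("'")) {
      // 'self', 'none', 'nonce-...', 'sha256-...', 'strict-dynamic': keyword sources
    } else {
      const host = hostOf(s);
      if (host.startsWith('*.')) {
        findings.push(`${src}: wildcard, every subdomain is trusted for script`);
      } else if (RISKY_SCRIPT_HOSTS.has(host)) {
        findings.push(`${src}: ${RISKY_SCRIPT_HOSTS.get(host)}`);
      }
    }
  }
  return findings;
}

// Constructed policies: the shape from slides 31-32, and a nonce-based one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com";
const HARDENED_POLICY = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'";

console.log('weak:', auditScriptSrc(WEAK_POLICY));
console.log('hardened:', auditScriptSrc(HARDENED_POLICY));
```

The hardened policy has no host allowlist to bypass: scripts must carry the per-response nonce, and `'strict-dynamic'` lets those trusted scripts load their own dependencies without re-opening a CDN to the whole page. An audit like this only catches hosts you already know about; the slides' real method was to look at what each allowlisted host actually serves.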
  38. All ze subdomains!
  39–41. Subdomains
  42. Free money
  43–45. Facebook
  46. Facebook:
      POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1
      Host: public-api.wordpress.com

      cart[blog_id]=44444444
  47–48. Facebook
  49–54. Google XXE. https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/
  55–56. Square hidden payload
  57. Automation – Mr Roboto
  58. Collect:
      1. Collect all subdomains
      2. Sort by popularity
      3. Inject www between pop2 and pop1
      4. Use to scan further + deeper
      5. Every day. On all targets.
  59. Subdomains
  60. Collect:
      1. Make requests to all domains
      2. Save both headers + redirects + content
      x="streams/stream_pipe_$p"
      timeout 10 curl -sD - "http://$p" -L --insecure --max-time 5 > "$x"
  61. Retroactive searching
  63. Browser fun
  64. Safari – the special lil' snowflake ❄
  65–71. Safari 6… (67: *press enter*)
  72–79. Safari 8…
  80. Safari <= 8 Mixed Content UXSS:
      1. Find URL with Mixed Content
      2. Use fragment payload to inject clickable link in console
      3. SE to get user to open Inspect and click link
      4. ???
      5. PROFI-XSS-T!!!
  81. Safari 9: Nice!
  82–86. Safari 9 Host Header injection
  87. One more thing: "Best X ever"
  88–89. Best report: "Exploitable Self XSS at swagger.oculusvr.com using Clickjacking Game and bypassing of filter"
  90. Best response
  91. Best deal
  92–93. Best bug hunting day ever
  94. The Secret Life of a Bug Bounty Hunter. Frans Rosén (@fransrosen), www.detectify.com
