This document provides an introduction to studying, collecting, and finding bugs. It discusses how to collect bugs by following security mailing lists, bug bounty programs, security researchers on Twitter. It also discusses how to study bugs by analyzing code diffs between vulnerable and patched versions, building test environments, and documenting findings. The document then covers hunting for bugs by finding targets on sites like GitHub and HackerNews, setting up test environments, and optimizing hunting strategies based on collected bugs. Finally, it discusses responsible disclosure of bugs and some of the author's favorite bugs.

1. 1
Entomology
101
L o u i s N y f f e n e g g e r
L o u i s @ p e n t e s t e r l a b . c o m
@ s n y f f / @ P e n t e s t e r L a b
A n i n t r o d u c t i o n t o
s t u d y i n g , c o l l e c t i n g a n d
f i n d i n g b u g s . . .

2. 2
My job is to find, collect and study
bugs to teach people how they can
find, fix and exploit bugs.

3. 3
If you are like me, you are more
likely to find bugs by learning
existing patterns and derive from
them than by trying to discover a
completely new bug class.

4. 4
Collecting bugs
Follow (security) mailing lists from known big projects:
• Apache (announce@apache.org)
• Ruby-on-Rails (rubyonrails-security@googlegroups.com)
• ...
Mailing lists
Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters:
• Twitter account: https://twitter.com/disclosedh1
• Bugcrowd: inurl:https://bugcrowd.com/disclosures
• H1 Hacktivity https://hackerone.com/hacktivity
• Bug bounty write-ups from bug bounty hunters
Bug bounty disclosures

5. 5
Collecting bugs
Mailing lists

6. 6
Collecting bugs
Follow security researchers and bounty hunters:
• Too many to list
• Too risky to list and forget someone
• Try to find people who share information on bugs
• Try to find people with a high signal/noise ratio
Twitter
• Conferences and local meetups
• Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list
• Blogs (RSS)
• Reddit /r/netsec
• CTF
• ...
Other sources

7. 7
Studying bugs
1.Find the vulnerable version and the fixed version
2.Extract a diff to see the changes (literally a few clicks on GitHub)
3.Profit:
• You now know what the vulnerable code looks like
• You now know what the bug precisely is
• You have an idea on the exploitability of the issue
• You know how to properly (hopefully) fix this type of issues
• You learn a little bit about the codebase
Check the source code

8. 8
Studying bugs
Check the source code
Check the source code

9. 9
Studying bugs
• It allows you to learn how to deploy software
• Sometime it is just one command (thanks to docker/docker hub)
• Study someone's exploit
• Build your own exploit
• Exploit the issue
• Find more bugs in the same test environment
Build a test environment

10. 10
Studying bugs
• Try to find the same pattern in the same project
• Try to find the same pattern in other project
• Try to see what this pattern looks like in other languages/framework
Extrapolate
• Keep notes on the bug and source code
• Keep the exploit (and tools to run it)
• Maybe share this in a blog post
Document your findings

11. 11
Studying bugs
• Do a write-up/blog post
• Do a talk at work/school/local meetup
• Tweet about something people may not know/have realised
Share

12. 12
Hunting for bugs
• Bug Bounty programs (limited access to source code)
• GitHub trending (https://github.com/trending)
• DigitalOcean Marketplace (https://marketplace.digitalocean.com/)
• HackerNews
• ...
Finding your targets
• Build a test environment (with enhanced debugging if possible)
• Get familiar with the source code (if available)
• Pick few of the weird patterns for the language/framework used (based on your collecting)
• Spend hours in front of a computers
• Learn by actually searching for bugs!
• Remember your goal is not to find bugs, it is to learn how to find bugs!
Getting started

13. This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
13
Hunting for bugs
Going deeper

14. 14
Hunting for bugs
Going deeper
With a constant
30% drop rate
70%
49%
34%
24%
16%
11%
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"

15. With a constant
50% drop rate
50%
25%
13%
6%
3%
1.5%
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
15
Hunting for bugs
Going deeper

16. Optimizing based
on your bug
collection
This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
16
Hunting for bugs
Learn from your bug collection

17. This is an
✌
encrypted
✌
blob
Does not look
there for bugs
This is
base64-encoded
serialized data
but it is signed
The signature
is using
RSA
The key is
strong
The key is
stored in a
secure place
The key is shared
between all
instances of the
application
"
"
"
"
"
#
#
#
#
#
#"
17
Hunting for bugs
Impact on teams
Impact of automation

18. 18
Quality bugs
• Weirdness
• Complexity of the exploitation
• No one found it before
• A somehow new pattern
• High visibility
What makes a bug great?

19. 19
What do with your bugs?
• It feels good
• It can be long and tedious
• It can be a good way to gain exposure when looking for a job
Responsible/Coordinated disclosure
• Selling
• Reporting via one or multiple Bug Bounty programs
• Sending a patch
• Bug hoarding
Other ways

20. 20
Some of my favourite bugs
CVE-2012-2661 CVE-2012-6081 CVE-2014-1266

21. 21
CVE-2012-2661
• Rails is supposed to prevent SQL injection by design
• No public exploit available
• First to release details on how to exploit it
• Free ISO and course on how to exploit it on PentesterLab.com
SQL Injection in Ruby-on-Rails
• Rails has caching on the injectable part
• Each query needs to be unique
• Completely blind
Exploitation

22. 22
CVE-2012-6081
• Used to hack Python and Debian's wiki
• Brillant exploitation
• Free ISO and course on how to exploit it on PentesterLab.com
RCE in MoinMoin wiki
• Directory traversal in upload (only in the filename's extension)
• The payload can't contain any dots
• File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink)
• Payload needs to be a valid MoinMoin plugin (Python)
Exploitation
drawing.z if()else()
import os
def execute(p, r):
exec"print>>r,os56popen(r56values['c'])56read()"

23. 23
CVE-2014-1266
• TLS verification bypass
• Public Key pinning bypass
• Targets a cipher that provides forward secrecy
Apple goto fail;
• Set up a malicious server with the legitimate certificate and any private key
• Force the cipher to the vulnerable one
• Get the victim to visit your site
Exploitation

24. 24
Let’s get started!
Try to pick one bug per month and study it (code diff/test lab/exploit).
I am convinced you will learn a tremendous amount about software
security

25. And then you can do a talk at Ruxmon on this bug!

26. 26
Thanks for your time!
Any questions?
@snyff
@PentesterLab