This document summarizes a presentation on hunting security bugs in modern web applications. It introduces the speaker and their background in bug bounty hunting. It then covers popular web application technologies, frameworks, and content management systems. The rest of the document outlines various types of security vulnerabilities that can be found, including injection flaws, authentication issues, cross-site scripting, access control failures, and insecure direct object references. Specific methodologies are provided for finding each vulnerability, such as testing authentication, session management, and input validation. The benefits of responsible vulnerability discovery and reporting are also mentioned.

1. Welcome to Myanmar Cyber Conference

2. Hunting Security Bugs in Modern Web
Applications
Presented by
Toe Khaing Oo

3. What is it exactly?
● Modern Web Application Technologies
● Security vulnerabilities of modern web
application
● How attackers do
● Recognizing the risks
● Bug Hunting for fun and profits

4. Who am I
● Student
● Self-taught Hacker
● Freelance Web Developer
● Instructor at Cyber Wings
● Bug Bounty Hunter at BugCrowd Inc
(https://bugcrowd.com/toekhaing)
● Contributor at OWASP Myanmar
● Organizer at Myanmar Cyber Conference

5. Modern Web Application Technology : Overview
● Client – Server Architecture
● MVC Architecture
● RESTful API
● Users
● Storage
● Caching

6. Popular Web Framework
● CodeIgniter (PHP)
● Laravel (PHP)
● Rails (Ruby)
● Django (Python)
● Angular (JavaScript)
● React (JavaScript)
● ExpressJS (JavaScript)

7. Popular CMS

8. What is Web Application Security?
● Information Security deals with Security of web
application
● Protecting Information by Preventing, Detecting
and Responding to attacks
● Making safe for users on the web

9. Bug Hunting 101
● Finding vulnerabilities which are not easy to find
● Exploiting
● Determining the risks and impact
● Examining Proof of Concept
● Reporting

10. Benefits
● Better Profile
● Hall Of Fame,
Responsible
Disclosure,
Acknowledgments
● Swags (T-Shirts,
Stickers, etc)
● Bug Bounty ($$$)

11. Bug Hunting Methodologies
● Mapping the Application
● Analyzing the Application
● Testing Authentication Mechanism
● Testing the Session Management Mechanism
● Testing client-side controls
● Testing for Input-Based Vulnerabilities
● Testing Access Controls
● Testing for Logic Flaws

12. Mapping the Target
● Explore Visible Content (view source code)
● Check Public Resources (CSS, JS, SWF)
● Discover Hidden Content
● Brute force directories
● Tools
CMS Map (https://github.com/Dionach/CMSmap)
What Web (https://github.com/urbanadventurer/WhatWeb)
Nikto (https://github.com/sullo/nikto)

13. Analyzing the Application
● Identify the Technologies Used
● Identify its functions
● Identify Data Entry
● Map attack surface

14. OWASP Top Ten Vulnerabilities

15. Hunting for A1 : Injection
● ‘and 1=1 | ‘or 1=1
● Neither easy nor difficult
● Frameworks & CMS have
already prevented
● POST method - possible
● Blind test is better
● XML Injection
● Don’t forget API
http://site.com/api/v1/user/’%20or%20’1’=’1

16. A2 : Broken Authentication & Session
Management
● Guess login credentials
● Check Error Messages
"Login for User foo: invalid password"
"Login failed, invalid user ID”
"Login failed; account disabled"
"Login failed; this user is not active"
● Password Reset Function
● OAuth
● Session Restore
● Session Manipulation
● Session Expiration

17. A3 : Cross Site Scripting (XSS)
● XSS attacks allow a user to
inject client side scripts
into the browsers of other
users
● Most frameworks support
auto escape HTML
characters
● Auto-sanitization and
Context-Sensitivity

18. Hunting for XSS Vulnerability : 1
● Still easy to find
● JavaScript code in search
box (input box)
eg: <script>alert(‘XSS’)</script>
● Stored XSS in User
Information such as
Username, First Name,
LastName and even
Email.

19. Hunting for XSS Vulnerability : 2
● DOM XSS
● SWF
● File Upload XSS
● Tools
XSSER
(https://github.com/epsylon/xsser)
Magento XSS

20. Hunting for XSS : 3
● Flash XSS (SWF)
/zeroclipboard.swf?id="))}catch(e)
{alert(1);}//&width=500&height=500
/player.swf?playerready=alert(document.cookie)
/player.swf?tracecall=alert(document.cookie)
/banner.swf?clickTAG=javascript:alert(1);
/swfupload.swf?movieName="]);}catch(e){}if(!
self.a)self.a=!alert(1);//
video-js.swf?readyFunction=alert
%28document.domain%2b'%20XSSed!'%29

21. A4 : Access Control
● All sites require to control access policy
● Most of them are bad coding
● Need to access as possible as you can
● Directories, File Permissions, User Permissions
● Test with Multiple Accounts

22. IDOR
● Insecure Direct Object References
● Mostly found in API
● Profile Page, Settings Page, etc
● Check Bypass Methods – Nulled Characters

23. Remote Code Execution (RCE)
● Execute Commands on the web server.
● Difficult to find but not at all
● Need strongly understanding of web
application’s architecture, what
frameworks and how it works
● Template Injection Type
example
- add input field {{ 7*7 }} and returns 49.
- $(sleep 20) in text area and the result
come out at 20 seconds
- Image Upload RCE (ImageMagick)
- struct2 RCE

24. A5 : Security Misconfiguration
● Test for Default Credentials
(Apache Tomcat, JBoss)
● Subdomain TakeOver
● Test for latest CVE (Heartbleed, Poodle, Apache
Struct2, etc)

25. A6 : Sensitive Data Exposure
● Config File (eg : Github config)
● Path Disclosure (Low Impact)
● Source Code Disclosure
● Log file exposed (debug.log , error_log,
access.log)

26. CSRF
● Cross Site Request Forgery
● Modern Web Frameworks have
built-in CSRF protection
● Test for Bypass methods
● Bypass methods
- Nulled Characters
- bypass with *
- Bypass CSRF protection via
XSS

27. URL Redirect
● Unvalidated Redirects &
Forwards
● Can find with Google Dorks
- “redirect_url”
- “URL?=”
- “return?=”
More dorks
https://github.com/epsylon/ufonet/blob/master/botnet/dorks.txt

28. Known Vulnerabilities
● CVE, CWE, Metasploit Modules
● Mostly in CMS
● For example;
- Drupal SQL injection
(Drupageddon)
- Joomla JCE
- Zpanel Exploit
- JBoss
● More Info
http://exploit-db.com
https://wpvulndb.com/

29. Business Logic Flaws
● Misuse a business rules of an application
● Shopping cart check out, payment transaction, etc
● Parameter manipulation
● Business process/logic bypass

30. Reporting
● Title/Vulnerable Information
● Specify Target
● Vulnerable URL/Parameter
● Description
● Impact
● Proof of Concept (POC)
● Remediation (if possible)

31. The End
Thanks for your attention