My Bug Hunting With Open Source

•

3 likes•1,780 views

This talk is going to talk about how I got 50 CVE's in a week. I used to play bug bounties and other security penetration testing challenges. After realization I started contributing to Open Source Community and found several critical bugs and got proper satisfaction for the work. Then I met like minded people and started bug hunter with Code Vigilant (http://codevigilant.com), Project for Securing Open Source Software.

Technology

My Bug Hunting With Open Source
Madhu Akula
Information Security Enthusiastic

root@localhost:~# whoami
in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula
● Network Security Consultant @Payatu
● Chapter lead at null
● Cr3w Member at Nullcon
● Contributor @ Codevigilant
● Bug Huner & Opensource Contributor
● Never ending Learner !

Agenda
My journey so far in the world of
bug finding
This is all about how I have done and
how you can also do

History
Started hunting for bugs on several bug bounty programs for

Realization
● It's enough
● I'm wasting everyday 2hrs
● Luck is the best kick
● Started as noob and got some experience with
app security
● Increased friends network

CVE-2014-4329
CVE-2014-4722
CVE-2014-4853

After some days...
● I am not the only person thinking this, Found
something similar

What is Code Vigilnat
● A community collaboration effort to make
opensource software’s secure.
● Finding bugs and responsibly disclosing them
to respective author and preferable getting
software updated.
● Responsible disclosure on website after
sufficient interval.

About Code Vigilant
Anant Shrivastava Prajal Kulkarni
Chaitu Madhu Akula

Target A EcoSystem
● We Picked WordPress Ecosystem which meant
– WordPress Plugins (current focus)
– WordPress Themes (current Focus)
– WordPress Core (future check)
● Pick an ecosystem which you think is near and
dear to you and the language which you can
easily understand.

Why
● 60 million websites world wide
● Current stable release 4.0

Expectation
We are seeking for more volunteers to come
forward and help us make opensource
softwares a more secure plateform.

For 'U'
● Appeal to use codevigilant plateform
●
You find flaws
– Either join our team and do continuous contribution
• You get an author’s page at codevigilant
• If you get any bounty for the bug you keep it.
– Send Details as one off cases of finding
● We will do co-ordination with third party
● We will try to get it patched or remove it from internet if not patched.
● We will publish advisory on website with yours and co-ordinator’s
name in advisory.

For 'U'
● If you want a open source product tested
contact us and we will see what we can do
about it.
● If you want quick test’s you can think about
donating to the project.

Code Vigilant
● http://www.codevigilant.com
● https://github.com/Codevigilant
● https://facebook.com/Codevigilant
● https://twitter.com/Codevigilant

An ideal addition to your personal elibrary. With the aid of this indispensable reference book, you may quickly gain a grasp of Python, Java, JavaScript, C, C++, CSS, Data Science, HTML, LINUX and PHP. It can be challenging to understand the programming language's distinctive advantages and charms. Many programmers who are familiar with a variety of languages frequently approach them from a constrained perspective rather than enjoying their full expressivity. Some programmers incorrectly use Programmatic features, which can later result in serious issues. The programmatic method of writing programs—the ideal approach to use programming languages—is explained in this book. This book is for all programmers, whether you are a novice or an experienced pro. Its numerous examples and well paced discussions will be especially beneficial for beginners. Those who are already familiar with programming will probably gain more from this book, of course. I want you to be prepared to use programming to make a big difference.

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame

Abhinav Mishra

Linux Commands, C, C++, Java and Python Exercises For Beginners

Manjunath.R -

An approachable manual for new and experienced programmers that introduces the programming languages C, C++, Java, and Python. This book is for all programmers, whether you are a novice or an experienced pro. It is designed for an introductory course that provides beginning engineering and computer science students with a solid foundation in the fundamental concepts of computer programming. It also offers valuable perspectives on important computing concepts through the development of programming and problem-solving skills using the languages C, C++, Java, and Python. The beginner will find its carefully paced exercises especially helpful. Of course, those who are already familiar with programming are likely to derive more benefits from this book. After reading this book you will find yourself at a moderate level of expertise in C, C++, Java and Python, from which you can take yourself to the next levels. The command-line interface is one of the nearly all well built trademarks of Linux. There exists an ocean of Linux commands, permitting you to do nearly everything you can be under the impression of doing on your Linux operating system. However, this, at the end of time, creates a problem: because of all of so copious commands accessible to manage, you don't comprehend where and at which point to fly and learn them, especially when you are a learner. If you are facing this problem, and are peering for a painless method to begin your command line journey in Linux, you've come to the right place-as in this book, we will launch you to a hold of well liked and helpful Linux commands. This book gives a thorough introduction to the C, C++, Java, and Python programming languages, covering everything from fundamentals to advanced concepts. It also includes various exercises that let you put what you learn to use in the real world.

Leading an open source project as a startup

Nicolas Garnier

Leading An Open Source Project As A Startup

Mailjet

Mobile Web Compatibility @ Code Camp Cluj

Ioana Chiorean

Tenants for Going at DevSecOps Speed - LASCON 2023

Matt Tesauro

You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tool outputs for all your different apps let alone shrink the pile of work already on your plate? In this talk, we’ll discuss the key decision points and requirements to set up a program that moves as fast as it needs to without your team burning out. Learn how to keep moving forward while keeping your sanity. After learning to be nimble from dealing with teams that are doing 75 production deployments per week, the surviving ideas have been distilled into a collection of tenants. We’ll cover: How to handle CI/CD tests versus traditional security assessments? How to best manage SLAs? How to keep data for auditors and regulatory requirements while also doing continuous testing? Understanding health checks versus continuous testing versus manual testing. How to deal with false positives, risk acceptances and the lifecycle of a security issue? By using these tenants, security assessments at one company grew from 44 to 414 in 2 years or 9.4 times all while losing some headcount. Time to turn chaos into calm and distress into success.

Lvl.upswee meng ng

Preparing for the WebGeek DevCup

bryanbibat

BugBounty Roadmap with Mohammed Adam

Mohammed Adam

Michael Widenius

CodeFest

Services, tools & practices for a software house

Paris Apostolopoulos

Pentester++

CTruncer

Year Zero

leifdreizler

The benefits of contributing to open source

Jonathan Bossenger

OPEN SOURCE HORROR STORIES (AND LESSONS LEARNED)

FINOS

Gil Yehuda, Oath: Open Source Horror Stories (and lessons learned). Open Source is not just about unicorns and rainbows where nice developers give you free code and fix it for you. This talk will feature a few cringeworthy but real-world stories of open source situations gone bad. We’ll talk about cases where people published things they should not have, licenses with terms you’d never agree with, employees who forget who signs their paychecks, DMCA takedowns that kill your code, and situations where you now own someone else’s mistakes. Names and some details will be withheld to protect the innocent and guilty alike. But each case points to a policy which you should put in place to protect your projects and your interests in the world of open source. At the end of this talk you’ll see why many companies manage an open source program the way they do.

Open Source Horror Stories and Lessons Learned

Open Source Strategy Forum

5 unspoke rules of contributing to open source software

Mike Nelson

Buddy navigator

Rishabh Gupta

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Similar to My Bug Hunting With Open Source

Contributing to an Open Source Project 101

POSSCON

C, C++, Java, Python, PHP, JavaScript and Linux For Beginners

Manjunath.R -

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame

Abhinav Mishra

Linux Commands, C, C++, Java and Python Exercises For Beginners

Manjunath.R -

Leading an open source project as a startup

Nicolas Garnier

Leading An Open Source Project As A Startup

Mailjet

Mobile Web Compatibility @ Code Camp Cluj

Ioana Chiorean

Tenants for Going at DevSecOps Speed - LASCON 2023

Matt Tesauro

Lvl.upswee meng ng

Preparing for the WebGeek DevCup

bryanbibat

BugBounty Roadmap with Mohammed Adam

Mohammed Adam

Michael Widenius

CodeFest

Services, tools & practices for a software house

Paris Apostolopoulos

Pentester++

CTruncer

Year Zero

leifdreizler

The benefits of contributing to open source

Jonathan Bossenger

OPEN SOURCE HORROR STORIES (AND LESSONS LEARNED)

FINOS

Open Source Horror Stories and Lessons Learned

Open Source Strategy Forum

5 unspoke rules of contributing to open source software

Mike Nelson

Buddy navigator

Rishabh Gupta

Similar to My Bug Hunting With Open Source (20)

Contributing to an Open Source Project 101

C, C++, Java, Python, PHP, JavaScript and Linux For Beginners

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame

Linux Commands, C, C++, Java and Python Exercises For Beginners

Leading an open source project as a startup

Leading An Open Source Project As A Startup

Mobile Web Compatibility @ Code Camp Cluj

Tenants for Going at DevSecOps Speed - LASCON 2023

Lvl.up

Preparing for the WebGeek DevCup

BugBounty Roadmap with Mohammed Adam

Michael Widenius

Services, tools & practices for a software house

Pentester++

Year Zero

The benefits of contributing to open source

OPEN SOURCE HORROR STORIES (AND LESSONS LEARNED)

Open Source Horror Stories and Lessons Learned

5 unspoke rules of contributing to open source software

Buddy navigator

Recently uploaded

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

Recently uploaded (20)

GridMate - End to end testing is a critical piece to ensure quality and avoid...

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Essentials of Automations: The Art of Triggers and Actions in FME

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Microsoft - Power Platform_G.Aspiotis.pdf

The Art of the Pitch: WordPress Relationships and Sales

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Climate Impact of Software Testing at Nordic Testing Days

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Removing Uninteresting Bytes in Software Fuzzing

20240605 QFM017 Machine Intelligence Reading List May 2024

Epistemic Interaction - tuning interfaces to provide information for AI support

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

How to Get CNIC Information System with Paksim Ga.pptx

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

My Bug Hunting With Open Source

1. My Bug Hunting With Open Source Madhu Akula Information Security Enthusiastic

2. root@localhost:~# whoami in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula ● Network Security Consultant @Payatu ● Chapter lead at null ● Cr3w Member at Nullcon ● Contributor @ Codevigilant ● Bug Huner & Opensource Contributor ● Never ending Learner !

3. Agenda My journey so far in the world of bug finding This is all about how I have done and how you can also do

4. History Started hunting for bugs on several bug bounty programs for

5. History Started with Duplicates...

6. Digging into deep

9. Realization ● It's enough ● I'm wasting everyday 2hrs ● Luck is the best kick ● Started as noob and got some experience with app security ● Increased friends network

10. Then what's next ???

11. CVE-2014-4329 CVE-2014-4722 CVE-2014-4853

12. After some days... ● I am not the only person thinking this, Found something similar

13. What is Code Vigilnat ● A community collaboration effort to make opensource software’s secure. ● Finding bugs and responsibly disclosing them to respective author and preferable getting software updated. ● Responsible disclosure on website after sufficient interval.

14. About Code Vigilant Anant Shrivastava Prajal Kulkarni Chaitu Madhu Akula

15. Target A EcoSystem ● We Picked WordPress Ecosystem which meant – WordPress Plugins (current focus) – WordPress Themes (current Focus) – WordPress Core (future check) ● Pick an ecosystem which you think is near and dear to you and the language which you can easily understand.

16. Why ● 60 million websites world wide ● Current stable release 4.0

17. Why Wordpress ?

18. Let's Find Zero Days

19. Feedback

20. Let's Automate

21. Result More than 50 CVE's in 1 Week

22. Expectation We are seeking for more volunteers to come forward and help us make opensource softwares a more secure plateform.

23. For 'U' ● Appeal to use codevigilant plateform ● You find flaws – Either join our team and do continuous contribution • You get an author’s page at codevigilant • If you get any bounty for the bug you keep it. – Send Details as one off cases of finding ● We will do co-ordination with third party ● We will try to get it patched or remove it from internet if not patched. ● We will publish advisory on website with yours and co-ordinator’s name in advisory.

24. For 'U' ● If you want a open source product tested contact us and we will see what we can do about it. ● If you want quick test’s you can think about donating to the project.

25. Code Vigilant ● http://www.codevigilant.com ● https://github.com/Codevigilant ● https://facebook.com/Codevigilant ● https://twitter.com/Codevigilant

26. Thanks

My Bug Hunting With Open Source

Recommended

Recommended

More Related Content

Similar to My Bug Hunting With Open Source

Similar to My Bug Hunting With Open Source (20)

Recently uploaded

Recently uploaded (20)

My Bug Hunting With Open Source