Entomology 101

S
snyff
1 Entomology 101 L o u i s N y f f e n e g g e r 
 L o u i s @ p e n t e s t e r l a b . c o m @ s n y f f / @ P e n t e s t e r L a b A n i n t r o d u c t i o n t o s t u d y i n g , c o l l e c t i n g a n d f i n d i n g b u g s . . .
2 My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.
3 If you are like me, you are more likely to find bugs by learning existing patterns and derive from them than by trying to discover a completely new bug class.
4 Collecting bugs Follow (security) mailing lists from known big projects: • Apache (announce@apache.org) • Ruby-on-Rails (rubyonrails-security@googlegroups.com) • ... Mailing lists Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters: • Twitter account: https://twitter.com/disclosedh1 • Bugcrowd: inurl:https://bugcrowd.com/disclosures • H1 Hacktivity https://hackerone.com/hacktivity • Bug bounty write-ups from bug bounty hunters Bug bounty disclosures
5 Collecting bugs Mailing lists
6 Collecting bugs Follow security researchers and bounty hunters: • Too many to list • Too risky to list and forget someone • Try to find people who share information on bugs • Try to find people with a high signal/noise ratio Twitter • Conferences and local meetups • Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list • Blogs (RSS) • Reddit /r/netsec • CTF • ... Other sources
7 Studying bugs 1.Find the vulnerable version and the fixed version 2.Extract a diff to see the changes (literally a few clicks on GitHub) 3.Profit: • You now know what the vulnerable code looks like • You now know what the bug precisely is • You have an idea on the exploitability of the issue • You know how to properly (hopefully) fix this type of issues • You learn a little bit about the codebase Check the source code
8 Studying bugs Check the source code Check the source code
9 Studying bugs • It allows you to learn how to deploy software • Sometime it is just one command (thanks to docker/docker hub) • Study someone's exploit • Build your own exploit • Exploit the issue • Find more bugs in the same test environment Build a test environment
10 Studying bugs • Try to find the same pattern in the same project • Try to find the same pattern in other project • Try to see what this pattern looks like in other languages/framework Extrapolate • Keep notes on the bug and source code • Keep the exploit (and tools to run it) • Maybe share this in a blog post Document your findings
11 Studying bugs • Do a write-up/blog post • Do a talk at work/school/local meetup • Tweet about something people may not know/have realised Share
12 Hunting for bugs • Bug Bounty programs (limited access to source code) • GitHub trending (https://github.com/trending) • DigitalOcean Marketplace (https://marketplace.digitalocean.com/) • HackerNews • ... Finding your targets • Build a test environment (with enhanced debugging if possible) • Get familiar with the source code (if available) • Pick few of the weird patterns for the language/framework used (based on your collecting) • Spend hours in front of a computers • Learn by actually searching for bugs! • Remember your goal is not to find bugs, it is to learn how to find bugs! Getting started
This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 13 Hunting for bugs Going deeper
14 Hunting for bugs Going deeper With a constant 30% drop rate 70% 49% 34% 24% 16% 11% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #"
With a constant 50% drop rate 50% 25% 13% 6% 3% 1.5% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 15 Hunting for bugs Going deeper
Optimizing based on your bug collection This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 16 Hunting for bugs Learn from your bug collection
This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 17 Hunting for bugs Impact on teams Impact of automation
18 Quality bugs • Weirdness • Complexity of the exploitation • No one found it before • A somehow new pattern • High visibility What makes a bug great?
19 What do with your bugs? • It feels good • It can be long and tedious • It can be a good way to gain exposure when looking for a job Responsible/Coordinated disclosure • Selling • Reporting via one or multiple Bug Bounty programs • Sending a patch • Bug hoarding Other ways
20 Some of my favourite bugs CVE-2012-2661 CVE-2012-6081 CVE-2014-1266
21 CVE-2012-2661 • Rails is supposed to prevent SQL injection by design • No public exploit available • First to release details on how to exploit it • Free ISO and course on how to exploit it on PentesterLab.com SQL Injection in Ruby-on-Rails • Rails has caching on the injectable part • Each query needs to be unique • Completely blind Exploitation
22 CVE-2012-6081 • Used to hack Python and Debian's wiki • Brillant exploitation • Free ISO and course on how to exploit it on PentesterLab.com RCE in MoinMoin wiki • Directory traversal in upload (only in the filename's extension) • The payload can't contain any dots • File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink) • Payload needs to be a valid MoinMoin plugin (Python) Exploitation drawing.z if()else() import os def execute(p, r): exec"print>>r,os56popen(r56values['c'])56read()"
23 CVE-2014-1266 • TLS verification bypass • Public Key pinning bypass • Targets a cipher that provides forward secrecy Apple goto fail; • Set up a malicious server with the legitimate certificate and any private key • Force the cipher to the vulnerable one • Get the victim to visit your site Exploitation
24 Let’s get started! 
 Try to pick one bug per month and study it (code diff/test lab/exploit). I am convinced you will learn a tremendous amount about software security
And then you can do a talk at Ruxmon on this bug!
26 Thanks for your time! Any questions? @snyff @PentesterLab
1 of 26

Entomology 101

Download to read offline
Technology

Bug hunting, web security, web hacking

S
snyff

Recommended

Owasp tds by
Owasp tdsOwasp tds
Owasp tdssnyff
647 views36 slides
Ruxmon feb 2013 what happened to rails by
Ruxmon feb 2013 what happened to railsRuxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff
944 views30 slides
Finding Needles in Haystacks by
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystackssnyff
4.3K views38 slides
Ruxmon cve 2012-2661 by
Ruxmon cve 2012-2661Ruxmon cve 2012-2661
Ruxmon cve 2012-2661snyff
632 views34 slides
Invoke-Obfuscation nullcon 2017 by
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
6.8K views220 slides
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 by
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
1.1K views63 slides

More Related Content

What's hot

Adventures in Asymmetric Warfare by
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
2.8K views47 slides
How to discover 1352 Wordpress plugin 0days in one hour (not really) by
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
2.2K views37 slides
Defcon CTF quals by
Defcon CTF qualsDefcon CTF quals
Defcon CTF qualssnyff
1.5K views30 slides
BSides London 2017 - Hunt Or Be Hunted by
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
1.6K views30 slides
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
1.7K views156 slides
Pwnstaller by
PwnstallerPwnstaller
PwnstallerWill Schroeder
2K views32 slides

What's hot(20)

Adventures in Asymmetric Warfare by Will Schroeder
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder2.8K views
How to discover 1352 Wordpress plugin 0days in one hour (not really) by Larry Cashdollar
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar2.2K views
Defcon CTF quals by snyff
Defcon CTF qualsDefcon CTF quals
Defcon CTF quals
snyff1.5K views
BSides London 2017 - Hunt Or Be Hunted by Alex Davies
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies1.6K views
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by CODE BLUE
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE1.7K views
Pwnstaller by Will Schroeder
PwnstallerPwnstaller
Pwnstaller
Will Schroeder2K views
My tryst with sourcecode review by Anant Shrivastava
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava2.6K views
Lares from LOW to PWNED by Chris Gates
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates6.4K views
Obfuscating The Empire by Ryan Cobb
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
Ryan Cobb5.5K views
BSides_Charm2015_Info sec hunters_gathers by Andrew McNicol
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol2.2K views
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2 by Chris Gates
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates7.6K views
Offensive Python for Pentesting by Mike Felch
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch1.1K views
Web2.0 : an introduction by Anant Shrivastava
Web2.0 : an introductionWeb2.0 : an introduction
Web2.0 : an introduction
Anant Shrivastava3.6K views
JWT: jku x5u by snyff
JWT: jku x5uJWT: jku x5u
JWT: jku x5u
snyff6.7K views
TeelTech - Advancing Mobile Device Forensics (online version) by Mike Felch
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch614 views
Building an Empire with PowerShell by Will Schroeder
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder22.3K views
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015 by CODE BLUE
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE1.1K views
Veil-PowerView - NovaHackers by VeilFramework
Veil-PowerView - NovaHackersVeil-PowerView - NovaHackers
Veil-PowerView - NovaHackers
VeilFramework3.4K views
Introduction to Penetration Testing by Andrew McNicol
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
Andrew McNicol10.4K views
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu... by Daniel Bohannon
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon3.4K views

Similar to Entomology 101

Vulnerability, exploit to metasploit by
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
2.6K views41 slides
"Hands Off! Best Practices for Code Hand Offs" by
"Hands Off! Best Practices for Code Hand Offs""Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"Naomi Dushay
1.1K views41 slides
PHP - Introduction to PHP Bugs - Debugging by
PHP - Introduction to PHP Bugs - DebuggingPHP - Introduction to PHP Bugs - Debugging
PHP - Introduction to PHP Bugs - DebuggingVibrant Technologies & Computers
790 views83 slides
Introduction to the intermediate Python - v1.1 by
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1Andrei KUCHARAVY
847 views116 slides
The Anatomy of Java Vulnerabilities (Devoxx UK 2017) by
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
882 views61 slides
The Web Application Hackers Toolchain by
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
4.5K views53 slides

Similar to Entomology 101(20)

Vulnerability, exploit to metasploit by Tiago Henriques
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques2.6K views
"Hands Off! Best Practices for Code Hand Offs" by Naomi Dushay
"Hands Off! Best Practices for Code Hand Offs""Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"
Naomi Dushay1.1K views
PHP - Introduction to PHP Bugs - Debugging by Vibrant Technologies & Computers
PHP - Introduction to PHP Bugs - DebuggingPHP - Introduction to PHP Bugs - Debugging
PHP - Introduction to PHP Bugs - Debugging
Vibrant Technologies & Computers790 views
Introduction to the intermediate Python - v1.1 by Andrei KUCHARAVY
Introduction to the intermediate Python - v1.1Introduction to the intermediate Python - v1.1
Introduction to the intermediate Python - v1.1
Andrei KUCHARAVY847 views
The Anatomy of Java Vulnerabilities (Devoxx UK 2017) by Steve Poole
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole882 views
The Web Application Hackers Toolchain by jasonhaddix
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix4.5K views
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits by Harsh Bothra
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & ProfitsWeaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Harsh Bothra748 views
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection by Neel Pathak
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak7.4K views
Best practices for using open source software in the enterprise by Marcel de Vries
Best practices for using open source software in the enterpriseBest practices for using open source software in the enterprise
Best practices for using open source software in the enterprise
Marcel de Vries4K views
Hunting for the secrets in a cloud forest by SecuRing
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing259 views
Practical Malware Analysis: Ch 9: OllyDbg by Sam Bowne
Practical Malware Analysis: Ch 9: OllyDbgPractical Malware Analysis: Ch 9: OllyDbg
Practical Malware Analysis: Ch 9: OllyDbg
Sam Bowne4.7K views
Pentesting Tips: Beyond Automated Testing by Andrew McNicol
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Andrew McNicol1.9K views
CNIT 126 Ch 9: OllyDbg by Sam Bowne
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
Sam Bowne155 views
Leveling Up at JavaScript by Raymond Camden
Leveling Up at JavaScriptLeveling Up at JavaScript
Leveling Up at JavaScript
Raymond Camden2.1K views
Testers, get into security bug bounties! by eusebiu daniel blindu
Testers, get into security bug bounties!Testers, get into security bug bounties!
Testers, get into security bug bounties!
eusebiu daniel blindu3.1K views
libinjection: from SQLi to XSS  by Nick Galbreath by CODE BLUE
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick Galbreath
CODE BLUE6.8K views
Rails tools by Reuven Lerner
Rails toolsRails tools
Rails tools
Reuven Lerner566 views
Chelberg ptcuser 2010 by Clay Helberg
Chelberg ptcuser 2010Chelberg ptcuser 2010
Chelberg ptcuser 2010
Clay Helberg574 views
On non existent 0-days, stable binary exploits and by Alisa Esage Шевченко
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
Alisa Esage Шевченко3.9K views
Donu’t Let Vulnerabilities Create a Hole in Your Organization by DevOps.com
Donu’t Let Vulnerabilities Create a Hole in Your OrganizationDonu’t Let Vulnerabilities Create a Hole in Your Organization
Donu’t Let Vulnerabilities Create a Hole in Your Organization
DevOps.com161 views

Recently uploaded

MVP and prioritization.pdf by
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdfrahuldharwal141
31 views8 slides
Data Integrity for Banking and Financial Services by
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial ServicesPrecisely
25 views26 slides
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
34 views35 slides
virtual reality.pptx by
virtual reality.pptxvirtual reality.pptx
virtual reality.pptxG036GaikwadSnehal
14 views15 slides
SAP Automation Using Bar Code and FIORI.pdf by
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdfVirendra Rai, PMP
23 views38 slides
Future of AR - Facebook Presentation by
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentationssuserb54b561
15 views27 slides

Recently uploaded(20)

MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14131 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely25 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum34 views
virtual reality.pptx by G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal14 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP23 views
Future of AR - Facebook Presentation by ssuserb54b561
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
ssuserb54b56115 views
20231123_Camunda Meetup Vienna.pdf by Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH41 views
Design Driven Network Assurance by Network Automation Forum
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network Assurance
Network Automation Forum15 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)18 views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)22 views
STPI OctaNE CoE Brochure.pdf by madhurjyapb
STPI OctaNE CoE Brochure.pdfSTPI OctaNE CoE Brochure.pdf
STPI OctaNE CoE Brochure.pdf
madhurjyapb14 views
Case Study Copenhagen Energy and Business Central.pdf by Aitana
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdf
Aitana16 views
Vertical User Stories by Moisés Armani Ramírez
Vertical User StoriesVertical User Stories
Vertical User Stories
Moisés Armani Ramírez14 views
HTTP headers that make your website go faster - devs.gent November 2023 by Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn22 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi132 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays17 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining58 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil400 views
Melek BEN MAHMOUD.pdf by MelekBenMahmoud
Melek BEN MAHMOUD.pdfMelek BEN MAHMOUD.pdf
Melek BEN MAHMOUD.pdf
MelekBenMahmoud14 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva615 views

Entomology 101

  • 1. 1 Entomology 101 L o u i s N y f f e n e g g e r 
 L o u i s @ p e n t e s t e r l a b . c o m @ s n y f f / @ P e n t e s t e r L a b A n i n t r o d u c t i o n t o s t u d y i n g , c o l l e c t i n g a n d f i n d i n g b u g s . . .
  • 2. 2 My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.
  • 3. 3 If you are like me, you are more likely to find bugs by learning existing patterns and derive from them than by trying to discover a completely new bug class.
  • 4. 4 Collecting bugs Follow (security) mailing lists from known big projects: • Apache (announce@apache.org) • Ruby-on-Rails (rubyonrails-security@googlegroups.com) • ... Mailing lists Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters: • Twitter account: https://twitter.com/disclosedh1 • Bugcrowd: inurl:https://bugcrowd.com/disclosures • H1 Hacktivity https://hackerone.com/hacktivity • Bug bounty write-ups from bug bounty hunters Bug bounty disclosures
  • 6. 6 Collecting bugs Follow security researchers and bounty hunters: • Too many to list • Too risky to list and forget someone • Try to find people who share information on bugs • Try to find people with a high signal/noise ratio Twitter • Conferences and local meetups • Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list • Blogs (RSS) • Reddit /r/netsec • CTF • ... Other sources
  • 7. 7 Studying bugs 1.Find the vulnerable version and the fixed version 2.Extract a diff to see the changes (literally a few clicks on GitHub) 3.Profit: • You now know what the vulnerable code looks like • You now know what the bug precisely is • You have an idea on the exploitability of the issue • You know how to properly (hopefully) fix this type of issues • You learn a little bit about the codebase Check the source code
  • 8. 8 Studying bugs Check the source code Check the source code
  • 9. 9 Studying bugs • It allows you to learn how to deploy software • Sometime it is just one command (thanks to docker/docker hub) • Study someone's exploit • Build your own exploit • Exploit the issue • Find more bugs in the same test environment Build a test environment
  • 10. 10 Studying bugs • Try to find the same pattern in the same project • Try to find the same pattern in other project • Try to see what this pattern looks like in other languages/framework Extrapolate • Keep notes on the bug and source code • Keep the exploit (and tools to run it) • Maybe share this in a blog post Document your findings
  • 11. 11 Studying bugs • Do a write-up/blog post • Do a talk at work/school/local meetup • Tweet about something people may not know/have realised Share
  • 12. 12 Hunting for bugs • Bug Bounty programs (limited access to source code) • GitHub trending (https://github.com/trending) • DigitalOcean Marketplace (https://marketplace.digitalocean.com/) • HackerNews • ... Finding your targets • Build a test environment (with enhanced debugging if possible) • Get familiar with the source code (if available) • Pick few of the weird patterns for the language/framework used (based on your collecting) • Spend hours in front of a computers • Learn by actually searching for bugs! • Remember your goal is not to find bugs, it is to learn how to find bugs! Getting started
  • 13. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 13 Hunting for bugs Going deeper
  • 14. 14 Hunting for bugs Going deeper With a constant 30% drop rate 70% 49% 34% 24% 16% 11% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #"
  • 15. With a constant 50% drop rate 50% 25% 13% 6% 3% 1.5% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 15 Hunting for bugs Going deeper
  • 16. Optimizing based on your bug collection This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 16 Hunting for bugs Learn from your bug collection
  • 17. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 17 Hunting for bugs Impact on teams Impact of automation
  • 18. 18 Quality bugs • Weirdness • Complexity of the exploitation • No one found it before • A somehow new pattern • High visibility What makes a bug great?
  • 19. 19 What do with your bugs? • It feels good • It can be long and tedious • It can be a good way to gain exposure when looking for a job Responsible/Coordinated disclosure • Selling • Reporting via one or multiple Bug Bounty programs • Sending a patch • Bug hoarding Other ways
  • 20. 20 Some of my favourite bugs CVE-2012-2661 CVE-2012-6081 CVE-2014-1266
  • 21. 21 CVE-2012-2661 • Rails is supposed to prevent SQL injection by design • No public exploit available • First to release details on how to exploit it • Free ISO and course on how to exploit it on PentesterLab.com SQL Injection in Ruby-on-Rails • Rails has caching on the injectable part • Each query needs to be unique • Completely blind Exploitation
  • 22. 22 CVE-2012-6081 • Used to hack Python and Debian's wiki • Brillant exploitation • Free ISO and course on how to exploit it on PentesterLab.com RCE in MoinMoin wiki • Directory traversal in upload (only in the filename's extension) • The payload can't contain any dots • File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink) • Payload needs to be a valid MoinMoin plugin (Python) Exploitation drawing.z if()else() import os def execute(p, r): exec"print>>r,os56popen(r56values['c'])56read()"
  • 23. 23 CVE-2014-1266 • TLS verification bypass • Public Key pinning bypass • Targets a cipher that provides forward secrecy Apple goto fail; • Set up a malicious server with the legitimate certificate and any private key • Force the cipher to the vulnerable one • Get the victim to visit your site Exploitation
  • 24. 24 Let’s get started! 
 Try to pick one bug per month and study it (code diff/test lab/exploit). I am convinced you will learn a tremendous amount about software security
  • 25. And then you can do a talk at Ruxmon on this bug!
  • 26. 26 Thanks for your time! Any questions? @snyff @PentesterLab