Entomology 101

Louis Nyffenegger
louis@pentesterlab.com
@snyff / @PentesterLab

An introduction to studying, collecting and finding bugs...
My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.
If you are like me, you are more likely to find bugs by learning existing patterns and deriving from them than by trying to discover a completely new bug class.
Collecting bugs

Mailing lists
Follow the (security) mailing lists of well-known, large projects:
• Apache (announce@apache.org)
• Ruby-on-Rails (rubyonrails-security@googlegroups.com)
• ...

Bug bounty disclosures
Bug bounty programs and hunters sometimes disclose the bugs found by bug bounty hunters:
• Twitter account: https://twitter.com/disclosedh1
• Bugcrowd: inurl:https://bugcrowd.com/disclosures
• H1 Hacktivity: https://hackerone.com/hacktivity
• Bug bounty write-ups from bug bounty hunters
Collecting bugs

Twitter
Follow security researchers and bounty hunters:
• Too many to list
• Too risky to list and forget someone
• Try to find people who share information on bugs
• Try to find people with a high signal/noise ratio

Other sources
• Conferences and local meetups
• Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list
• Blogs (RSS)
• Reddit /r/netsec
• CTF
• ...
Studying bugs

Check the source code
1. Find the vulnerable version and the fixed version
2. Extract a diff to see the changes (literally a few clicks on GitHub)
3. Profit:
   • You now know what the vulnerable code looks like
   • You now know precisely what the bug is
   • You have an idea of the exploitability of the issue
   • You know how to properly (hopefully) fix this type of issue
   • You learn a little bit about the codebase
Studying bugs

Build a test environment
• It allows you to learn how to deploy software
• Sometimes it is just one command (thanks to Docker / Docker Hub)
• Study someone's exploit
• Build your own exploit
• Exploit the issue
• Find more bugs in the same test environment
Studying bugs

Extrapolate
• Try to find the same pattern in the same project
• Try to find the same pattern in other projects
• Try to see what this pattern looks like in other languages/frameworks

Document your findings
• Keep notes on the bug and source code
• Keep the exploit (and the tools to run it)
• Maybe share this in a blog post
Studying bugs

Share
• Do a write-up/blog post
• Do a talk at work/school/local meetup
• Tweet about something people may not know/have realised
Hunting for bugs

Finding your targets
• Bug Bounty programs (limited access to source code)
• GitHub trending (https://github.com/trending)
• DigitalOcean Marketplace (https://marketplace.digitalocean.com/)
• HackerNews
• ...

Getting started
• Build a test environment (with enhanced debugging if possible)
• Get familiar with the source code (if available)
• Pick a few of the weird patterns for the language/framework used (based on your collecting)
• Spend hours in front of a computer
• Learn by actually searching for bugs!
• Remember: your goal is not to find bugs, it is to learn how to find bugs!
Hunting for bugs

Going deeper

[Diagram: a chain of assumptions met when digging into a target, one step at a time]
• "This is an ✌ encrypted ✌ blob" → does not look there for bugs
• This is base64-encoded serialized data, but it is signed
• The signature is using RSA
• The key is strong
• The key is stored in a secure place
• The key is shared between all instances of the application

[The same chain, annotated with how many are still digging after each step, for a constant drop rate]

Step   Constant 30% drop rate   Constant 50% drop rate
1      70%                      50%
2      49%                      25%
3      34%                      13%
4      24%                      6%
5      16%                      3%
6      11%                      1.5%

Optimizing based on your bug collection

Learn from your bug collection

Impact on teams

Impact of automation
Quality bugs

What makes a bug great?
• Weirdness
• Complexity of the exploitation
• No one found it before
• A somewhat new pattern
• High visibility
What to do with your bugs?

Responsible/Coordinated disclosure
• It feels good
• It can be long and tedious
• It can be a good way to gain exposure when looking for a job

Other ways
• Selling
• Reporting via one or multiple Bug Bounty programs
• Sending a patch
• Bug hoarding
Some of my favourite bugs

CVE-2012-2661, CVE-2012-6081, CVE-2014-1266
CVE-2012-2661

SQL Injection in Ruby-on-Rails
• Rails is supposed to prevent SQL injection by design
• No public exploit available
• First to release details on how to exploit it
• Free ISO and course on how to exploit it on PentesterLab.com

Exploitation
• Rails has caching on the injectable part
• Each query needs to be unique
• Completely blind
CVE-2012-6081

RCE in MoinMoin wiki
• Used to hack Python's and Debian's wikis
• Brilliant exploitation
• Free ISO and course on how to exploit it on PentesterLab.com

Exploitation
• Directory traversal in upload (only in the filename's extension)
• The payload can't contain any dots
• The uploaded file is tar'd (adds a limit of max 100 bytes to avoid @LongLink)
• The payload needs to be a valid MoinMoin plugin (Python)

    drawing.z if()else()
    import os
    def execute(p, r):
        exec"print>>r,os56popen(r56values['c'])56read()"
CVE-2014-1266

Apple goto fail;
• TLS verification bypass
• Public key pinning bypass
• Targets a cipher that provides forward secrecy

Exploitation
• Set up a malicious server with the legitimate certificate and any private key
• Force the cipher to the vulnerable one
• Get the victim to visit your site
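Added example (not from the slides, and not Apple's source): the shape of the goto fail bug, written as a vulnerable function beside its fixed form so that the one-line diff between them, the kind of diff the "Check the source code" steps above are about, is visible. The step functions, their names and the return values are constructed stand-ins for the real hash-update and signature-verify calls; only the control-flow shape is taken from the real bug.

```c
#include <stdio.h>

/* Each step stands in for one hash-update or signature-verify call:
 * 0 means success, non-zero is an error code. (Constructed for this example.) */
typedef int (*step_fn)(void);

int step_ok(void)   { return 0; }
int step_fail(void) { return -1; }   /* e.g. the final signature check failing */

/* Vulnerable shape of SSLVerifySignedServerKeyExchange in CVE-2014-1266:
 * one duplicated "goto fail;" is unconditional, so the verify step is dead
 * code and err still holds 0 from the last successful update. */
int verify_vulnerable(step_fn update1, step_fn update2, step_fn verify)
{
    int err;
    if ((err = update1()) != 0)
        goto fail;
    if ((err = update2()) != 0)
        goto fail;
        goto fail;   /* the extra line: always taken, verify() never runs */
    if ((err = verify()) != 0)
        goto fail;
fail:
    return err;      /* 0 tells the caller "signature OK" */
}

/* Fixed shape: every branch body braced, the verify step always executes. */
int verify_fixed(step_fn update1, step_fn update2, step_fn verify)
{
    int err;
    if ((err = update1()) != 0) { goto fail; }
    if ((err = update2()) != 0) { goto fail; }
    if ((err = verify()) != 0)  { goto fail; }
fail:
    return err;
}

int main(void)
{
    /* A bad signature (verify fails) must yield a non-zero error. */
    printf("vulnerable, bad signature: err=%d\n",
           verify_vulnerable(step_ok, step_ok, step_fail));
    printf("fixed, bad signature:      err=%d\n",
           verify_fixed(step_ok, step_ok, step_fail));
    return 0;
}
```

Compiling with `-Wall` on gcc or clang flags the misleading indentation of the second `goto fail;`, which is the cheap detection for this pattern; the durable fix is the braced form plus a test that feeds a failing verify step and checks the return value, exactly the negative test the vulnerable function fails.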
Let’s get started!

Try to pick one bug per month and study it (code diff/test lab/exploit).
I am convinced you will learn a tremendous amount about software security.

And then you can do a talk at Ruxmon on this bug!

Thanks for your time!
Any questions?
@snyff
@PentesterLab
