Successfully reported this slideshow.

Entomology 101

2

Share

Feb. 28, 2020
2 likes 1,595 views
Upcoming SlideShare
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
Loading in …3
×
1 of 26
1 of 26

Entomology 101

Feb. 28, 2020
2 likes 1,595 views

2

Share

Download to read offline

Technology

Bug hunting, web security, web hacking

Bug hunting, web security, web hacking

Technology

Recommended

More Related Content

Similar to Entomology 101

Infecting the Embedded Supply Chain
Priyanka Aash
44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...
44CON
Web Hacking With Burp Suite 101
Zack Meyers
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Security Bootcamp
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
Web App Vulnerability Assessments
jaredperry
How to secure your web applications with NGINX
Wallarm
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
6 ways to hack your JavaScript application by Viktor Turskyi
OdessaJS Conf
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
Tw noche geek quito webappsec
Thoughtworks
Defending against Java Deserialization Vulnerabilities
Luca Carettoni
I got 99 trends and a # is all of them
Roberto Suggi Liverani
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
Information Security Engineering
Md. Hasan Basri (Angel)
Web Application Security
Colin English
Anatomy of Java Vulnerabilities - NLJug 2018
Steve Poole
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JSFestUA
DiUS Computing Lca Rails Final
Robert Postill

More from snyff

JWT: jku x5u
snyff
Code that gets you pwn(s|'d)
snyff
Entrepreneurship for hackers
snyff
Jwt == insecurity?
snyff
Finding Needles in Haystacks
snyff
Defcon CTF quals
snyff
Ruxmon cve 2012-2661
snyff
Ln monitoring repositories
snyff
Owasp tds
snyff
Ruxmon feb 2013 what happened to rails
snyff
Harder Faster Stronger
snyff

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
System Identification: Tutorials Presented at the 5th IFAC Symposium on Identification and System Parameter Estimation, F.R. Germany, September 1979 Elsevier Books Reference
(4/5)
Free
Energy Conservation in Buildings: The Achievement of 50% Energy Saving: An Environmental Challenge? Elsevier Books Reference
(4/5)
Free
Young Men and Fire: Twenty-fifth Anniversary Edition Norman Maclean
(4.5/5)
Free
Longitude: The True Story of a Lone Genius Who Solved the Greatest Scientific Problem of His Time Dava Sobel
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
Driven: The Race to Create the Autonomous Car Alex Davies
(4.5/5)
Free
Dignity in a Digital Age: Making Tech Work for All of Us Ro Khanna
(4/5)
Free
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free

Entomology 101

  1. 1. 1 Entomology 101 L o u i s N y f f e n e g g e r 
 L o u i s @ p e n t e s t e r l a b . c o m @ s n y f f / @ P e n t e s t e r L a b A n i n t r o d u c t i o n t o s t u d y i n g , c o l l e c t i n g a n d f i n d i n g b u g s . . .
  2. 2. 2 My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.
  3. 3. 3 If you are like me, you are more likely to find bugs by learning existing patterns and derive from them than by trying to discover a completely new bug class.
  4. 4. 4 Collecting bugs Follow (security) mailing lists from known big projects: • Apache (announce@apache.org) • Ruby-on-Rails (rubyonrails-security@googlegroups.com) • ... Mailing lists Bug bounty programs/hunters sometime disclosed the bug discovered by bug bounty hunters: • Twitter account: https://twitter.com/disclosedh1 • Bugcrowd: inurl:https://bugcrowd.com/disclosures • H1 Hacktivity https://hackerone.com/hacktivity • Bug bounty write-ups from bug bounty hunters Bug bounty disclosures
  5. 5. 5 Collecting bugs Mailing lists
  6. 6. 6 Collecting bugs Follow security researchers and bounty hunters: • Too many to list • Too risky to list and forget someone • Try to find people who share information on bugs • Try to find people with a high signal/noise ratio Twitter • Conferences and local meetups • Project Zero trackers: https://bugs.chromium.org/p/project-zero/issues/list • Blogs (RSS) • Reddit /r/netsec • CTF • ... Other sources
  7. 7. 7 Studying bugs 1.Find the vulnerable version and the fixed version 2.Extract a diff to see the changes (literally a few clicks on GitHub) 3.Profit: • You now know what the vulnerable code looks like • You now know what the bug precisely is • You have an idea on the exploitability of the issue • You know how to properly (hopefully) fix this type of issues • You learn a little bit about the codebase Check the source code
  8. 8. 8 Studying bugs Check the source code Check the source code
  9. 9. 9 Studying bugs • It allows you to learn how to deploy software • Sometime it is just one command (thanks to docker/docker hub) • Study someone's exploit • Build your own exploit • Exploit the issue • Find more bugs in the same test environment Build a test environment
  10. 10. 10 Studying bugs • Try to find the same pattern in the same project • Try to find the same pattern in other project • Try to see what this pattern looks like in other languages/framework Extrapolate • Keep notes on the bug and source code • Keep the exploit (and tools to run it) • Maybe share this in a blog post Document your findings
  11. 11. 11 Studying bugs • Do a write-up/blog post • Do a talk at work/school/local meetup • Tweet about something people may not know/have realised Share
  12. 12. 12 Hunting for bugs • Bug Bounty programs (limited access to source code) • GitHub trending (https://github.com/trending) • DigitalOcean Marketplace (https://marketplace.digitalocean.com/) • HackerNews • ... Finding your targets • Build a test environment (with enhanced debugging if possible) • Get familiar with the source code (if available) • Pick few of the weird patterns for the language/framework used (based on your collecting) • Spend hours in front of a computers • Learn by actually searching for bugs! • Remember your goal is not to find bugs, it is to learn how to find bugs! Getting started
  13. 13. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 13 Hunting for bugs Going deeper
  14. 14. 14 Hunting for bugs Going deeper With a constant 30% drop rate 70% 49% 34% 24% 16% 11% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #"
  15. 15. With a constant 50% drop rate 50% 25% 13% 6% 3% 1.5% This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 15 Hunting for bugs Going deeper
  16. 16. Optimizing based on your bug collection This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 16 Hunting for bugs Learn from your bug collection
  17. 17. This is an ✌ encrypted ✌ blob Does not look there for bugs This is base64-encoded serialized data but it is signed The signature is using RSA The key is strong The key is stored in a secure place The key is shared between all instances of the application " " " " " # # # # # #" 17 Hunting for bugs Impact on teams Impact of automation
  18. 18. 18 Quality bugs • Weirdness • Complexity of the exploitation • No one found it before • A somehow new pattern • High visibility What makes a bug great?
  19. 19. 19 What do with your bugs? • It feels good • It can be long and tedious • It can be a good way to gain exposure when looking for a job Responsible/Coordinated disclosure • Selling • Reporting via one or multiple Bug Bounty programs • Sending a patch • Bug hoarding Other ways
  20. 20. 20 Some of my favourite bugs CVE-2012-2661 CVE-2012-6081 CVE-2014-1266
  21. 21. 21 CVE-2012-2661 • Rails is supposed to prevent SQL injection by design • No public exploit available • First to release details on how to exploit it • Free ISO and course on how to exploit it on PentesterLab.com SQL Injection in Ruby-on-Rails • Rails has caching on the injectable part • Each query needs to be unique • Completely blind Exploitation
  22. 22. 22 CVE-2012-6081 • Used to hack Python and Debian's wiki • Brillant exploitation • Free ISO and course on how to exploit it on PentesterLab.com RCE in MoinMoin wiki • Directory traversal in upload (only in the filename's extension) • The payload can't contain any dots • File uploaded is tar'd (adds a limit of max 100 bytes to avoid @LongLink) • Payload needs to be a valid MoinMoin plugin (Python) Exploitation drawing.z if()else() import os def execute(p, r): exec"print>>r,os56popen(r56values['c'])56read()"
  23. 23. 23 CVE-2014-1266 • TLS verification bypass • Public Key pinning bypass • Targets a cipher that provides forward secrecy Apple goto fail; • Set up a malicious server with the legitimate certificate and any private key • Force the cipher to the vulnerable one • Get the victim to visit your site Exploitation
  24. 24. 24 Let’s get started! 
 Try to pick one bug per month and study it (code diff/test lab/exploit). I am convinced you will learn a tremendous amount about software security
  25. 25. And then you can do a talk at Ruxmon on this bug!
  26. 26. 26 Thanks for your time! Any questions? @snyff @PentesterLab

×