
Entomology 101


Bug hunting, web security, web hacking

Published in: Technology


  1. Entomology 101
     Louis Nyffenegger, Louis@pentesterlab.com, @snyff / @PentesterLab
     An introduction to studying, collecting and finding bugs...
  2. My job is to find, collect and study bugs to teach people how they can find, fix and exploit bugs.
  3. If you are like me, you are more likely to find bugs by learning existing patterns and deriving from them than by trying to discover a completely new bug class.
  4. Collecting bugs
     Mailing lists: follow the (security) mailing lists of known big projects:
     • Apache (announce@apache.org)
     • Ruby-on-Rails (rubyonrails-security@googlegroups.com)
     • ...
     Bug bounty disclosures: bug bounty programs and hunters sometimes disclose the bugs discovered by bug bounty hunters:
     • Twitter account: https://twitter.com/disclosedh1
     • Bugcrowd: inurl:https://bugcrowd.com/disclosures
     • H1 Hacktivity: https://hackerone.com/hacktivity
     • Bug bounty write-ups from bug bounty hunters
  5. Collecting bugs: Mailing lists
  6. Collecting bugs
     Twitter: follow security researchers and bounty hunters:
     • Too many to list
     • Too risky to list and forget someone
     • Try to find people who share information on bugs
     • Try to find people with a high signal/noise ratio
     Other sources:
     • Conferences and local meetups
     • Project Zero tracker: https://bugs.chromium.org/p/project-zero/issues/list
     • Blogs (RSS)
     • Reddit /r/netsec
     • CTF
     • ...
  7. Studying bugs: Check the source code
     1. Find the vulnerable version and the fixed version
     2. Extract a diff to see the changes (literally a few clicks on GitHub)
     3. Profit:
     • You now know what the vulnerable code looks like
     • You now know precisely what the bug is
     • You have an idea of the exploitability of the issue
     • You know how to properly (hopefully) fix this type of issue
     • You learn a little bit about the codebase
  8. Studying bugs: Check the source code
  9. Studying bugs: Build a test environment
     • It allows you to learn how to deploy software
     • Sometimes it is just one command (thanks to Docker / Docker Hub)
     • Study someone's exploit
     • Build your own exploit
     • Exploit the issue
     • Find more bugs in the same test environment
  10. Studying bugs
     Extrapolate:
     • Try to find the same pattern in the same project
     • Try to find the same pattern in other projects
     • Try to see what this pattern looks like in other languages/frameworks
     Document your findings:
     • Keep notes on the bug and the source code
     • Keep the exploit (and the tools to run it)
     • Maybe share this in a blog post
  11. Studying bugs: Share
     • Do a write-up/blog post
     • Do a talk at work/school/local meetup
     • Tweet about something people may not know/have realised
  12. Hunting for bugs
     Finding your targets:
     • Bug Bounty programs (limited access to source code)
     • GitHub trending (https://github.com/trending)
     • DigitalOcean Marketplace (https://marketplace.digitalocean.com/)
     • HackerNews
     • ...
     Getting started:
     • Build a test environment (with enhanced debugging if possible)
     • Get familiar with the source code (if available)
     • Pick a few of the weird patterns for the language/framework used (based on your collecting)
     • Spend hours in front of a computer
     • Learn by actually searching for bugs!
     • Remember: your goal is not to find bugs, it is to learn how to find bugs!
  13. Hunting for bugs: Going deeper
     Chain of assumptions from the slide diagram (each one is a point where people stop looking):
     • This is an ✌ encrypted ✌ blob → does not look there for bugs
     • This is base64-encoded serialized data, but it is signed
     • The signature is using RSA
     • The key is strong
     • The key is stored in a secure place
     • The key is shared between all instances of the application
  14. Hunting for bugs: Going deeper
     With a constant 30% drop rate at each step of the chain above, the share of people still looking is: 70%, 49%, 34%, 24%, 16%, 11%
  15. Hunting for bugs: Going deeper
     With a constant 50% drop rate: 50%, 25%, 13%, 6%, 3%, 1.5%
  16. Hunting for bugs: Learn from your bug collection
     Optimizing based on your bug collection
  17. Hunting for bugs: Impact on teams / Impact of automation
  18. Quality bugs: What makes a bug great?
     • Weirdness
     • Complexity of the exploitation
     • No one found it before
     • A somewhat new pattern
     • High visibility
  19. What to do with your bugs?
     Responsible/Coordinated disclosure:
     • It feels good
     • It can be long and tedious
     • It can be a good way to gain exposure when looking for a job
     Other ways:
     • Selling
     • Reporting via one or multiple Bug Bounty programs
     • Sending a patch
     • Bug hoarding
  20. Some of my favourite bugs: CVE-2012-2661, CVE-2012-6081, CVE-2014-1266
  21. CVE-2012-2661: SQL Injection in Ruby-on-Rails
     • Rails is supposed to prevent SQL injection by design
     • No public exploit available
     • First to release details on how to exploit it
     • Free ISO and course on how to exploit it on PentesterLab.com
     Exploitation:
     • Rails has caching on the injectable part
     • Each query needs to be unique
     • Completely blind
  22. CVE-2012-6081: RCE in MoinMoin wiki
     • Used to hack Python's and Debian's wikis
     • Brilliant exploitation
     • Free ISO and course on how to exploit it on PentesterLab.com
     Exploitation:
     • Directory traversal in upload (only in the filename's extension)
     • The payload can't contain any dots
     • The uploaded file is tar'd (adds a limit of max 100 bytes to avoid @LongLink)
     • The payload needs to be a valid MoinMoin plugin (Python)
     Payload shown on the slide:
       drawing.z
       if()else()
       import os
       def execute(p, r): exec"print>>r,os56popen(r56values['c'])56read()"
  23. CVE-2014-1266: Apple goto fail;
     • TLS verification bypass
     • Public Key pinning bypass
     • Targets a cipher that provides forward secrecy
     Exploitation:
     • Set up a malicious server with the legitimate certificate and any private key
     • Force the cipher to the vulnerable one
     • Get the victim to visit your site
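As an added illustration of the goto fail; pattern behind CVE-2014-1266 (not code from the slides or from Apple; the hash and verify calls are constructed stubs standing in for SecureTransport's internals), the vulnerable control flow next to the fixed one. The duplicated unconditional goto jumps to the cleanup label while err is still 0, so the ServerKeyExchange signature check is never executed and the function reports success; that check only runs for ephemeral (forward-secrecy) key exchanges, which is why the slide says the bug targets such a cipher.

```c
typedef int OSStatus;
/* Constructed status codes standing in for SecureTransport's own. */
enum { STATUS_OK = 0, STATUS_BAD_SIGNATURE = -1 };

/* Hypothetical stubs: hashing steps always succeed; raw_verify is the
 * signature check whose verdict should decide the whole function. */
static OSStatus hash_update(int step) { (void)step; return STATUS_OK; }
static OSStatus raw_verify(int signature_is_valid) {
    return signature_is_valid ? STATUS_OK : STATUS_BAD_SIGNATURE;
}

/* Vulnerable shape of CVE-2014-1266: the second "goto fail;" is not
 * guarded by an if, so it always executes with err == STATUS_OK and the
 * function returns success before raw_verify() is ever called. */
OSStatus verify_server_key_exchange_vulnerable(int signature_is_valid) {
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
        goto fail; /* the duplicated line: indentation hides that it is unconditional */
    if ((err = hash_update(3)) != 0)
        goto fail;
    err = raw_verify(signature_is_valid); /* never reached */
fail:
    return err;
}

/* Fixed shape: one guarded goto per step, so control always reaches
 * raw_verify() and a bad signature is reported to the caller. */
OSStatus verify_server_key_exchange_fixed(int signature_is_valid) {
    OSStatus err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
    if ((err = hash_update(3)) != 0)
        goto fail;
    err = raw_verify(signature_is_valid);
fail:
    return err;
}
```

Building with -Wunreachable-code (clang) flags the dead raw_verify() call in the vulnerable version, which is the kind of check that would have caught this class of defect.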
  24. Let's get started!
     Try to pick one bug per month and study it (code diff/test lab/exploit). I am convinced you will learn a tremendous amount about software security.
  25. And then you can do a talk at Ruxmon on this bug!
  26. Thanks for your time! Any questions? @snyff @PentesterLab
