nbt con december-2014-slides
Page 1
Bug Bounty 101
(Web Applications)
BEN SADEGHIPOUR (@NAHAMSEC)
HTTP://NAHAMSEC.COM
Page 2
Why bug bounties?
Chances of finding bugs to put on your resume.
Possibility of getting a job in the industry.
Opportunity to make money while attending college.
Fewer security breaches (hopefully).
Better and more secure apps.
More researchers from all over the world.
More experience.
More bugs.
Page 3
What are some popular programs?
Page 4
Google:
Min. payout: $1337
Acquisitions’ min. payout: $100
Max. payout: $20,000
What are some popular programs?
Page 5
Google XXE (Custom XML)
Page 6
Google XXE
Page 7
Yahoo:
Min. payout: $50
Max. payout: $15,000
What are some popular programs?
Page 8
Flickr SQL Injection
PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables-- -
Page 9
Did I say SQL Injection?
Remote Command execution
PAYLOAD: order_id=-116564954 union select load_file("/etc/passwd"),2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -
Page 10
Facebook:
Min. payout: $500
Max. payout: Unknown (Million dollars?)
Not enough details published by researcher
What are some popular programs?
Page 11
Microsoft (Online services):
Started on September 23, 2014
Min. payout: $500
Max. payout: Unknown
What are some popular programs?
Page 12
GitHub
PayPal and Magento
Square
cPanel/WHMCS
Complete list:
https://bugcrowd.com/list-of-bug-bounty-programs
What are some popular programs?
Page 13
What are some popular platforms?
Page 14
What are some popular platforms?
BugCrowd
Managed or unmanaged programs
13,300 Researchers from all over the world
155 Bounties.
30,000+ Submissions.
Max Single Payout: $13,000.
Page 15
What are some popular platforms?
CrowdCurity
Web application security
Main focus on bitcoin
~1500 Researchers
Page 16
What are some popular platforms?
SYNACK
Customer details: unknown.
Number of researchers: unknown.
Requires a written and a practical test.
Focused on web applications as well as:
Host
Mobile
Reverse Engineering
Hardware
Page 17
What are some popular platforms?
HackerOne
“Security Inbox”.
1,004 Hackers thanked.
71 Public programs.
$1.58M Bounties paid.
4,987 Bugs fixed
Internet bug bounty:
PHP
Ruby
Apache.
Etc.
Page 18
The Basics of Bug Bounties.
Read the program rules.
Scope of the program.
Payout based on bug type.
Requirements.
How to get an account on their platform?
Respect the program’s decisions.
Respect other researchers.
Quality vs Quantity.
Reputation in the industry.
Don’t make any threats.
Don’t ask for money or “swag” if it’s not mentioned in the rules.
Don’t compare two programs.
Two programs = different budgets.
Don’t lie while comparing two programs.
Don’t audit without permission.
Legal issues.
Page 19
Quality vs Quantity
Most programs have an accurate reputation system
Google.
PayPal.
BugCrowd (accuracy).
HackerOne (reputation).
Better reputation = more opportunities:
Private events.
Private Programs.
Page 20
More isn’t always better.
Total points vs. accuracy
Page 21
Maximizing your payout
Don’t doubt yourself.
You may still be the first to find it.
Check everything!
Every parameter.
Every POST request.
User input validation.
Forms.
Profile pages.
Filters (can you bypass them?)
Don’t go for the low-hanging fruit:
Higher payout for critical vulnerabilities.
You may find some low-severity bugs while looking for more critical ones.
Lower chance of duplicates.
Page 22
Methodology
Pick a target.
Pick an application.
Pick a vulnerability type.
Google:
site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
Page 23
Pick up a pattern
Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.
3 SQL Injections on Yahoo found by using Google.
site:hk.*.yahoo.com + inurl:"id" + filetype:html
Try the same idea with other programs.
Profit!
Page 24
Picking up a pattern?
(Not my sponsors. Just vulnerable to the same bug)
Page 25
Ruby on Rails
File Name Enumeration:
\../\../\../\../\../\../etc/passwd
Possible Full Path Disclosure (FPD)
File not found vs 404?
CVE-2014-7829
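As an added defensive example, not part of the original slides: a small Python log scanner that flags the two request shapes shown in this deck, the union/information_schema/load_file payloads from the Flickr SQL injection slides and the backslash-prefixed traversal from this Rails slide (CVE-2014-7829). The access-log lines are constructed for the example; the detector percent-decodes the request target before matching so encoded variants are not missed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the slides); the query strings
# mirror the deck's payload shapes, percent-encoded as a client would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2014:10:00:01 +0000] "GET /order?order_id=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2014:10:00:02 +0000] "GET /order?order_id=-116564954%20union%20select'
    '%20group_concat(table_name),2,3%20from%20information_schema.tables--%20- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Dec/2014:10:00:03 +0000] "GET /order?order_id=-1%20union%20select'
    '%20load_file(%22/etc/passwd%22),2,3--%20- HTTP/1.1" 200 4096',
    '10.0.0.7 - - [01/Dec/2014:10:00:04 +0000] "GET /assets/%5C../%5C../%5C../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Dec/2014:10:00:05 +0000] "GET /assets/app.css HTTP/1.1" 200 300',
]

# Request line inside a Common Log Format record.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Union-based injection markers from the Flickr payloads: the UNION SELECT
# itself, information_schema enumeration, and file reads through load_file().
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("file_read", re.compile(r"\bload_file\s*\(", re.I)),
]
# Dot-dot segments delimited by slash or backslash: catches the CVE-2014-7829 form (\../) and ../
TRAVERSAL_RE = re.compile(r"[\\/]\.\.[\\/]")

def decode(target):
    """Percent-decode until stable (max 3 rounds) so double encoding is not missed."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return the indicator names that match one log line ([] for clean lines)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = decode(m.group("target"))
    hits = ["sqli:" + name for name, rx in SQLI_PATTERNS if rx.search(target)]
    if TRAVERSAL_RE.search(target):
        hits.append("traversal")
    return hits

def scan(lines):
    """Map line index to indicators for every line that triggered at least one."""
    return {i: h for i, h in ((i, classify(l)) for i, l in enumerate(lines)) if h}
```

The 404 on the traversal line is the point of the "file not found vs 404?" slide: a status that differs between existing and missing files is what turns a blocked read into an existence oracle, so the status column is worth correlating alongside these hits.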
Page 26
Making a Report
Be very specific.
Provide step-by-step instructions.
Include all the details needed in order to reproduce the issue.
Provide an attack scenario.
Why is it a big deal?
Can you access major private data?
Are you targeting a single user?
Provide screenshots if needed.
If you create a video, make it accurate, quick, and professional.
Page 27
Good vs. Bad
Don’t copy and paste others’ published reports
Program #1 by reporter #1 (18 days ago)
Page 28
Good vs. Bad
Program #2, Reporter #2 (Reported 11 days ago)
Page 29
Original report
Original report on HackerOne (Reported a month ago)
Page 30
Details!
http://blog.bugcrowd.com
Page 31
Public Disclosure
Ask for permission before you publish anything
Varies with each program
BugCrowd – Just ask for each program.
HackerOne – Request public disclosure.
Email.
Some may decide not to disclose the vulnerability due to sensitive information.
Example Yahoo:
Configurations
Path
Internal IP addresses
Username/Password
Page 32
Future of Bug Bounties
More and more companies will start to offer bounties (hopefully!)
Amazon
Apple
eBay
Sony (Surprise!!)
More companies offering money and not “swag”.
Less free bugs.
Page 33
Achievements from Bug Bounties
Connections.
Free services from different companies.
Job offer(s).
Some cash.
Lots of experience.
Page 34
Learn from your peers!
Read on how others are approaching different vulnerabilities:
@Securatary (http://uzbey.com/bbp-funding)
@FransRosen (http://detectify.com)
@BitQuark (http://bitquark.co.uk)
@Fin1te (http://fin1te.net)
More awesome researchers:
http://Bugcrowd.com/leaderboard
https://www.crowdcurity.com/hall-of-fame
http://Hackerone.com/thanks
Page 35
Questions?
BEN SADEGHIPOUR (@NAHAMSEC)
HTTP://NAHAMSEC.COM