Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nullcon 2017

Posted 19-Mar-2017 (category: Technology)

Transcript of Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nullcon 2017

Bug Bounty Reports - How Do They Work?
Adam Bacchus, Chief Bounty Officer - HackerOne
Nullcon - March 2017

Agenda#
Intro
Know your audience
The Report
Security Team 101
The Good, The Bad, The Ugly
Resources
Next Steps
Q & A

Intro#Let's get it started

Adam Bacchus

Work: Pentester (~4 yrs), Google (~4 years), Snapchat (~1 year), HackerOne (~1 year)

Play: Gaming, Playing with fire

#

HackerOne#
Bug bounty platform where you can find organizations to hack on
Uber, Twitter, Snapchat, Starbucks, and tons more
100,000+ hackers to learn from, like our buddy geekboy :)
$14 million USD (₹934m) in bounties paid to hackers!

Why does this matter?#
...better bug reports...
...better relationships...
...better bounties!

Better bug reports result in a quicker turnaround time from the security team responding to your request.

You'll also learn how to build a better reputation and relationships with security teams.

And in the end, this will all result in higher chances of getting bigger bounties!

Some Quick Terminology#

Vulnerability#weakness of software, hardware, or online service that can be exploited

Report#an awesome write-up of the bug you've found

Vulnerability Disclosure#the process by which an organization receives and disseminates information about vulnerabilities in their products or online services

Bug Bounty Program#vulnerability disclosure, but with monetary incentives

Security Team#the people reading and responding to your bug reports, handling vulnerability management, paying out bounties, etc.

Know Your Audience#

#

"I don't believe in elitism. I don't think the audience is this dumb person lower than me. I am the audience."

Quentin Tarantino

Scope#What is it?

Scope#In scope: List of websites, apps, IoT, etc. that are okay to hack

Scope#Out of scope: Stay away!

Scope#Why are things out of scope?
Infrastructure can't handle scans
Security team already knows it needs work
Security team is starting small and working their way up
Hosted by a third party; security team doesn't control it

Scope#What if I find a new scope?

Scope#Don't be afraid to ask!

But keep expectations low - they might not be ready for the new scope yet.

This is huge - *always* ask first before going crazy on an unlisted scope. You might end up wasting your entire weekend on a domain that ends up not even belonging to the organization!

SLA - Service Level Agreement#an official commitment that prevails between a service provider and the customer. Particular aspects of the service quality, availability, responsibilities are agreed between the service provider and the service user.

A Service For Hackers#That's right - a vulnerability disclosure/bug bounty program is a service, to you, the hacker.

What should a security team provide?#How much time for...
...first response
...bounty decision
...remediation

What if the security team doesn't have SLAs?#

(didn't we see this slide already?)#Don't be afraid to ask!

"What's your normal turnaround time on X?"

What are typical SLAs?#
First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage
Remediation depends on severity:
Critical = 1-2 days
High = 1-2 weeks
Medium = 4-8 weeks
Low = 3 months

What NOT to do#
Send report
Five minutes later... "update plz!"
Ten minutes later... "bounty plz!"

The Report#

Reproduction Steps#

Specific, detailed, step by step instructions on how to reproduce the vulnerability.

Reproduction Steps - The Wrong Way#
1. You got an XSS on the name BOOM!!!
2. Where's my bounty?

Reproduction Steps - The Right Way#
1. While logged in, navigate to your profile at 
2. Click the Edit button in the upper right
3. Change your first name to >
4. Click Save
5. Navigate to your profile at ; the XSS should fire

Exploitability#How would a real attack work? Think like an attacker!

Exploitability#If an attack isn't exploitable, how much does a security team care about it?

Exploitability - The Wrong Way - Clickjacking#
Navigate to 
X-Frame-Options header is missing
???
Profit?

Exploitability - The Right Way - Clickjacking#
Navigate to 
X-Frame-Options header is missing
You can use clickjacking to trick a user into deleting their account. See attached HTML file for a PoC.
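The "header is missing" observation above is only the first half of the story: a page can also be protected by a Content-Security-Policy frame-ancestors directive (which browsers honour in preference to X-Frame-Options), and an obsolete ALLOW-FROM value protects nothing. The following is an added example, not code from the talk or from HackerOne, written from the triage side: it parses a raw HTTP response, decides whether the page is actually frameable, and then applies the talk's later point about "the bar" (clickjacking on a page with only static content is not worth a developer's time, while a frameable page with a state-changing action such as the account-deletion button is). All sample responses are constructed; `has_sensitive_action` is an assumed input that the reporter supplies from their own inspection of the page.

```python
# Added example (not from the talk): decide from an HTTP response's headers whether
# a page can be framed, and whether a missing-X-Frame-Options finding clears the bar.
# Sample responses below are constructed, not captured from any real site.


def parse_response_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response.

    Returns a dict of lower-cased header name -> value; repeated headers are
    joined with ", " (the list-field convention of RFC 9110).
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def frame_ancestors(csp_value: str):
    """Return the source list of the frame-ancestors directive, or None if absent.

    An empty source list (bare "frame-ancestors") means 'none' per the CSP spec.
    """
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers: dict) -> dict:
    """Classify framing protection the way a current browser applies it.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    X-Frame-Options only counts if its value is DENY or SAMEORIGIN: ALLOW-FROM
    is obsolete and ignored by current browsers, so it provides no protection.
    """
    ancestors = frame_ancestors(headers.get("content-security-policy", ""))
    xfo = headers.get("x-frame-options", "").strip().upper()
    if ancestors is not None:
        # "*" or a bare scheme source lets any origin frame the page
        open_sources = ("*", "http:", "https:")
        protected = not any(a.lower() in open_sources for a in ancestors)
        return {"protected": protected, "mechanism": "csp-frame-ancestors",
                "value": " ".join(ancestors)}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "value": xfo}
    return {"protected": False, "mechanism": "none", "value": xfo}


def clickjacking_finding(headers: dict, has_sensitive_action: bool) -> str:
    """Triage a framing finding against 'the bar'.

    "not-a-finding"  - the page is protected, so there is nothing to report
    "below-the-bar"  - frameable, but only static content: no exploitable action
    "report"         - frameable and hosts a state-changing action a framed
                       click could trigger (e.g. an account-deletion button)
    """
    if framing_policy(headers)["protected"]:
        return "not-a-finding"
    return "report" if has_sensitive_action else "below-the-bar"


# Constructed sample responses
RESPONSE_NO_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESPONSE_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
RESPONSE_CSP_WINS = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)
RESPONSE_CSP_OPEN = "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n"

if __name__ == "__main__":
    samples = [("no headers", RESPONSE_NO_HEADERS), ("xfo", RESPONSE_XFO),
               ("csp wins", RESPONSE_CSP_WINS), ("csp open", RESPONSE_CSP_OPEN)]
    for label, raw in samples:
        h = parse_response_headers(raw)
        print(label, framing_policy(h), clickjacking_finding(h, has_sensitive_action=True))
```

The point for the report writer is the third sample: an X-Frame-Options header that looks weak is irrelevant once frame-ancestors 'none' is present, so a report that only says "header is missing" can be wrong as well as low-impact. The verdict string maps directly onto the talk's advice: only the "report" case deserves a write-up, and that write-up should name the action a framed click would trigger.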

Exploitability - The Wrong Way - Server Info#
Your server at  is showing banner information and is out of date.
???
Profit?

Exploitability - The Right Way - Server Info#
Your server at  is running an outdated version of .
I've verified it's vulnerable to a known XSS which can be used to steal and hijack users' sessions. Here are the repro steps.

Impact#
We know how to repro
We know exploitability / attack vector
So now what?

Impact#What happens if this vulnerability gets exploited?

What does the security team care about most?

#Put yourself in the organization's shoes

Industry | Compliance | What they care about
Healthcare | Health Insurance Portability and Accountability Act (HIPAA) | PII (Personally Identifiable Information), e.g. patient data
eCommerce / Retail | Payment Card Industry Data Security Standard (PCI-DSS) | User data, especially credit card info
Government (U.S.) | The Federal Information Security Management Act (FISMA) | Employee info, classified info
Finance | Gramm-Leach-Bliley Act (GLBA), PCI-DSS | Consumer and investor financial data
Education | Family Educational Rights and Privacy Act (FERPA) | Student records
Technology | It depends! | It depends!

#Put yourself in the organization's shoes
User information disclosure of first and last name. Where is the impact bigger?

or...


Impact - The Wrong Way#You have an XSS

Profit?

Impact - The Right Way#
Here's a PoC to steal session info via XSS.
Exploiting this against a regular user would allow access to view and modify their name, address, birthdate, as well as transfer all money out of their account.

Impact#What is CIA?

Confidentiality - Integrity - Availability

Confidentiality#...information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity#Ensuring data cannot be modified in an unauthorized or undetected manner.

Availability#Information must be available when it is needed.

Impact - CIA#Think about how your vulnerability impacts the Confidentiality, Integrity, and Availability of the organization's assets.

The Bar#What is it?

The Bar#

The Bar#The minimum severity vulnerability that qualifies for a program.

The Bar#Every organization cares about different things.

It's all about context.

The Bar#Ask yourself:

"If I were the security team, is this important enough that I'd want to bother a developer to fix it?"

The Bar#So you've found clickjacking on a page with only static content?

The Bar - Open Redirects#
Is Open Redirect technically a vulnerability? Yes.
Does company XYZ care? Probably not.
Why not?

The Bar - Logout XSRF#
Is Logout XSRF technically a vulnerability? Yes.
Does company XYZ care? Probably not.
Why not?

The Bar#Vulns can be 100% accurate, but so what?

(this slide AGAIN!?)#Don't be afraid to ask!

"Do you care about vulnerabilities like X?"

Public Disclosure#What is it?

After the bug is fixed, the security team and hacker agree to disclose the report as an example for the bug bounty community.

The Good, The Bad, The Ugly#Bug Bounty Reports IRL

Reports IRL - The Good, The Bad, The Ugly#Let's take a look at some real-life examples...

The Good - hackerone.com/reports/143717#
Report: Changing any Uber user's password
Bounty: $10,000 USD

Let's check it out!

Another good report, if there's time: https://hackerone.com/reports/149907

The Bad - hackerone.com/reports/156098#
Report: XSS At "pages.et.uber.com"
Bounty: um...


The Ugly - hackerone.com/reports/137723#
Report: vulnerabilitie
Bounty: we get to laugh at the report?

Let's check it out!

Resources#

Resources#
Web Application Hacker's Handbook
Web Hacking 101
Google Bughunter University
Google Gruyere
Burp Suite
Bug Bounty Reports - How Do They Work?

Hacktivity! https://hackerone.com/hacktivity

#

Recap#

Quick Recap#
Know your audience!
Think from the security team's perspective: "I am the audience"
Repro + Exploitability + Impact
Ask questions, get clarity

Any questions?#

Thank You#
Adam Bacchus
adam@hackerone.com
@sushihack
linkedin.com/in/adambacchus/
facebook.com/sushihack

#