Bug Bounty #Defconlucknow2016

download Bug Bounty #Defconlucknow2016

If you can't read please download the document

  • date post

    15-Feb-2017
  • Category

    Internet

  • view

    1.229
  • download

    0

Embed Size (px)

Transcript of Bug Bounty #Defconlucknow2016

PowerPoint Presentation

Bug BountyShubham Gupta & Yash Pandya

1

About Us

2

Shubham GuptaJust another random guy interested in security

Web Application Hacker

Security Consultant at Pyramid Cyber Security & Forensic

Ive been got acknowledgement by more than 100 companies like as Google, Microsoft, Twitter, Yahoo, Adobe. Among top 100 bug hunter in Hackerone.

Penetration tester

3

Yash Pandya 23 yr old Electronics and communication engineer from Gujarat .

ihave experience in R&D on Embedded systems , networking, image processing, Robotics ,RTOS and Web application security.

Working as a Senior Security tester at IGATE GLOBAL Solutions.

Ive been got acknowledgement by more than 100 companies like as Google, Microsoft, Yahoo, Apple, AT&T.

My primary goal is to give contribution towards open source technologies and make cyber space more secure and safer.

4

AgendaIntroduction Why bug hunting?How to do bug hunting?Quick TipsPOCPros and Cons of bug hunting.Q&A

5

INTRODUCTION

6

A Brief History of Bug Bounty Programs.

- 1995 (Net Scape)

- 2004 (FIREFOX)

- 2005

- 2007

- 2010

- 2011

- 2012

- 2013

-2013(Cobalt)

- 2013 (Synack)

7

Now even a College dropout or even school boy can do that seating at home so BIG THANKS TO BUGBOUNTY PROGRAMME!!! :D

In 2015 few researchers set a great example for community by earning 5,00,000$/year without doing any job.

BYE BYE !!!!

2015 was really challenging year for BUGBOUNTY Hunters.Because > was not gonna work :P .

8

In 2015 bug hunters Proved that

Bug hunters going to do anything to earn more money in 2015 because of that they started thinking out of the box scenarios.

Some of the creative and impressive bugs reported in 2015 are as below:

Svg File upload xss. CSV Injections EL Injections. Sub domain takeover Same Origin bypass

9

Bug bounty hunters dream hall of fame companies

10

Why to invest time in hunting bugs rather then development?

11

Why bug hunting?Chances of finding bugs to put on your cv.

Possibility of getting job.

lots of money in very less time

Cool T-shirts, Hoodies, Mugs and many more swags

Recognition

ConnectionsLess security breaches

Enjoyment

Person will Learn to work hard because of Competition

12

Types of bugs. Web Vulnerabilities.

Software Products Vulnerabilities

Browser Vulnerabilities

Network Vulnerabilities

Mobile app Vulnerabilities.

Hardware Vulnerabilities.

13

How to kickoff for hunting bugs?

14

How to do bug hunting? Bug hunting is all about Exploring Weaknesses and Experimentation.

It requires 30% programming knowledge and 70% logical out of box thinking.

Try each and every Combination to exploit bug . Dig dipper. Try more to find logical bugs it will increase your chance for higher payouts and reduce chances for Duplicates.

15

OWASP Testing Guide / Web Application Hackers handbook. Public reports and papers from .

https://packetstormsecurity.com/http://h1.nobbd.de/https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

Tools Burp/ZAP/Fiddeler. Ironowasp. Appwatch Appie

16

QUICK TIPS

17

Quick Tips Dont use scanner.

Use Google Dorks. EX: inurl: src|path|link|url filetype:asp|aspx|jsp|jspa|php

Make your own.

Create Google alerts for recent changes in Bug bounty programmes or for any other security related blogs.

18

Look out for information disclosure which are quick to find:https://www.site.com/.htaccess if you are lucky then you will get access of .htaccess. Now go and report this bug and earn some $$ . Go to https://www.site.com/server-status GO to https://www.site.com/.svn/entries .Try for Directory traversal using python script and using it try to find RCE .

IDOR by changing id parameters in request .

Unauthorized access of Data. Ex: Try to access pics or conversations or files which is deleted using api.

19

Try to Complete CTF, online hacking Challenges.

Attend Webinars, Security Conferences.

Make Good relations with other security researchers and try to learn something from them.

Try to report Exploitable bugs .Dont waste your and others time by reporting Non-Exploitable issues.

Try to test each platform IOS, ANDROID, SOFTWARE , Web Applications.

Read as much as you can.

20

POC

21

Svg XSS

One of the most unique bug of 2015 and easy to find.

Most of the web based projects include svg for a clear and interactive user experience.

22

To verify this answer I created an svg file with an XSS vector below and started testing the websites that allow images .

23

24

Most of the site is vulnerable for svg xss.

25

I was like

26

5 IDOR in GOOGLES ACQUISITIONTitle: IDOR : DELTE any user's Pagerduty services from stack driver. URL: https://app.stackdriver.com/settings/notifications/pagerduty/

Steps to reproduce:

1. go to https://app.stackdriver.com/settings/notifications/pagerduty/2. Add service3. click on delete service4. capture the request using burp suite5. From Captured request change notification_method_id=any value6. Remove x-CsrfToken value from request.7. submit the request

you can successfully delete pagerduty service of any user.

27

Request: GET /api/settings/policies-by-notification-method?notification_method_id=821&notification_method_type=pagerduty HTTP/1.1Host: app.stackdriver.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate X-CSRFToken: sNLQRp560GcTsDf228EWmzhoAfRt3XMg Referer: https://app.stackdriver.com/settings/notifications/pagerduty/ Cookie: __utma=25593471.1715845722.1411286450.1444643859.1445864251.5; csrftoken=sNLQRp560GcTsDf228EWmzhoAfRt3XMg;

28

Some time you can be lucky

29

Subdomain Takeover in Avant

Parth thanks for writing that code

30

31

Insecure Internal Storage

32

DOS AND DONTS

33

Dos and Donts When dont pay dont invest much time.Dont be a script kiddie always dig dipper.Play by your own rulesLearn about the most common eligible vulnerabilities, how to find them, and how to increase your chances of receiving rewards. Become an effective hunter and start reporting bugs for cash in no time.

34

Thanks

35

What to do with bug bounties?

36

Spend like a billionaire

37

Do the donation this is How you become a true billionaire

38

39

40