Bug Bounty for - Beginners

Posted 15-Jan-2017 (category: Technology).

Himanshu Kumar Das

About me

Infosec analyst at iViZ techno sol. Pvt. Ltd.

Passionate Capture The Flag (CTF) player.

Started bug bounty recently; listed on a few Security Acknowledgement Pages, a few $$$, a few t-shirts.

Member of the n|u community for the past 2 years 6 months.

Today's talk

Prerequisites

Highlights

Initial Approach

Tools to tune

Automating on localhost.

Bug Submission/Reporting.

Demo..

Prerequisites

Patience? Of course, YES!!!

Ninja skills? NO!!!

Operating system and web browser? A matter of argument, so you select!!!

Have you read any of these?

  - OWASP Testing Guide v3
  - The Web Application Hacker's Handbook, 2nd Edition
  - RFC 2616 (HTTP/1.1)

Bug bounty program: highlights

Not limited to web applications; networks and products are in scope too.

Must follow responsible disclosure.

Lots of $$$, gifts, t-shirts.

Test your: alert(Bounty);

Initial approach

Did you read the scope?

Reconnaissance:

  - CMS, default pages, paths, plugins (robots.txt, phpinfo.php, .htaccess)
  - Various subdomains
  - Identify services

Understand the logic of any functionality.

Say No to SCANNERS!!!

Tools to tune

Web proxy (Burp Suite, Fiddler, OWASP ZAP, many others)

Must-have Firefox add-ons:

  - Web Developer
  - Tamper Data
  - Wappalyzer
  - FoxyProxy
  - User Agent Switcher
  - Live HTTP Headers
  - ClickJacking Defense (https://addons.mozilla.org/en-us/firefox/addon/clickjacking-defense-declar/)
  - and the counting goes on

Automating on localhost

Install a web server on your local system (WAMP, XAMPP).

Download and install the product (CMS) on your local web server.

Time to input and sleep:

  - Wfuzz
  - intellifuzz-xss (by @matthewdfuller)
  - sqlmap
  - IronWASP (by @lavakumark)

Few techniques to bypass security measures

Brute-force:

  - IP-based blocking, user-agent-based blocking.
  - Account locked, yet account accessible.

Cross-site request forgery:

  - Token missing.
  - Token not time-boxed.
  - Token not validated.
  - Token not random.

UI redressing / ClickJacking:

  - Drag and drop [discovered by Ahamed Nafeez (@skeptic_fx)].
  - Content extraction (deprecated in modern browsers).

Bug submission

Subject: Responsible Disclosure.

Nature/Description of the Bug.

Impact.

Testing environment: OS, browsers, tools (if any).

Proof of concept: video (avi/flv), screenshot.

DEMO

Stored XSS through SVG

What is SVG?

Supported by modern browsers.

Dissection of the payload

XML CDATA: all text in an XML document is parsed by the parser, but text inside a CDATA section is ignored by the parser. To avoid parse errors, script code can be placed inside a CDATA section.
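As an added example (not from the slides): an upload-side check in Python that parses an SVG and reports the script vectors a stored-XSS payload relies on. Because CDATA is transparent to the XML parser, a <script> whose body is wrapped in <![CDATA[...]]> is still seen as a script element. The function name and the sample documents are constructed for this example.

```python
# Added example, not from the slides: flag script vectors in an uploaded SVG.
# Uses only the standard library; for untrusted input in production, parse
# with defusedxml instead of xml.etree to also block entity-expansion attacks.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def _local(name):
    """Strip the {namespace} prefix ElementTree prepends to tag/attr names."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_risks(svg_text):
    """Return a list of (element, reason) findings; empty means none found.

    CDATA is not visible after parsing: a <script><![CDATA[...]]></script>
    shows up as an ordinary script element whose .text is the script body.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("document", "malformed XML: %s" % exc)]
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.append((name, "inline script element"))
        if name == "foreignobject":
            findings.append((name, "foreignObject can embed HTML"))
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append((name, "event handler attribute %s" % a))
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((name, "javascript: URL in href"))
    return findings


# Constructed sample documents (not real uploads).
BENIGN_SVG = '<svg xmlns="%s"><circle r="5"/></svg>' % SVG_NS
CDATA_SVG = '<svg xmlns="%s"><script><![CDATA[ alert("Bounty") ]]></script></svg>' % SVG_NS
HANDLER_SVG = '<svg xmlns="%s" onload="alert(1)"><rect/></svg>' % SVG_NS

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("cdata", CDATA_SVG), ("handler", HANDLER_SVG)]:
        print(label, find_svg_risks(doc))
```

A clean result only means none of these vectors were found; an upload pipeline should still serve SVGs from a separate origin or as image/svg+xml with a restrictive Content-Security-Policy.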

References / links

http://www.computersecuritywithethicalhacking.blogspot.in/

https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf

http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html

http://www.riyazwalikar.com

http://www.amolnaik4.blogspot.com

DEMO: Stored XSS on Facebook

By Riyaz Ahemed Walikar (@riyazwalikar, http://www.riyazwalikar.com)

Twitter: @mehimansu

E-mail: me.himansu@gmail.com

QUESTIONS? THANK YOU!!!