Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter


Page 1: SQUASHING BUGS

Introduction to Bug Bounties

Page 2: SESSION OUTLINE

Introduction to Bug Bounties 2:05-2:15
How to find bugs hands-on 2:15-2:35
How to use popular bug bounty programs 2:35-2:45
Case evaluation: Facebook page takeover bug 2:45-2:55
Conclusions and surprises 2:55 onwards

Page 3: INTRODUCTION

Page 4: BUG BOUNTY

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.

Bug bounty programs have been implemented by Facebook, Yahoo!, Google, Reddit, Square and Microsoft.

Page 5: REWARDS

Hall of fame(s)
$$$
Study grants and scholarships for research
Recognition

Page 6: FAQS & MISCONCEPTIONS

I do not have any of those fancy security research tools.
I do not have excellent coding knowledge.
How do I begin, and where do I begin?

Page 7: WHAT YOU NEED

Be able to read and understand code.
Keep an open eye for different attack possibilities.
Keep updated with the latest attacks and read their POCs (proofs of concept).
Differentiate between bugs and false positives (https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273).
Don't give up!

Page 8: FLOW

Know about bugs! Refer to the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Use a testing guide! OWASP Testing Project: https://www.owasp.org/images/1/19/OTGv4.pdf
Follow researchers and their updates!

Page 9: FAMOUS RESEARCHERS

http://www.breaksec.com/?page_id=6002
http://homakov.blogspot.in/
https://bitquark.co.uk/blog/
https://nealpoole.com/blog/
http://nahamsec.com/
http://stephensclafani.com/
http://insertco.in/articles
arunsureshkumar.me

Page 10: PRACTICE AT

http://www.dvwa.co.uk/
https://www.vulnhub.com/
https://github.com/WebGoat/WebGoat

Page 11: HANDS ON

Search "Google dorks" to find vulnerable websites. Sample string: inurl:admin_login.php site:.pk

SQL injection string to be entered in the username and password fields: ' or 1=1--

Only test sites that are in scope of a program you are authorised to test; probing an arbitrary site found through a dork is not bug hunting.
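To see why the string on the slide works, here is an added example (not part of the original deck) of the vulnerable login query beside its parameterised fix, run against a constructed in-memory SQLite database. The `users` table, its rows, and the function names are assumptions made for the demo.

```python
import sqlite3

# Constructed in-memory database standing in for a site's login backend.
# The table and rows are sample data, not from any real site.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "wonderland")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The bug: user input is concatenated into the SQL text, so a quote in
    the input closes the string literal and rewrites the WHERE clause.
    With username = "' or 1=1--" the query becomes
        ... WHERE username = '' or 1=1--' AND password = '...'
    and everything after -- is a comment, so the password check vanishes."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """The fix: bound parameters. The driver passes the values separately
    from the query text, so quotes and comment markers in the input are
    only ever compared as data, never parsed as SQL.
    (Passwords are stored in clear here only to keep the demo short;
    a real system hashes them.)"""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "' or 1=1--"  # the string from the slide


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "wonderland"),
        "legit_fixed": login_fixed(conn, "alice", "wonderland"),
        "bypass_vuln": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "bypass_fixed": login_fixed(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function logs the attacker in as the first row of the table (here `admin`) without any password; the fixed one returns no user for the same input. The same comparison is how you confirm a suspected injection before reporting it: a payload that changes the query's result, and a fix that makes it inert.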

Page 12: BURP SUITE

Burp Suite is an integrated platform for performing security testing of applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

It is one of the most awesome tools I have ever come across. There are a lot of features you can use; make sure you understand each and every function in Burp Suite, because the full functionality makes any security-related task much easier. Be sure to manually validate your findings, as the scanner does report false positives.

Download: http://portswigger.net/burp/download.html

Page 13: USING BUG BOUNTY PLATFORMS

Page 14: FACEBOOK WHITEHAT https://www.facebook.com/whitehat

Page 15: HACKERONE https://hackerone.com/internet-bug-bounty

Page 16: GITHUB SECURITY https://bounty.github.com/

Page 17: INTERNET BUG BOUNTY https://internetbugbounty.org/

Page 18: PAYTM https://paytm.com/offer/bug-bounty/

Page 19: OLA https://www.olacabs.com/whitehat

Page 20: MOBIKWIK https://www.mobikwik.com/bug-bounty

Page 21: OTHERS

http://bugsheet.com/directory
https://www.mozilla.org/en-US/security/bug-bounty/
https://bugcrowd.com/

Page 22: SOME TERMS USED IN CLASS

IDOR: Insecure Direct Object Reference. The application exposes a reference to an internal object (a record id, a file name) and does not check that the logged-in user is allowed to access the object that reference names.
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Rate Limiting: http://www.websecresearch.com/2014/05/a-way-to-bypass-rate-limiting.html
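As an added example (not from the slides or from OWASP), the shape of an IDOR and its fix in a small Python handler, together with the probe a tester does by hand in Burp Repeater: keep one session and step through object ids. The invoice store, session table, ids, and the names `get_invoice_vulnerable`, `get_invoice_fixed` and `probe` are constructed for the demo.

```python
# Constructed sample data: two users, each owning one invoice, and the
# session tokens that identify them. None of this is from a real application.
INVOICES = {
    101: {"owner": "alice", "total": 1250},
    102: {"owner": "bob", "total": 9800},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Caller is not logged in (HTTP 401/403 in a real app)."""


class NotFound(Exception):
    """Object is not available to the caller (HTTP 404)."""


def _current_user(session_token: str) -> str:
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("no valid session")
    return user


def get_invoice_vulnerable(session_token: str, invoice_id: int) -> dict:
    """IDOR: the handler authenticates the caller but never checks that the
    requested object belongs to them, so any logged-in user who increments
    the id in the URL reads other customers' invoices."""
    _current_user(session_token)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(session_token: str, invoice_id: int) -> dict:
    """Fix: authorise per object. 'Does not exist' and 'not yours' return
    the same NotFound so the endpoint does not confirm which ids are live."""
    user = _current_user(session_token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        raise NotFound(invoice_id)
    return inv


def probe(handler, session_token: str, ids) -> dict:
    """Tester's loop: same session, varying id. Returns {id: owner} for every
    id the handler served. Anything owned by someone else is the IDOR."""
    leaked = {}
    for invoice_id in ids:
        try:
            leaked[invoice_id] = handler(session_token, invoice_id)["owner"]
        except (Forbidden, NotFound):
            continue
    return leaked


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable:", probe(get_invoice_vulnerable, "tok-alice", ids))
    print("fixed:     ", probe(get_invoice_fixed, "tok-alice", ids))
```

Logged in as alice, the vulnerable handler serves both invoices 101 and 102; the fixed one serves only 101. When you report an IDOR, this is the evidence to include: two accounts you control, and a request from one that returns the other's object.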

Page 23: RESOURCES TO SCAN WEBSITES

https://hackertarget.com/joomla-security-scan/
https://hackertarget.com/wordpress-security-scan/
https://hackertarget.com/drupal-security-scan/
https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files
https://www.magereport.com/
https://pentest-tools.com/information-gathering/find-subdomains-of-domain
http://savanttools.com/test-frame
https://bugcrowd.com/resources
https://www.ssllabs.com/ssltest/
http://www.kitterman.com/spf/validate.html
https://forum.bugcrowd.com/t/researcher-resources-tools/167
https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102

Page 24: RESOURCES

Tamper Data: Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests. If you are not familiar with it, take a look at it once; it is very helpful in identifying CSRF issues as well as finding IDORs. Download: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Live HTTP Headers: To be very frank, I rarely use this extension, as it has exactly the same function as Tamper Data; the only difference is that you can capture and replay within the same session. Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

Default User Agent Switcher: It gives you the ability to change your user agent. I mostly use it to find the mobile version of a site, and you may use it whenever you want to see the mobile version of a website. Developers usually host the mobile version on m.xyzdomain.com, but sometimes the website loads the mobile version after detecting the user agent. With this extension you can set a mobile user agent and view the mobile version of the site. Download: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Hackbar: It helps with SQL injection as well as XSS, and it also encodes and decodes strings and does ASCII conversion. This extension will help you exploit SQL injection and XSS holes. If you know what you're doing, it will help you do it faster. If you want to learn SQL exploitation, you can also use this extension, but you will probably also need a book, a lot of Google and a brain :) Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

Page 25: FREEBIES

http://www.autodesk.com/education/free-software/all
https://aws.amazon.com/grants/
https://education.github.com/pack

Page 26: LINKS TO CASE STUDIES

Facebook Page Takeover Bug: http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/

Ola Free Rides Bug: https://blog.appknox.com/major-bug-in-ola-app-can-make-you-either-rich-or-poor/

Page 27: CONTACT

Avi Sharma – 7830993535 – [email protected]

Page 28: THANK YOU