The Game of Bug Bounty Hunting - Money, Drama, Action and Fame


Transcript of The Game of Bug Bounty Hunting - Money, Drama, Action and Fame

Page 1: The Game of Bug Bounty Hunting - Money, Drama, Action and Fame

The Game of Bug Bounty Hunting

Money, Drama, Action and Fame

By, Abhinav Mishra | 0ctac0der

Page 2

Let’s get a bit friendly first

Me?

Abhinav Mishra | @0ctac0der | Bug Bounty Hunter | Freelancer. Have questions?

And you?

Name? | What are you? | Security exp? | Bug hunter?

In the meantime, copy the content to your laptops. Install VirtualBox and copy the Kali ISO. Run Kali Linux as a virtual machine. Help your neighbors (yes, this applies even if he is a guy).

Page 3

What’s on the plate?

● All you need to know about bug bounty and platforms
○ History & present | Who can do it? What are the skills needed? Where to start from?
○ About HackerOne | About BugCrowd
○ Penetration Testing and Bug Bounties

● Need some motivation?
○ How much money are we talking about? MONEY
○ Where do you stand? Where do I stand?

● Bug Hunter’s Avenue
○ How do I do it? Building your approach
○ Choose your Goose (to get golden eggs) and let’s do it…. ACTION
○ Resources and tools I use (suggest), blogs and people to follow

● Best submissions on H1 (those I love): FAME
● Dark side: mishaps, blunders and some (ugly) famous reports :) DRAMA

Page 4

Bug Bounties

What is it? Hack → Report → Get Paid

History of Bug Bounties:

Read more & Image credit : https://cobalt.io/blog/the-history-of-bug-bounty-programs/

Page 5

Present Status of Bug Bounty Programs

● Most famous platforms:
○ HackerOne - founded in 2012
○ BugCrowd - founded in 2012
● Worldwide 488+ public programs (as per the BugCrowd list)
● What do you get? Cash | Bitcoins | Swag | Hall of Fame
● Who can participate?
○ Technically? Anyone.
● What are the skills required?
○ Web/Mobile/Infra hacking skills, reporting skills, a sharp mind, out of the “room” thinking (because the box is too small)
● Where to start?
○ The process is very simple. Register on BB platforms → Choose program → Hack → Report

Page 6

Lifecycle of Bug Bounty Submission

Page 7

About HackerOne, BugCrowd & Public programs

● The two most popular bug bounty platforms.
● Provide a great platform for white hats to sharpen their skills and earn cash.
● Public and private programs to participate in.
● Individual bug bounty platforms: Facebook, Google, Microsoft.
● Lists of all bug bounty programs:
○ BugCrowd maintained list
○ FireBounty list
● Openbugbounty: Link

Page 8

Bug Bounty Motivation #1 (Money)

Let’s have a tea break… 10 min. If we started at the right time, it should be 11.45 AM now.

Page 9

Approach

What To Do

● The earlier, the better
● Be the user first
● Understand the logic, to break it
● Have custom methods, payloads
● Not just XSS, CSRF, IDOR, SQLi…
● Reporting is the money multiplier
● Be professional

What Not To Do

● XSS: ctrl c → ctrl v everywhere
● Low fruits are never the best
● The easy way is not the right way
● Half-filled submissions
● Only OWASP Top 10?
● Irresponsible in responsible disclosures.
● Don’t do #Beg-Bounty

Page 10

Enough. So what next?

Next 1 hour:

● Exploring the scope of a program. Building the approach.
● Look out for low hanging fruits.
● Some cool tricks to speed up the hunting
● Tools and scripts which might help
● Reporting… how to do this?
● Attack scenario and exploit

After that (for 0.5 hours):
● Choose your target
● Hunt for bugs, let’s see who is going to buy us a drink.

Page 11

Action Begins Here...

● Exploring the scope
○ Read the “Rules of Engagement” and “Program Description”
○ knockpy www.mydomain.com or Recon-ng Link
○ If scope is “*.mydomain.com” then do “inurl:mydomain.com -www”
○ Mobile apps? Reverse engineer to find URLs.
○ Mobile websites… https://m.mydomain.com

● Port scan, service detection & low hanging fruits
○ Do not miss the server
■ Port scanning: nmap is your buddy: nmap -sS -A -Pn -p- mydomain.com
○ Publicly accessible Grails console, fuzz for hidden files or insecure URLs.
■ Wfuzz, Google
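Staying inside the scope you just mapped is the part of “Rules of Engagement” that gets people disqualified. The following is an added example (not from the slides or any program): a small Python scope checker that takes recon output (knockpy-style hostnames, URLs, host:port strings), normalises it, and splits it into in-scope and out-of-scope hosts. It assumes scope is given as host patterns where “*.mydomain.com” means “any subdomain, not the apex itself” and out-of-scope rules win over in-scope rules; the sample scope and hostnames are constructed.

```python
"""Check discovered hostnames against a bug-bounty program's scope rules.

Added example, not from the slides. Assumes scope is two lists of host
patterns; "*.base" covers subdomains only (the apex must be listed on its
own), and out-of-scope rules take precedence. Confirm with the program text.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def normalize_host(candidate: str) -> str:
    """Reduce a URL, host:port or bare hostname to a lowercase hostname."""
    candidate = candidate.strip()
    if "://" not in candidate:
        candidate = "//" + candidate  # lets urlsplit treat it as a netloc
    host = urlsplit(candidate).hostname or ""
    return host.lower().rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or subdomain match for a "*.base" pattern."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # "*.mydomain.com" covers a.mydomain.com and a.b.mydomain.com,
        # but not mydomain.com itself and not mydomain.com.evil.example
        return host.endswith("." + pattern[2:])
    return host == pattern


def in_scope(in_rules: List[str], out_rules: List[str], host: str) -> bool:
    """Out-of-scope rules take precedence over in-scope rules."""
    host = normalize_host(host)
    if any(host_matches(p, host) for p in out_rules):
        return False
    return any(host_matches(p, host) for p in in_rules)


def triage(in_rules: List[str], out_rules: List[str],
           candidates: Iterable[str]) -> Dict[str, List[str]]:
    """Split recon output (e.g. knockpy subdomains) into in/out of scope,
    de-duplicated after normalisation, preserving first-seen order."""
    seen = set()
    result: Dict[str, List[str]] = {"in": [], "out": []}
    for c in candidates:
        host = normalize_host(c)
        if not host or host in seen:
            continue
        seen.add(host)
        result["in" if in_scope(in_rules, out_rules, host) else "out"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample scope and recon output
    IN = ["*.mydomain.com", "mydomain.com"]
    OUT = ["www.mydomain.com", "*.corp.mydomain.com"]
    found = ["www.mydomain.com", "https://API.mydomain.com:8443/v1", "m.mydomain.com",
             "vpn.corp.mydomain.com", "mydomain.com.evil.example", "notmydomain.com"]
    print(triage(IN, OUT, found))
```

Feed it the raw hostnames your recon produced; anything that lands in “out” is not a target, however interesting it looks, and the suffix check is deliberately strict so that look-alike domains such as mydomain.com.evil.example never pass.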

Page 12

Low hanging fruits….

Remember, everyone is looking for them, but only one wins.

● Finding XSS
○ Inject to find XSS: Link
○ Unicode transformation issues, by @tbmnull: PDF here

● CSRF: (Ref: https://whitton.io/)

Page 13

Low hanging fruits…. Chase #2

● SSL issues (SSLscan)
● WordPress bugs (WPScan)
○ wpscan --url “www.mydomain.com/blog”
● Fuzzing (Wfuzz)
○ wfuzz -c -z file,“<path to a SecLists wordlist>” --hc 404 https://www.mydomain.com/admin/FUZZ
● Session related vulnerabilities
○ Fixation, reuse, expiration
○ Insecure cookies, no account lockouts
○ Password reset bugs: token reuse, token generation etc.
○ Auto session logout on all devices? And the mobile app?
○ Account enumeration, clickjacking, info disclosures
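Every item in the session list above is a server-side decision, so it helps to see what “done right” looks like when you are judging whether a target got it wrong. The following is an added example, not from the slides: an in-memory Python session store that rotates the session id on login (fixation), enforces and slides an idle timeout (expiration), locks accounts after repeated failures, stores only hashes of password-reset tokens, makes those tokens single-use and short-lived, and kills every session of a user after a reset (“logout on all devices”). The clock is injectable only so expiry can be exercised; the TTLs, lockout threshold and cookie name are constructed values.

```python
"""Session and password-reset handling that closes the weaknesses listed
above: fixation, reuse, missing expiry, no lockout, reusable reset tokens.

Added example, not from the slides. The store is in-memory and the clock
is injectable so expiry can be exercised; a real deployment would back it
with a database and add a server-side rate limiter on the login endpoint.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL = 30 * 60        # idle timeout for a session (constructed value)
RESET_TTL = 15 * 60          # reset tokens are short-lived (constructed value)
LOCKOUT_THRESHOLD = 5        # failed logins before the account locks (constructed)


def _hash(token: str) -> str:
    # Only a hash is stored, so a leaked table does not yield usable tokens
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self._sessions: Dict[str, dict] = {}   # session id -> {"user", "expires"}
        self._resets: Dict[str, dict] = {}     # sha256(token) -> {"user", "expires"}
        self._failures: Dict[str, int] = {}    # user -> consecutive failed logins

    def _issue(self, user: Optional[str]) -> str:
        sid = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG, not guessable
        self._sessions[sid] = {"user": user, "expires": self.clock() + SESSION_TTL}
        return sid

    def new_anonymous_session(self) -> str:
        return self._issue(None)

    def login(self, old_sid: str, user: str, password_ok: bool) -> Optional[str]:
        """Return a fresh session id on success, None on failure or lockout."""
        if self._failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return None
        if not password_ok:
            self._failures[user] = self._failures.get(user, 0) + 1
            return None
        self._failures.pop(user, None)
        # Anti-fixation: the pre-auth id (possibly planted by an attacker) dies here
        self._sessions.pop(old_sid, None)
        return self._issue(user)

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session id, enforcing and then sliding the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if entry["expires"] <= now:
            del self._sessions[sid]
            return None
        entry["expires"] = now + SESSION_TTL
        return entry["user"]

    def logout_everywhere(self, user: str) -> int:
        """End every session of a user (password change, reset, 'log out all devices')."""
        doomed = [sid for sid, e in self._sessions.items() if e["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def issue_reset_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._resets[_hash(token)] = {"user": user, "expires": self.clock() + RESET_TTL}
        return token

    def redeem_reset_token(self, token: str) -> Optional[str]:
        """Single use: the entry is removed on first presentation, valid or not."""
        entry = self._resets.pop(_hash(token), None)
        if entry is None or entry["expires"] <= self.clock():
            return None
        # A completed reset must also end sessions the old password started
        self.logout_everywhere(entry["user"])
        return entry["user"]


def session_cookie(sid: str) -> str:
    """Set-Cookie value with the attributes the 'insecure cookies' bullet is about."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

When you test a target, each method here maps to a check: does the session id change after login, does an old reset link still work after use or after a long wait, does a reset log out the other devices, and does the cookie carry Secure, HttpOnly and SameSite. A report that names the missing control precisely is worth more than one that just says “session bug”.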

Page 14

Bug Bounty Motivation #2

Let’s have a tea break… 10 min. If we started at the right time, it should be 1.30 PM now.

Page 15

Slightly higher

● SQLi | Sample report: Link
● Insecure direct object reference (game of “Eena Meena Deeka”) | Sample report: Link
● XXE vulnerabilities | Sample report: Link (my personal fav)
● Remote code execution | Sample report: Link
● Priv esc or authorization bypass | Sample report: HackerOne Link
● Server side request forgery (SSRF) | Sample report: HackerOne Link
● HTTP response splitting | Sample report: HackerOne Link
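The IDOR entry above is the “Eena Meena Deeka” game because the server trusts a sequential id from the client. The following is an added example, not from the slides or any sample report: a Python handler shown in its vulnerable form next to the hardened form that checks ownership and answers 404 for both missing and foreign objects, plus a small log-based detector that flags a user walking the id space with mostly denied requests, which is how a program’s own team would notice the same thing. The invoice data, user names and thresholds are constructed.

```python
"""Insecure direct object reference: the ownership check that closes it,
and a log-based detector for the id-guessing pattern behind it.

Added example, not from the slides. Data, users and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data: sequential invoice ids, the classic IDOR setup
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
    1003: {"owner": "mallory", "amount": 10},
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[dict]:
    """Authenticated, but any logged-in user can read any invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(session_user: str, invoice_id: int,
                access_log: List[dict]) -> Optional[dict]:
    """Ownership check; missing and foreign objects both answer 404 so the
    response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    allowed = inv is not None and inv["owner"] == session_user
    access_log.append({"user": session_user, "id": invoice_id,
                       "status": 200 if allowed else 404})
    return inv if allowed else None


def enumeration_suspects(access_log: List[dict], min_requests: int = 10,
                         min_denied_ratio: float = 0.5) -> List[str]:
    """Users whose access pattern looks like id guessing: many distinct ids,
    mostly denied. Sorted for stable output."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "ids": set()})
    for e in access_log:
        s = stats[e["user"]]
        s["total"] += 1
        s["ids"].add(e["id"])
        if e["status"] != 200:
            s["denied"] += 1
    return sorted(
        u for u, s in stats.items()
        if s["total"] >= min_requests
        and len(s["ids"]) >= min_requests
        and s["denied"] / s["total"] >= min_denied_ratio
    )


if __name__ == "__main__":
    log: List[dict] = []
    for i in range(1000, 1020):           # mallory walks the id space
        get_invoice("mallory", i, log)
    for _ in range(12):                   # alice reloads her own invoice
        get_invoice("alice", 1001, log)
    print(enumeration_suspects(log))      # ['mallory']
```

The detector is also a reminder for the hunter: a program that logs per-user denial ratios will see a brute-force walk long before the report arrives, so two or three requests that prove the missing check are a better proof of concept than a thousand.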

Page 16

Out of the “room” findings (Fame)

Refer to these incredible findings:

● Uber Bug Bounty: Turning Self-XSS into Good-XSS: Link
● How I hacked Hotmail: Link
● Command injection which got me "6000$" from #Google: Link
● Content Types and XSS: Facebook Studio: Link

Page 17

Time is the “BOSS”

Any specific vulnerability that you want to know how to hunt?

Page 18

Bug Bounty Motivation #3

Let’s have a tea break… 10 min. If we started at the right time, it should be 2.45 PM now.

Page 19

Choose your Goose (for golden eggs)

What now? (30 min)

● Register on any platform (BugCrowd or HackerOne) or choose a public program if you want.
● Hunt for bugs.
● Ask questions. Push yourself to go beyond just salary :)

At the same time:
● Follow the bounty rules.
● Follow responsible disclosure. Do not make the bug public (if you get lucky).
● Reporting is the hidden secret.

Page 20

Bug Bounty Motivation #4

Let’s have a tea break… 10 min. If we started at the right time, it should be 3.30 PM now.

Page 21

The Dark side (Drama)

Case 1. The unexpected “Facebook” and an over-curious hacker.

The story from Wes’s point of view: Link

Page 22

The Dark side Part 2

Case 2. A desperate, unprofessional, greedy, abusive report deserves this.

Page 24

Where to go next?

Blogs to follow:

● BugCrowd Blog
● HackerOne Blog
● Jack Whitton’s Blog
● Hack 2 Learn. Master the art of Cross Site Scripting: Brute Logic’s Blog
● Bug Bounty Findings by Meals: Meals’ Blog

Remember, all the resources, tools, blogs and examples shown by me in this session are a handful of the hundreds (if not thousands) which are out there on the internet. The best way to find them is: do not remain AFK.

Page 25

"Computers are useless. They can only give you answers." - Pablo Picasso

If we started at the right time, it should be 4 PM now.