The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016


Transcript of The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Page 1

detectify

The Secret Life of a Bug Bounty Hunter

Frans Rosén @fransrosen

Page 2

Frans Rosén, "The Swedish Ninja"
Knowledge Advisor @detectify (twitter: @fransrosen)
Blog at labs.detectify.com
HackerOne #6 @ hackerone.com/thanks
Highest paid out bounty on H1: $30k

Page 3

Rundown

1. Background
2. Approaching a target
3. Free money
4. Automation
5. Browsers
6. End

Page 4

How it started

Page 5

THEN I FREAKED OUT

etc…

Page 6–7

Thailand

Page 8

How it actually started

Page 9

Approaching a target

Page 10

SWFs

Page 11

Facebook Connect

By @nirgoldschlager and @homakov
http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html
http://www.breaksec.com/?p=6039

Page 12

Facebook Connect

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://www.example.com/login

Page 13

Facebook Connect

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://xxx.example.com/yyy

No restrictions!

Page 14

Open Redirect

https://www.victim.com/account/logout?redirect_url=https://example.com\@www.victim.com
https://www.linkedin.com/uas/login?session_redirect=https://example.com%[email protected]%2Fsettings
https://vimeo.com/log_in?redirect=/%09/example.com
https://test6473.zendesk.com/access/login?return_to=//example.com:%[email protected]/x
https://trello.com/login?returnUrl=/\example.com

Page 15–18

Firefox…

Chrome: Invalid
Safari: Domain not found
Firefox: example.com!

https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/
CVE-2015-7195

Page 19–23

Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com

HTTP/1.1 301
Location: //example.com%0a%23.prezi.com

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&response_type=token&redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com&client_id=298315034451

NOO! :(
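The payloads on the Open Redirect slide and the Prezi newline trick above all get past redirect checks that test the raw string ("starts with /", "contains our hostname") because the browser normalises the URL before it resolves it. As an added example that is not code from the talk or from any of the sites named, here is a redirect validator that applies the same normalisation first; the sample list is constructed after the slides' patterns, with victim.com standing in for the target site.

```python
from urllib.parse import urlsplit, unquote

# Constructed samples modelled on the slides' payloads; victim.com stands in for the target site.
OPEN_REDIRECT_SAMPLES = [
    r"https://example.com\@www.victim.com",     # backslash before '@': parsers disagree on the host
    "/%09/example.com",                         # encoded tab that browsers strip, leaving //example.com
    r"/\example.com",                           # browsers read '\' as '/', again giving //example.com
    "//example.com%0a%23.victim.com",           # newline trick from the Prezi slide (constructed host)
    "https://example.com%00@www.victim.com/x",  # constructed: NUL byte in front of the '@'
    "//example.com",                            # plain scheme-relative URL
]
SAFE_SAMPLES = ["/settings", "/account?tab=billing#top"]


def naive_check(target: str) -> bool:
    """The kind of check the slide's targets relied on: 'starts with /' or 'mentions our host'."""
    return target.startswith("/") or "victim.com" in target


def is_safe_local_redirect(target: str) -> bool:
    """Accept only a same-origin absolute path such as '/settings', normalising like a browser first."""
    decoded = unquote(target)  # decode once so %09, %0a, %00 and %5C cannot hide from the tests
    # Browsers strip or reject C0 controls, DEL and whitespace; refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    normalised = decoded.replace("\\", "/")  # WHATWG parsing treats '\' as '/' for http(s)
    if normalised.startswith("//"):  # '//host' and '///host' are both scheme-relative
        return False
    try:
        parts = urlsplit(normalised)
    except ValueError:  # malformed IPv6 literal and the like: not a path we want to follow
        return False
    if parts.scheme or parts.netloc:  # any scheme or authority leaves our origin
        return False
    return parts.path.startswith("/")


def evaluate(check) -> dict:
    """How many hostile samples a check lets through and how many safe ones it blocks."""
    return {
        "hostile_accepted": sum(check(t) for t in OPEN_REDIRECT_SAMPLES),
        "safe_rejected": sum(not check(t) for t in SAFE_SAMPLES),
    }


if __name__ == "__main__":
    print("naive :", evaluate(naive_check))             # {'hostile_accepted': 6, 'safe_rejected': 0}
    print("strict:", evaluate(is_safe_local_redirect))  # {'hostile_accepted': 0, 'safe_rejected': 0}
```

Rejecting every percent-decoded control character and any leading double slash is deliberately conservative; if an application needs encoded spaces in redirect paths it should add them back explicitly rather than loosen these tests.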

Page 24

Try the app + proxy

Page 25

Note during the walkthrough

Structure of IDs: numeric? ID hashes visible across accounts?

Page 26

Hashed IDs publicly available
Update other users / Get user info

IDs as hashes, but visible using Google.

No check if user was in another company.

Bounty $3,000

https://hackerone.com/reports/23126

Page 27

3rd-party scripts

(get)?(query|url|qs|hash)param

location\.(hash|href|search)\.match

Page 28

3rd-party scripts

k.type='text/javascript';
var m,src=(m=location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);
k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

Page 29

3rd-party scripts

Page 30

Paywalls

Page 31–32

CSP bypass

script-src 'self' https://ajax.googleapis.com

https://html5sec.org/minichallenges/3

<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

Page 33–34

CSP bypass

script-src 'self' https://cdn.mxpnl.com

Page 35–36

CSP bypass

script-src 'self' https://www.googleadservices.com

Page 37

CSP bypass
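Each of the three policies on the CSP slides allow-lists a CDN that also serves a script library (AngularJS from ajax.googleapis.com in the html5sec challenge), so the host allow-list itself becomes the bypass. As an added example, not code from the talk, this Python audit parses a CSP header, applies the script-src to default-src fallback, and flags such hosts unless the policy relies on nonces with 'strict-dynamic'; the policy strings and the LIBRARY_HOSTS set are constructed for the example from the hosts named on the slides.

```python
import re

# Constructed policies modelled on the three allow-lists shown on the slides, plus a strict one.
SLIDE_POLICIES = {
    "googleapis": "default-src 'self'; script-src 'self' https://ajax.googleapis.com",
    "mixpanel": "default-src 'self' https://cdn.mxpnl.com",  # no script-src: falls back to default-src
    "adservices": "script-src 'self' https://www.googleadservices.com; object-src 'none'",
    "strict": "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'",
}
# Hosts the slides show being used to load a script the policy author never intended
# (e.g. AngularJS from a CDN). Extend from your own review of what each allowed host serves.
LIBRARY_HOSTS = {"ajax.googleapis.com", "cdn.mxpnl.com", "www.googleadservices.com"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}; a repeated directive is ignored."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_src(policy: dict) -> list:
    """script-src falls back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_src(header: str) -> list:
    """Return findings for the script allow-list; an empty list means nothing to flag."""
    sources = effective_script_src(parse_csp(header))
    nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in sources)
    findings = []
    if not sources:
        return ["no script-src or default-src: scripts may load from anywhere"]
    if "'unsafe-inline'" in sources and not nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash permits injected inline scripts")
    if "'strict-dynamic'" in sources and nonce_or_hash:
        return findings  # host allow-list is ignored under 'strict-dynamic'; nothing more to check
    for src in sources:
        if src.startswith("'"):
            continue  # keyword, nonce or hash source
        if src in ("*", "https:", "http:", "data:", "blob:"):
            findings.append(f"{src} lets any origin of that kind supply scripts")
            continue
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src.lower()).split("/")[0].split(":")[0]
        for lib in sorted(LIBRARY_HOSTS):
            if lib == host or (host.startswith("*.") and lib.endswith(host[1:])):
                findings.append(f"{src} allows library/JSONP scripts from {lib}; prefer nonces + 'strict-dynamic'")
    return findings


def audit_all(policies: dict = SLIDE_POLICIES) -> dict:
    return {name: audit_script_src(header) for name, header in policies.items()}
```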

Page 38

All ze subdomains!

Page 39–41

Subdomains

Page 42

Free money

Page 43–45

Facebook

Page 46

Facebook

POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1
Host: public-api.wordpress.com

cart[blog_id]=44444444

Page 47–48

Facebook

Page 49–54

Google XXE

https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

Page 55–56

Square hidden payload

Page 57

Automation – Mr Roboto

Page 58

Collect

1. Collect all subdomains
2. Sort by popularity
3. Inject www between pop2 and pop1
4. Use to scan further + deeper
5. Every day. On all targets.

Page 59

Subdomains

Page 60

Collect

1. Make requests to all domains
2. Save both headers + redirects + content

    xx="streams/stream_pipe_$p"
    timeout 10 curl -sD - "http://$p" -L --insecure --max-time 5 > "$xx"

Page 61

Retroactive searching

Page 62

Page 63

Browser fun

Page 64

Safari – the special lil’ snowflake ❄

Page 65–71

Safari 6…

*press enter*

Page 72–79

Safari 8…

Page 80

Safari <= 8 Mixed Content UXSS

1. Find URL with Mixed Content
2. Use fragment payload to inject clickable link in console
3. SE to get user to open Inspect and click link
4. ???
5. PROFI-XSS-T!!!

Page 81

Safari 9

Nice!

Page 82–86

Safari 9 Host Header injection

Page 87

One more thing: "Best X ever"

Page 88–89

Best report

"Exploitable Self XSS at swagger.oculusvr.com using Clickjacking Game and bypassing of filter"

Page 90

Best response

Page 91

Best deal

Page 92–93

Best bug hunting day ever

Page 94

The Secret Life of a Bug Bounty Hunter

Frans Rosén (@fransrosen) – www.detectify.com