The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

  • Posted: 15-Jan-2017
  • Category: Technology


Transcript of The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

  • detectify: The Secret Life of a Bug Bounty Hunter

    Frans Rosén @fransrosen

  • Frans Rosén, "The Swedish Ninja"

    Knowledge Advisor @detectify (twitter: @fransrosen)
    Blog at labs.detectify.com
    HackerOne #6 @ hackerone.com/thanks
    Highest paid out bounty on H1: $30k

  • Rundown

    1. Background
    2. Approaching a target
    3. Free money
    4. Automation
    5. Browsers
    6. End

  • How it started

  • THEN I FREAKED OUT

    etc.

  • Thailand

  • How it actually started

  • Approaching a target

  • SWFs

  • Facebook Connect

    By @nirgoldschlager and @homakov

    http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html

    http://www.breaksec.com/?p=6039

  • Facebook Connect

    https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://www.example.com/login

  • Facebook Connect

    https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://xxx.example.com/yyy

    No restrictions!

  • Open Redirect

    https://www.victim.com/account/logout?redirect_url=https://example.com\@www.victim.com

    https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings

    https://vimeo.com/log_in?redirect=/%09/example.com

    https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x

    https://trello.com/login?returnUrl=/\example.com

  • Firefox

    Chrome: Invalid
    Safari: Domain not found
    Firefox: example.com!

    http://example.com

    https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/

    CVE-2015-7195

  • Firefox + Prezi

    https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com

    HTTP/1.1 301
    Location: //example.com%0a%23.prezi.com

    https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&response_type=token&redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com&client_id=298315034451

    NOO! :(
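Every payload on the Open Redirect slide and the Prezi redirect above works the same way: the server's check and the browser's URL parser disagree about where the host ends. As an added example (not from the talk), a server-side validator that rejects all of them; isSafeRedirect(), SLIDE_PAYLOADS and rejectedCount() are assumed names, and it assumes the application decodes the query parameter exactly once.

```javascript
// Added example (not from the talk): server-side check for a user-supplied
// redirect target. Assumes the app decodes the query parameter exactly once.
// isSafeRedirect(), SLIDE_PAYLOADS and rejectedCount() are assumed names.

// Returns the normalized absolute target when `raw` stays on `siteOrigin`,
// otherwise null.
function isSafeRedirect(raw, siteOrigin) {
  let target;
  try {
    target = decodeURIComponent(raw); // one decode, as the framework would do
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Browser URL parsers silently drop tab/newline (the Prezi "%0a" trick) and
  // treat "\" as "/" (the "\@" and "/\" tricks). Refuse rather than guess.
  if (/[\u0000-\u001f\u007f\\]/.test(target)) return null;
  let url;
  try {
    url = new URL(target, siteOrigin); // resolves "/path" and "//host" forms
  } catch (e) {
    return null; // e.g. "#" inside the host after decoding
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Userinfo is how "example.com%2f@www.linkedin.com" passes a naive
  // "contains our hostname" check; real redirects never carry credentials.
  if (url.username !== '' || url.password !== '') return null;
  if (url.origin !== new URL(siteOrigin).origin) return null;
  return url.href;
}

// Constructed test data: the slide's payloads paired with the site each targeted.
const SLIDE_PAYLOADS = [
  ['https://www.victim.com', 'https://example.com\\@www.victim.com'],
  ['https://www.linkedin.com', 'https://example.com%252f@www.linkedin.com%2Fsettings'],
  ['https://vimeo.com', '/%09/example.com'],
  ['https://test6473.zendesk.com', '//example.com:%252525252f@test6473.zendesk.com/x'],
  ['https://trello.com', '/\\example.com'],
  ['https://prezi.com', '//example.com%0a%2523.prezi.com'],
];

// Number of slide payloads the validator rejects (all six).
function rejectedCount() {
  return SLIDE_PAYLOADS.filter(([site, p]) => isSafeRedirect(p, site) === null).length;
}
```

Rejecting control characters and backslashes outright is deliberate: it sidesteps per-browser parsing differences like the Firefox one on the previous slides instead of trying to model each of them.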

  • Try the app + proxy

  • Note during the walkthrough

    Structure of IDs: numeric? ID hashes visible across accounts?

  • Hashed IDs publicly available

    Update other users / Get user info

    IDs as hashes, but visible using Google.

    No check if user was in another company.

    Bounty $3,000

    https://hackerone.com/reports/23126

  • 3rd-party scripts

    (get)?(query|url|qs|hash)param

    location\.(hash|href|search)\.match

  • 3rd-party scripts

    // Loader as shown on the slide: the script URL is taken straight from the page URL
    k.type = 'text/javascript';
    var m, src = (m = location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);
    k.src = src || 'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

  • Paywalls

  • CSP bypass

    script-src 'self' https://ajax.googleapis.com

    https://html5sec.org/minichallenges/3

  • CSP bypass

    script-src 'self' https://cdn.mxpnl.com

  • CSP bypass

    script-src 'self' https://www.googleadservices.com

  • All ze subdomains!

  • Subdomains

  • Free money

  • Facebook

    POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1
    Host: public-api.wordpress.com

    cart[blog_id]=44444444

  • Google XXE

    https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

  • Square hidden payload

  • Automation: Mr Roboto

  • Collect

    1. Collect all subdomains
    2. Sort by popularity
    3. Inject www between pop2 and pop1
    4. Use to scan further + deeper
    5. Every day. On all targets.

  • Subdomains

  • Collect

    1. Make requests to all domains
    2. Save both headers + redirects + content

    timeout 10 curl -sD - "http://$p" -L --insecure --max-time 5 > "streams/stream_pipe_$p"

  • Retroactive searching

    Browser fun

  • detectify

    Safari the special lil snowflake

  • Safari 6

    *press enter*

  • Safari 8

  • Safari

  • Safari 9

    Nice!

  • Safari 9 Host Header injection

  • One more thing: "Best X ever"

  • Best report

    "Exploitable Self XSS at swagger.oculusvr.com using Clickjacking Game and bypassing of filter"

  • Best response

  • Best deal

  • Best bug hunting day ever

  • The Secret Life of a Bug Bounty Hunter

    Frans Rosén (@fransrosen) www.detectify.com