nbt con december-2014-slides
TRANSCRIPT
Bug Bounty 101
(Web Applications)
BEN SADEGHIPOUR (@NAHAMSEC)
HTTP://NAHAMSEC.COM
Why bug bounties?
Chances of finding bugs to put on your resume.
Possibility of getting a job in the industry.
Opportunity to make money while attending college.
Fewer security breaches (hopefully).
Better and more secure apps.
More researchers from all over the world.
More experience.
More bugs.
What are some popular programs?
Google:
Min. payout: $1337
Acquisitions’ min. payout: $100
Max. payout: $20,000
What are some popular programs?
Google XXE (Custom XML)
Yahoo:
Min. payout: $50
Max. payout: $15,000
What are some popular programs?
Flickr SQL Injection
PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables-- -
Did I say SQL Injection?
Remote Command execution
PAYLOAD: order_id=-116564954 union select load_file("/etc/passwd"),2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -
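Added example, not from the talk: a small Ruby log scanner, written from the defender's side, that URL-decodes the query string of constructed access-log lines and flags the UNION SELECT, information_schema and load_file shapes of the payloads above, plus any non-integer value in a parameter that should only ever be numeric such as order_id. The IPs, timestamps and log lines are constructed.

```ruby
require "cgi"

# Constructed sample access-log lines (not real Flickr traffic). The second and
# third requests carry the UNION-based payloads from the slide, URL-encoded.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [01/Dec/2014:10:00:01 +0000] "GET /orders?order_id=116564954 HTTP/1.1" 200 512
  203.0.113.9 - - [01/Dec/2014:10:00:07 +0000] "GET /orders?order_id=-116564954%20union%20select%20group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15%20from%20information_schema.tables--%20- HTTP/1.1" 200 9132
  203.0.113.9 - - [01/Dec/2014:10:00:12 +0000] "GET /orders?order_id=-116564954%20union%20select%20load_file(%22/etc/passwd%22),2,3 HTTP/1.1" 200 2048
LOG

# Signatures for the payload shapes above; applied to each decoded parameter value.
SQLI_SIGNATURES = {
  union_select:       /\bunion\b.*\bselect\b/i,
  information_schema: /\binformation_schema\b/i,
  load_file:          /\bload_file\s*\(/i,
}.freeze

# Split a raw query string into { name => decoded value }.
def parse_query(raw)
  raw.split("&").to_h { |pair|
    k, v = pair.split("=", 2)
    [CGI.unescape(k), CGI.unescape(v.to_s)]
  }
end

# Return one finding per suspicious parameter: { ip:, param:, hits: [...] }.
# Parameters listed in numeric_params are also flagged when their value is not
# a plain integer, which catches injections that use none of the keywords above.
def scan_log(text, numeric_params: ["order_id"])
  findings = []
  text.each_line do |line|
    m = line.match(/"(?:GET|POST) \S*\?(\S*) HTTP/) or next
    parse_query(m[1]).each do |name, value|
      hits = SQLI_SIGNATURES.select { |_, re| value.match?(re) }.keys
      hits << :non_numeric if numeric_params.include?(name) && value !~ /\A-?\d+\z/
      findings << { ip: line.split(" ").first, param: name, hits: hits } unless hits.empty?
    end
  end
  findings
end
```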
Facebook:
Min. payout: $500
Max. payout: Unknown (Million dollars?)
Not enough details published by the researcher.
What are some popular programs?
Microsoft (Online services):
Started on September 23, 2014
Min. payout: $500
Max. payout: Unknown
What are some popular programs?
GitHub
PayPal and Magento
Square
cPanel/WHMCS
Complete list:
https://bugcrowd.com/list-of-bug-bounty-programs
What are some popular platforms?
BugCrowd
Managed or unmanaged programs
13,300 Researchers from all over the world
155 Bounties.
30,000+ Submissions.
Max Single Payout: $13,000.
What are some popular platforms?
CrowdCurity
Web application security
Main focus on bitcoin
~1500 Researchers
What are some popular platforms?
SYNACK
Customer details: unknown.
Number of researchers: unknown.
Requires a written and a practical test.
Focused on web applications as well as:
Host
Mobile
Reverse Engineering
Hardware
What are some popular platforms?
HackerOne
“Security Inbox”.
1,004 Hackers thanked.
71 Public programs.
$1.58M Bounties paid.
4,987 Bugs fixed
Internet bug bounty:
PHP
Ruby
Apache.
Etc.
The Basics of Bug Bounties.
Read the program rules.
Scope of the program.
Payout based on bug type.
Requirements
How to get an account on their platform?
Respect the program’s decisions.
Respect other researchers.
Quality vs Quantity.
Reputation in the industry.
Don’t make any threats.
Don’t ask for money or “swag” if it’s not mentioned in the rules.
Don’t compare two programs.
Two programs = different budgets.
Don’t lie while comparing two programs.
Don’t audit without permission.
Legal issues.
Quality vs Quantity
Most programs have an accurate reputation system
Google.
PayPal.
BugCrowd (accuracy).
HackerOne (reputation).
Better reputation = more opportunities:
Private events.
Private Programs.
More isn’t always better.
Total points vs. accuracy
Maximizing your payout
Don’t doubt yourself.
You may still be the first to find it.
Check Everything!
Every parameter
Every POST request
User input validation
Forms
Profile pages.
Filters (Can you bypass it?)
Don’t go for the low-hanging fruit:
Higher payout for critical vulnerabilities.
You may find some low-severity bugs while looking for more critical ones.
Fewer chances of duplicates.
Methodology
Pick a target.
Pick an application.
Pick a vulnerability type.
Google:
site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
Pick up a pattern
Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.
3 SQL Injections on Yahoo found by using Google.
site:hk.*.yahoo.com + inurl:"id" + filetype:html
Try the same idea with other programs.
Profit!
Picking up a pattern?
(Not my sponsors. Just vulnerable to the same bug)
Ruby on Rails
File Name Enumeration:
\../\../\../\../\../\../etc/passwd
Possible full path disclosure (FPD)
File not found vs. 404?
CVE-2014-7829
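Added example (Ruby, not from the talk and not Rails' own code): a naive static-file handler that follows "../" out of its directory and echoes the resolved path in its error, beside a hardened version that treats backslashes as separators, checks containment after symlink resolution, and answers traversal, absent files and escapes with one identical 404. That uniform response removes both the file-existence oracle and the full path disclosure the slide points at. The served directory and file names are a constructed fixture.

```ruby
require "pathname"
require "tmpdir"

# Naive handler (the weak pattern): joins the user-supplied name onto the base
# directory without a containment check, so "../" walks out of it, and the error
# text echoes the resolved absolute path (full path disclosure).
def naive_serve(base, name)
  path = File.join(base, name)
  return [200, File.read(path)] if File.file?(path)
  [500, "File not found: #{File.expand_path(path)}"]
end

# Hardened handler: the name must resolve to a regular file inside base after
# backslashes are treated as separators and symlinks are followed. Traversal,
# an absolute path, a symlink escape and a simply missing file all get the same
# 404 body, so the response no longer says whether a file exists.
def safe_serve(base, name)
  root = File.realpath(base)
  target = (Pathname.new(root) + name.tr("\\", "/")).cleanpath
  return [404, "Not Found"] unless target.to_s.start_with?(root + "/")
  return [404, "Not Found"] unless target.file?
  real = File.realpath(target.to_s)
  return [404, "Not Found"] unless real.start_with?(root + "/")
  [200, File.read(real)]
end

# Constructed fixture: a served "public" directory with a sibling secret outside
# it. Returns each handler's [status, body] so the two can be compared.
def run_demo
  Dir.mktmpdir do |dir|
    pub = File.join(dir, "public")
    Dir.mkdir(pub)
    File.write(File.join(pub, "hello.txt"), "hello")
    File.write(File.join(dir, "secret.txt"), "top secret")
    {
      naive_traversal: naive_serve(pub, "../secret.txt"),
      naive_missing:   naive_serve(pub, "nope.txt"),
      safe_ok:         safe_serve(pub, "hello.txt"),
      safe_traversal:  safe_serve(pub, "../secret.txt"),
      safe_backslash:  safe_serve(pub, "\\../\\../secret.txt"),
      safe_missing:    safe_serve(pub, "nope.txt"),
    }
  end
end
```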
Making a Report
Be very specific.
Provide step-by-step instructions.
Include all the details needed in order to reproduce the issue.
Provide an attack scenario.
Why is it a big deal?
Can you access major private data?
Are you targeting a single user?
Provide screenshots if needed.
If you create a video, make it accurate, quick, and professional.
Good vs. Bad
Don’t copy and paste others’ published reports
Program #1 by reporter #1 (18 days ago)
Good vs. Bad
Program #2, Reporter #2 (Reported 11 days ago)
Original report
Original report on HackerOne (Reported a month ago)
Details!
http://blog.bugcrowd.com
Public Disclosure
Ask for permission before you publish anything
Varies with each program
BugCrowd – Just ask for each program.
HackerOne – Request public disclosure.
Email.
Some may decide not to disclose the vulnerability due to sensitive information.
Example Yahoo:
Configurations
Path
Internal IP addresses
Username/Password
Future of Bug Bounties
More and more companies will start to offer bounties (hopefully!)
Amazon
Apple
eBay
Sony (Surprise!!)
More companies offering money and not “swag”.
Fewer free bugs.
Achievements from Bug Bounties
Connections.
Free services from different companies.
Job offer(s).
Some cash.
Lots of experience.
Learn from your peers!
Read on how others are approaching different vulnerabilities:
@Securatary (http://uzbey.com/bbp-funding)
@FransRosen (http://detectify.com)
@BitQuark (http://bitquark.co.uk)
@Fin1te (http://fin1te.net)
More awesome researchers:
http://Bugcrowd.com/leaderboard
https://www.crowdcurity.com/hall-of-fame
http://Hackerone.com/thanks
Questions?
BEN SADEGHIPOUR (@NAHAMSEC)
HTTP://NAHAMSEC.COM