Bug Bounty for Beginners
- 2. about.me
Infosec analyst at iViZ techno sol. Pvt. Ltd.
Passionate Capture The Flag(CTF) player.
Started bug bounty recently; listed on a few Security
Acknowledgement Pages, a few $$$, a few t-shirts.
Member of the n|u community for the past 2 years 6 months.
- 3. today's talk
Prerequisites
Highlights
Initial Approach
Tools to tune
Automating on localhost.
Bug Submission/Reporting.
Demo…..
- 4. prerequisites
patience……… of course, YES!!!
Ninja Skills, NO!!!
Operating System and web browser, a matter of argument, so you select!!!
Have you read any of these?
OWASP Testing Guide v3
The Web Application Hacker's Handbook - 2nd Edition
RFC 2616 – HTTP/1.1
- 5. bug bounty program: highlights
Not limited to web applications, even networks and products.
Must be a Responsible Disclosure.
Lots of $$$ , gifts, t-shirts.
Test your: <script>alert("Bounty");</script>
- 6. initial approach
Did you read the scope?
Reconnaissance:
CMS, default pages, paths, plugins (robots.txt, phpinfo.php, .htaccess)
Various subdomains
Identify services
Understand the logic of any functionality.
Say No to SCANNERS!!!
- 8. tools to tune
Web Proxy (Burp Suite, Fiddler, OWASP ZAP, many others)
Must-have Firefox addons:
Web Developer
Tamper Data
Wappalyzer
FoxyProxy
User Agent Switcher
Live HTTP Headers
ClickJacking Defense (https://addons.mozilla.org/en-us/firefox/addon/clickjacking-defense-declar/)
and the counting goes on……………………
- 9. automating on localhost
Install a web server on your local system (WAMP, XAMPP).
Download and install the product (CMS) on your local web server.
Time to input and sleep:
Wfuzz
intellifuzz-xss (by @matthewdfuller)
Sqlmap
IronWASP (by @lavakumark)
- 10. Few techniques to bypass security measures
Brute-force
IP-based blocking, user-agent-based blocking.
Account locked, yet account accessible.
Cross-site request forgery
Token missing.
Token not time-boxed.
Token not validated.
Token not random.
UI Redressing/ClickJacking
Drag and Drop [discovered by Ahamed Nafeez (@skeptic_fx)]
Content Extraction (deprecated in modern browsers).
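The four CSRF token failures listed above (missing, not time-boxed, not validated, not random) map onto four properties a defender's token must have. The example below is added here and is not code from the talk; the `SERVER_KEY`, the 900-second lifetime and the `nonce.issued_at.mac` layout are assumptions chosen for the demo.

```python
# Added example: a CSRF token that avoids the four weaknesses in the slide.
# Layout (assumed for this demo): "<nonce>.<issued_at>.<hmac-sha256 hex>"
import hmac
import hashlib
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 900  # seconds a token stays valid (time-boxed)


def _mac(session_id: str, nonce: str, issued_at: int) -> str:
    """Bind nonce and issue time to the caller's session under the server key."""
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Mint a fresh token for one session (random nonce per call)."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)  # CSPRNG: "Token not random" fixed
    return f"{nonce}.{now}.{_mac(session_id, nonce, now)}"


def validate_token(session_id: str, token: Optional[str],
                   now: Optional[int] = None) -> bool:
    """True only if present, well-formed, unexpired, session-bound, MAC ok."""
    if not token:                      # "Token missing"
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, issued_str, mac = parts
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    now = int(time.time()) if now is None else now
    if issued_at > now or now - issued_at > TOKEN_LIFETIME:
        return False                   # "Token not time-boxed"
    expected = _mac(session_id, nonce, issued_at)
    # Constant-time comparison: "Token not validated" fixed without a timing leak
    return hmac.compare_digest(expected.encode(), mac.encode())
```

A token minted for one session fails for another because the session id is part of the MAC input, so a value leaked from one account cannot be replayed against a second.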
- 11. Bug Submission
Subject: Responsible Disclosure.
Nature/Description of the Bug.
Impact.
Testing Environment: OS, Browsers, Tools(if any).
Proof of Concept: Video (avi/flv), Screenshot.
- 13. Stored XSS through SVG
What is SVG?
Supported by modern browsers.
Dissection of the payload.
XML CDATA: all text in an XML document is parsed as markup by the parser, but text inside a CDATA section is not parsed as markup. To avoid parsing errors, script code can be wrapped in a CDATA section.
- 14. references / links
http://www.computersecuritywithethicalhacking.blogspot.in/
https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html
http://www.riyazwalikar.com
http://www.amolnaik4.blogspot.com
- 15. DEMO – Stored XSS on FACEBOOK
BY
Riyaz Ahemed Walikar
@riyazwalikar
http://www.riyazwalikar.com
- 16. QUESTIONS ?
THANK YOU!!!
twitter: @mehimansu
e-mail: me.himansu@gmail.com