Bug Bounty for Beginners
HIMANSHU KUMAR DAS
about.me

   Infosec analyst at iViZ techno sol. Pvt. Ltd.


   Passionate Capture The Flag(CTF) player.


   Started bug bounty hunting recently; listed on a few Security
    Acknowledgement Pages, a few $$$, a few t-shirts.


   Member of the n|u community for the past 2 years 6 months.
today's talk

    Prerequisites


    Highlights


    Initial Approach


    Tools to tune


    Automating on localhost.


    Bug Submission/Reporting.


    Demo…..
prerequisites
   patience……… of course, YES!!!


   Ninja Skills, NO!!!


   Operating system and web browser: a matter of argument, so you
    choose!!!


   Have you read any of these?
        OWASP Testing Guide v3
        The Web Application Hacker’s Handbook- 2nd Edition
        RFC 2616 – HTTP/1.1
bug bounty program: highlights

    Not limited to web applications; networks and products too.


    Must be a Responsible Disclosure.


    Lots of $$$, gifts, t-shirts.


    Test your: <script>alert("Bounty");</script>
initial approach


     Did you read the scope?


     Reconnaissance:
         CMS, default pages, paths, plugins (robots.txt, phpinfo.php, .htaccess)
         Various subdomains
         Identify services


     Understand the logic of any functionality.


     Say No to SCANNERS!!!
tools to tune
    Web proxy (Burp Suite, Fiddler, OWASP ZAP and many others)
    Must-have Firefox add-ons:
        Web Developer
        Tamper Data
        Wappalyzer
        FoxyProxy
        User Agent Switcher
        Live HTTP Headers
        ClickJacking Defense (https://addons.mozilla.org/en-us/firefox/addon/clickjacking-defense-declar/)
        and the list goes on…
automating on localhost


    Install a web server on your local system (WAMP, XAMPP).


    Download and install the product (CMS) on your local web server.


    Time to input and sleep:
        Wfuzz
        intellifuzz-xss (by @matthewdfuller)
        Sqlmap
        IronWASP (by @lavakumark)
Few techniques to bypass security measures



     Brute-force
         IP-based blocking, user-agent-based blocking.
         Account locked, yet account accessible.
     Cross-site request forgery
         Token missing.
         Token not time-boxed.
         Token not validated.
         Token not random.
     UI Redressing/ClickJacking
         Drag and Drop [discovered by Ahamed Nafeez (@skeptic_fx)]
         Content Extraction (deprecated in modern browsers).
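The four CSRF token gaps listed above (missing, not time-boxed, not validated, not random) map one-to-one onto checks a server must make. The code below is an added example, not from the talk: it issues a session-bound, HMAC-signed, time-limited token and a verifier that reports which of those checks failed. `SERVER_KEY` and `TOKEN_TTL` are assumed values.

```python
# Added example (not from the talk): a CSRF token scheme that closes the four
# gaps listed above, and a verifier that names the first failing check.
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process key; persist it in practice
TOKEN_TTL = 15 * 60                    # 15 minutes: the token is "time-boxed"

def _sign(session_id: str, issued: int, nonce: str) -> str:
    """MAC over session id, issue time and nonce, so none can be swapped."""
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id: str, now: int = None) -> str:
    """Token = issued_at.nonce.mac, bound to the session and to a CSPRNG nonce."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)            # "random": 128 bits from the OS CSPRNG
    return f"{issued}.{nonce}.{_sign(session_id, issued, nonce)}"

def verify_token(token, session_id: str, now: int = None) -> str:
    """Return 'ok' or the name of the first check that fails."""
    if not token:
        return "missing"                     # request carries no token at all
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return "malformed"
    now = int(time.time()) if now is None else now
    if now - issued > TOKEN_TTL or issued > now:
        return "expired"                     # an unbounded token could be replayed forever
    expected = _sign(session_id, issued, nonce)
    if not hmac.compare_digest(mac, expected):
        return "invalid"                     # tampered, or minted for another session
    return "ok"                              # "validated": present, fresh, ours, this session
```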
Bug Submission

    Subject: Responsible Disclosure.


    Nature/Description of the Bug.


    Impact.


    Testing Environment: OS, Browsers, Tools (if any).


    Proof Of Concept: Video(avi/flv), Screenshot.
DEMO
Stored XSS through SVG

    What is SVG?


    Supported by modern browsers.


    Dissection of the payload.
        XML CDATA: all text in an XML document is parsed by the XML parser,
         but text inside a CDATA section is passed through verbatim and not parsed as markup.
        To avoid XML parsing errors, script code can be wrapped in a CDATA section.
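Because the XML parser resolves the CDATA section, a `<script>` body wrapped in `<![CDATA[ ... ]]>` still comes out as the script element's text, which is what an upload filter should look at. The following is an added example, not the talk's demo code: it walks an SVG with the standard library parser and flags script elements, event-handler attributes and `javascript:`/`data:` hrefs. The two sample SVGs are constructed.

```python
# Added example: flag the active content an SVG upload can carry (not the
# talk's demo code; both sample SVGs below are constructed).
import xml.etree.ElementTree as ET

EVENT_PREFIX = "on"                       # onload=, onclick=, ...
SCRIPT_SCHEMES = ("javascript:", "data:")

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_bytes: bytes) -> list:
    """Return (reason, element) pairs for each piece of active content found.

    CDATA is resolved by the parser, so a payload in <script><![CDATA[...]]>
    shows up as the script element's .text and is caught by the tag check.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject", "iframe"):
            findings.append((f"<{tag}> element", el))
        for attr, value in el.attrib.items():
            a = _local(attr)                  # xlink:href -> href
            if a.startswith(EVENT_PREFIX):
                findings.append((f"event handler {a}", el))
            elif a == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append((f"href with scheme {value.split(':', 1)[0]}:", el))
    return findings

def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept an upload only when no active content was found."""
    return not svg_findings(svg_bytes)

# Constructed sample: the CDATA wrapper lets '<' and '&' appear in the script
# body without breaking XML well-formedness.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script><![CDATA[ if (1 < 2 && document) { alert("Bounty"); } ]]></script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
```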
references / links

    http://www.computersecuritywithethicalhacking.blogspot.in/


    https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf


    http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html



    http://www.riyazwalikar.com



    http://www.amolnaik4.blogspot.com
DEMO – Stored XSS on FACEBOOK
    by Riyaz Ahemed Walikar
    @riyazwalikar
    http://www.riyazwalikar.com
QUESTIONS ?

        THANK YOU!!!
twitter: @mehimansu
e-mail: me.himansu@gmail.com
