Bug Bounty 101 (Web Applications)
BEN SADEGHIPOUR (@NAHAMSEC) 
HTTP://NAHAMSEC.COM
Why bug bounties?
• Chances of finding bugs to put on your resume.
• Possibility of getting a job in the industry.
• Opportunity to make money while attending college.
• Fewer security breaches (hopefully).
• Better and more secure apps.
• More researchers from all over the world.
• More experience.
• More bugs.
What are some popular programs?
• Google:
  • Min. payout: $1337
  • Acquisitions’ min. payout: $100
  • Max. payout: $20,000
Google XXE (Custom XML)
What are some popular programs?
• Yahoo:
  • Min. payout: $50
  • Max. payout: $15,000
Flickr SQL Injection
• PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables-- -
Did I say SQL Injection?
• Remote Command execution
• PAYLOAD: order_id=-116564954 union select load_file("/etc/passwd"),2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -
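Both payloads above work for one reason: the order_id parameter is pasted into the SQL text, so the database parses attacker-supplied data as part of the query. The following is an added example (my code, not from the slides or from Flickr) that puts that anti-pattern beside its parameterized fix on a constructed in-memory SQLite table; the schema, rows and the tampered value are invented for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data; the schema is invented for this demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "print"), (2, "bob", "frame"), (3, "carol", "album")],
    )
    return con


def lookup_order_vulnerable(con, order_id):
    """Anti-pattern: the request parameter is pasted into the SQL string.
    Whatever the client sends is parsed as SQL, which is exactly what lets
    a 'union select ...' inside order_id append rows the query never meant
    to return."""
    sql = f"SELECT order_id, owner, item FROM orders WHERE order_id = {order_id}"
    return con.execute(sql).fetchall()


def parse_order_id(raw):
    """Allow-list validation: an order id is an integer and nothing else.
    Returns None for any value that does not parse as one."""
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def lookup_order_safe(con, order_id):
    """Hardened form: validate the type, then bind the value through a
    placeholder. The engine receives it as data, never as SQL text."""
    parsed = parse_order_id(order_id)
    if parsed is None:
        return []  # a real handler would answer HTTP 400 here
    return con.execute(
        "SELECT order_id, owner, item FROM orders WHERE order_id = ?", (parsed,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed tampered parameter value
    print("vulnerable:", lookup_order_vulnerable(db, tampered))  # every row
    print("safe:      ", lookup_order_safe(db, tampered))        # []
```

The validation step is not a substitute for the placeholder: binding is what stops the engine from interpreting the value, while the integer check just gives a clean 400 instead of a database error, which is the kind of error message that leaks schema details to a reporter (or anyone else).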
What are some popular programs?
• Facebook:
  • Min. payout: $500
  • Max. payout: Unknown (million dollars?)
  • Not enough details published by the researcher.
What are some popular programs?
• Microsoft (Online services):
  • Started on September 23, 2014
  • Min. payout: $500
  • Max. payout: Unknown
What are some popular programs?
• GitHub
• PayPal and Magento
• Twitter
• Square
• cPanel/WHMCS
Complete list: https://bugcrowd.com/list-of-bug-bounty-programs
What are some popular platforms?
• BugCrowd
  • Managed or unmanaged programs.
  • 13,300 researchers from all over the world.
  • 155 bounties.
  • 30,000+ submissions.
  • Max single payout: $13,000.
What are some popular platforms?
• CrowdCurity
  • Web application security.
  • Main focus on bitcoin.
  • ~1,500 researchers.
What are some popular platforms?
• SYNACK
  • Customer details: unknown.
  • Number of researchers: unknown.
  • Requires a written and a practical test.
  • Focused on web applications as well as:
    • Host
    • Mobile
    • Reverse engineering
    • Hardware
What are some popular platforms?
• HackerOne
  • “Security Inbox”.
  • 1,004 hackers thanked.
  • 71 public programs.
  • $1.58M bounties paid.
  • 4,987 bugs fixed.
  • Internet Bug Bounty: PHP, Ruby, Apache, etc.
The Basics of Bug Bounties
• Read the program rules:
  • Scope of the program.
  • Payout based on bug type.
  • Requirements.
  • How to get an account on their platform?
• Respect the program’s decisions.
• Respect other researchers.
• Quality vs. quantity.
  • Reputation in the industry.
• Don’t make any threats.
• Don’t ask for money or “swag” if it’s not mentioned in the rules.
• Don’t compare two programs.
  • Two programs = different budgets.
  • Don’t lie while comparing two programs.
• Don’t audit without permission.
  • Legal issues.
Quality vs. Quantity
• Most programs have an accurate reputation system:
  • Google.
  • PayPal.
  • Facebook.
  • BugCrowd (accuracy).
  • HackerOne (reputation).
• Better reputation = more opportunities:
  • Private events.
  • Private programs.
More isn’t always better: total points vs. accuracy.
Maximizing your payout
• Don’t doubt yourself.
  • You may still be the first to find it.
• Check everything!
  • Every parameter.
  • Every POST request.
  • User input validation.
  • Forms.
  • Profile pages.
  • Filters (can you bypass them?).
• Don’t go for the low-hanging fruit:
  • Higher payout for critical vulnerabilities.
  • You may find some low-severity bugs while looking for more critical ones.
  • Less chance of duplicates.
Methodology
• Pick a target.
• Pick an application.
• Pick a vulnerability type.
• Google:
  site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
Pick up a pattern
• Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.
• 3 SQL injections on Yahoo found by using Google:
  site:hk.*.yahoo.com + inurl:"id" + filetype:html
• Try the same idea with other programs.
• Profit!
Picking up a pattern? (Not my sponsors. Just vulnerable to the same bug.)
Ruby on Rails
• File name enumeration:
  • ../../../../../../etc/passwd
  • Possible full path disclosure (FPD).
  • File not found vs. 404?
  • CVE-2014-7829
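The slide's two observations belong together: a traversal bug lets "../" escape the public directory, and a handler that answers differently for "file outside the root" and "file missing" (or echoes the attempted path in its error) hands the reporter a full path disclosure even where the read itself is blocked. The following added example (mine, a generic illustration and not the Rails fix for CVE-2014-7829) shows a file resolver that canonicalizes before checking containment and returns one identical 404 for both cases; the temporary document root and its single file are constructed for the demo.

```python
import os
import tempfile


class NotFound(Exception):
    """One exception for 'outside the public root' and 'no such file', so the
    response cannot distinguish the two cases and no server path leaks into
    an error message (the full path disclosure the slide mentions)."""


def resolve_public_path(root, requested):
    """Map a user-supplied relative path onto a file under `root`, or raise NotFound.

    realpath() collapses '..' segments and follows symlinks *before* the
    containment check, so '../../../../../../etc/passwd' resolves to a
    path outside root and is rejected. Any URL decoding must already have
    happened by the time the path reaches this function."""
    root_real = os.path.realpath(root)
    # A leading '/' would make os.path.join discard root, so drop it first.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise NotFound()  # traversal attempt: same answer as a missing file
    if not os.path.isfile(candidate):
        raise NotFound()
    return candidate


def serve(root, requested):
    """Minimal handler returning (status, body). The 404 body is a constant,
    never the attempted filesystem path."""
    try:
        path = resolve_public_path(root, requested)
    except NotFound:
        return 404, b"Not Found"
    with open(path, "rb") as fh:
        return 200, fh.read()


def make_demo_root():
    """Constructed document root with one public file, for the demo/test."""
    root = tempfile.mkdtemp(prefix="public_")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    print(serve(root, "index.html"))                      # (200, b'<h1>hello</h1>')
    print(serve(root, "../../../../../../etc/passwd"))    # (404, b'Not Found')
    print(serve(root, "missing.html"))                    # (404, b'Not Found')
```

When triaging a report of this class, the second and third responses above are what you want to see byte-for-byte identical; if the traversal case returns a different status, a stack trace, or the resolved absolute path, the report is valid even when the file contents never came back.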
Making a Report
• Be very specific.
• Provide step-by-step instructions.
• Include all the details needed in order to reproduce the issue.
• Provide an attack scenario:
  • Why is it a big deal?
  • Can you access major private data?
  • Are you targeting a single user?
• Provide screenshots if needed.
• If you create a video, make it accurate, quick, and professional.
Good vs. Bad
• Don’t copy and paste others’ published reports.
  • Program #1 by reporter #1 (18 days ago)
  • Program #2, reporter #2 (reported 11 days ago)
  • Original report on HackerOne (reported a month ago)
Details! http://blog.bugcrowd.com
Public Disclosure
• Ask for permission before you publish anything.
• Varies with each program:
  • BugCrowd – just ask for each program.
  • HackerOne – request public disclosure.
  • Email.
• Some may decide not to disclose the vulnerability due to sensitive information. Example (Yahoo):
  • Configurations
  • Paths
  • Internal IP addresses
  • Username/password
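The four categories on the slide are exactly what a pre-disclosure review of a write-up should catch before it goes public. The following added example (mine, not from the slides or from any program's tooling) is a small scrubber that flags and replaces those categories in a draft; the regexes are my own and deliberately narrow (RFC 1918 ranges, `user:pass@` in URLs, `password:`/`user:` fields, common server root directories), and the draft excerpt with its host, credentials and path is constructed, not a real report.

```python
import re

# One entry per category from the slide: (name, pattern, replacement).
# Order matters: embedded URL credentials are scrubbed before the generic
# password rule so the whole user:pass pair disappears together. The
# (?!\[redacted\]) lookaheads make a second pass over clean text a no-op.
REDACTIONS = [
    ("url-credentials", re.compile(r"://[^/\s:@]+:[^/\s@]+@"), "://[redacted]@"),
    ("internal-ip", re.compile(
        r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"),
        "[internal-ip]"),
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(?!\[redacted\])\S+"),
        r"\1: [redacted]"),
    ("username", re.compile(r"(?i)\b(user(?:name)?)\s*[:=]\s*(?!\[redacted\])\S+"),
        r"\1: [redacted]"),
    ("server-path", re.compile(r"(?<![\w/])/(?:var|etc|home|usr|opt|srv)/[^\s\"']*"),
        "[path]"),
]


def redact(text):
    """Return (scrubbed_text, categories_hit). categories_hit lists which
    kinds of sensitive detail were present, in scrubbing order."""
    hits = []
    for name, pattern, replacement in REDACTIONS:
        text, count = pattern.subn(replacement, text)
        if count:
            hits.append(name)
    return text, hits


def safe_to_publish(text):
    """True only if none of the REDACTIONS patterns match the draft."""
    return not redact(text)[1]


# Constructed report excerpt; the host, credentials and path are made up.
SAMPLE_DRAFT = (
    "Config at /var/www/app/config/database.yml\n"
    "host: 10.12.3.44 user: deploy password: s3cret\n"
    "curl http://admin:hunter2@192.168.1.20/internal\n"
)

if __name__ == "__main__":
    cleaned, hits = redact(SAMPLE_DRAFT)
    print(cleaned)
    print("scrubbed:", hits)
```

Treat the hit list as a checklist for a human pass rather than a guarantee: pattern matching finds the obvious forms the slide names, while the judgement call (is the redacted path itself still informative? did a screenshot carry the same value?) stays with the reporter and the program.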
Future of Bug Bounties
• More and more companies will start to offer bounties (hopefully!):
  • Amazon
  • Apple
  • eBay
  • Sony (Surprise!!)
• More companies offering money and not “swag”.
• Fewer free bugs.
Achievements from Bug Bounties
• Connections.
• Free services from different companies.
• Job offer(s).
• Some cash.
• Lots of experience.
Learn from your peers!
• Read on how others are approaching different vulnerabilities:
  • @Securatary (http://uzbey.com/bbp-funding)
  • @FransRosen (http://detectify.com)
  • @BitQuark (http://bitquark.co.uk)
  • @Fin1te (http://fin1te.net)
• More awesome researchers:
  • http://Bugcrowd.com/leaderboard
  • https://www.crowdcurity.com/hall-of-fame
  • http://Hackerone.com/thanks
Questions? 
BEN SADEGHIPOUR (@NAHAMSEC) 
HTTP://NAHAMSEC.COM

Nbt con december-2014-slides
