Bug Bounty Hunter Methodology - Nullcon 2016

1

The Bug Hunter’s Methodology

2

Faraz Khan

● Bugcrowd Tech-OPS Team Member● Part time Hacker & Bug hunter● Writer at Securityidiots.com● Ex-Full time Penetration Tester

whoami

3

These Slides were originally developed and presented by Jason Haddix at Defcon 23 on August 6th

● Director of Technical Ops at Bugcrowd● Hacker & Bug hunter● #1 on all-time leaderboard bugcrowd 2014

Source of the Slides

@jhaddix

4

HackStuff

Better(and practically)

What this talk’s about...

And…LOTS of memes…. only some of them are funny

5

Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now)Step 3: Create kickass preso

Topics? BB philosophy shifts, discovery techniques, mapping methodology, common attack parameters, useful fuzz strings, bypass or

filter evasion techniques, new/awesome tooling

Note: All information is from Jason Haddix’s own methodology and public resource. No information from the Bugcrowd platform is obtained!

More Specifically

6

Philosophy

7

Differences from standard testing

Single-sourced Crowdsourced

● looking mostly for common-ish vulns

● not competing with others

● incentivized for count● payment based on sniff

test

● looking for vulns that aren’t as easy to find

● racing vs. time● competitive vs. others● incentivized to find

unique bugs● payment based on

impact not number of findings

8

Scenario while Standard Penetration Test

9

Scenario while Bounty Hunting

10

The regular methodologies

11

Discovery

12

Find the road less traveled^ means find the application (or parts of an application) less tested to avoid duplicate.

1. *.acme.com scope is your friend2. Find domains via Google (and others!)

a. Can be automated well via recon-ng and other tools.

3. Confirm the subdomain to be in Scope4. Port scan for obscure web servers or

services (on all domains)5. Find acquisitions and the bounty

acquisition rules6. Functionality changes or re-designs7. Mobile websites8. New mobile app versions

13

Tool: Recon-ng script (enumall.sh)

https://github.com/jhaddix/domain

14

LMGTFY

15

LMGTFY

16

DEMO: enumall.sh script

17

LMGTFY Google dorks on Exploit-Db

Link: https://www.exploit-db.com/google-hacking-database/

18

19

https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

20

Port scanning is not just for Netpen!

A full port scan of all your new found targets will usually yield #win:

● separate webapps● extraneous services ● Facebook had Jenkins Script console with no auth● IIS.net had rdp open vulnerable to MS12_020

nmap -sS -A -PN -p- --script=http-title dontscanme.bro

^ syn scan, OS + service fingerprint, no ping, all ports, http titles

Port Scanning!

21

Mapping

22

Mapping tips

● Google● *Smart* Directory Brute Forcing

● RAFT lists (included in Seclists)● SVN Digger (included in Seclists)● Git Digger

● Platform Identification:● Wapplyzer (Chrome)● Builtwith (Chrome)● retire.js (cmd-line or Burp)● Check CVE’s

● Auxiliary● WPScan● CMSmap

23

Just what the hack is SecList?

SecLists is the security tester's companion. It's a collection of multiple types of lists used

during security assessments, collected in one place. List types include usernames,

passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

The goal is to enable a security tester to pull this repo onto a new testing box and have

access to every type of list that may be needed.

This project is maintained by Daniel Miessler and Jason Haddix.

https://github.com/danielmiessler/SecLists

24

DEMO: Wapplyzer

25

DEMO: wpscan

26

Directory Bruteforce Workflow

After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control.

Example:

GET http://www.acme.com - 200GET http://www.acme.com/backlog/ - 404GET http://www.acme.com/controlpanel/ - 401 hmm.. okGET http://www.acme.com/controlpanel/[bruteforce here now]

27

Auth and Session

28

Auth (better be quick)Auth Related (more in logic and priv sections)

● Make sure they are in scope before submitting● User/pass discrepancy flaw● Registration page harvesting● Login page harvesting● Password reset page harvesting● No account lockout● Weak password policy● Password not required for account updates● Password reset tokens (no expiry or re-use)

29

Session (better be quick)

Session Related

● Failure to invalidate old cookies● No new cookies on login/logout/timeout● Never ending cookie length● Easily reversible cookie (base64 most often)

30

Tactical Fuzzing - XSS

31

XSS

Core Idea: Does the page functionality display something to the users?

For time sensitive testing the 80/20 rule applies. Many testers use Polyglot payloads. You probably have too!

32

XSS

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--

></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)

33

XSS

'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)

><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"

></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http:

//i.imgur.com/P8mL8.jpg">

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

34

XSS

“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//

Multi-context polyglot payload (Mathias Karlsson)

http://polyglot.innerht.ml/

35

XSS

36

Other XSS Observations

Input Vectors

Customizable Themes & Profiles via CSS

Event or meeting names

URI based

Imported from a 3rd party (think Facebook integration)

JSON POST Values (check returning content type)

File Upload names

Uploaded files (swf, HTML, ++)

Custom Error pages

fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’

Login and Forgot password forms

37

SWF Parameter XSS

38

DEMO: Flashbang

39

Tactical Fuzzing - SQLi

40

SQL Injection

Core Idea: Does the page look like it might need to call on stored data?

There exist some SQLi polyglots, i.e;

SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/

Works in single quote context, works in double quote context, works in “straight into query” context! (Mathias Karlsson)

41

SQL Injection

You can also leverage the large database of fuzzing lists from Seclists here:

42

SQL Injection Observations

Blind is predominant, Error based is highly unlikely.

‘%2Bbenchmark(3200,SHA1(1))%2B’‘+BENCHMARK(40000000,SHA1(1337))+’

SQLMap is king!

● Use -l to parse a Burp log file.● Use Tamper Scripts for blacklists.● SQLMapper Burp plugin works well to instrument SQLmap quickly.

Lots of injection in web services!

Common Parameters or Injection points

ID

Currency Values

Item number values

sorting parameters (i.e order, sort, etc)

JSON and XML values

Cookie values (really?)

Custom headers (look for possible integrations with CDN’s or WAF’s)

REST based Services

43

Burp Suite Extension

Burp allows you to use a range of addons/extensions which can be added from BAPP Store, you download and add manually or you can program your own script and add to Burp.

There are many cool Burp Extensions you can add to your collection to help you automate many manual tasks and make your life easier.

Example:- Autorize

- CO2

- Reflected Parameters

44

DEMO: Adding Burp Extension

45

DEMO: SQLMapper

46

SQLmap All Tamper Scripts

https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

47

SQLmap Targeted Tamper ScriptsGeneral: tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,

charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,

randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,

percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,

space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,

halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,

nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,

space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,

versionedmorekeywords,xforwardedfor

48

Best SQL injection resourcesDBMS Specific Resources

mySQL PentestMonkey's mySQL injection cheat sheetReiners mySQL injection Filter Evasion Cheatsheet

MSSQL EvilSQL's Error/Union/Blind MSSQL CheatsheetPentestMonkey's MSSQL SQLi injection Cheat Sheet

ORACLE PentestMonkey's Oracle SQLi Cheatsheet

POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet

Others Access SQLi CheatsheetPentestMonkey's Ingres SQL Injection Cheat Sheetpentestmonkey's DB2 SQL Injection Cheat Sheetpentestmonkey's Informix SQL Injection Cheat SheetSQLite3 Injection Cheat sheetRuby on Rails (Active Record) SQL Injection Guide

49

SSRF - A new face in Picture

50

SSRF (Server-Side Script Request Forgery)

Core Idea : Is there any external resource accessed by any parameter which could be controlled by us.

Polyglot : www.yoursite.com/your_resource

Simply capture the IP from which your resource is accessed. There we start, once we get the IP and we confirm that the resource is accessed by server-side, we are up with our game for SSRF.

51

SSRF Tools - Testing & ExploitationTools

Burp Scanner, other few scanners in market….

Testing

As we know SSRF does not need automated fuzzing, because once we confirm a resource is accessible from the Server-Side we can confirm SSRF/XFPA.

Exploitation

Once we have confirmed SSRF, we can move on to further exploitation which includes the following but not limited to:

1. Internal Server/Port Scan2. Access to File System3. SSRF via 306 Redirects4. Exploitation via other known Protocols

52

DEMO: SSRF

53

XXE - XML eXternal Entity

54

XML External Entity Injection

Core Idea : Trial & Error, find any XML upload request or any request which takes XML in input body.

Not very commonly we finds an application functionality which is dealing with XML inputs. But if we do, we might get lucky to find an XXE.

Here’s how it works, if the XML is getting parsed by the application and the External entities in the DTD (Document Type declaration) is resolved then it may lead to XXE. You can also try converting a JSON endpoint request to XML and try XML Injections.

55

XXE Tools - Testing & Exploitation

As the vulnerability is in its early stages we do not have any specific tool that totally concentrate on finding or exploiting XXE, but as per automated scanning/finding we have Burp scanner, other updated automated vulnerability scanner which are able to find XXE.

Simple Payload

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [

<!ELEMENT foo ANY >

<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

Exploitation:

Can be used to read system files + Other attacks SSRF is capable of.

56

DEMO: XXE

57

Tactical Fuzzing - FI & Uploads

58

Local file inclusionCore Idea: Does it (or can it) interact with the server file system?

Liffy is new and cool here but you can also use Seclists: Common Parameters or Injection points

file=

location=

locale=

path=

display=

load=

read=

retrieve=

59

Malicious File Upload ++

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

● content type spoofing● extension trickery● File in the hole! presentaion - http://goo.gl/VCXPh6

60

Malicious File Upload ++

This is an important and common attack vector in this type of testing

A file upload functions need a lot of protections to be adequately secure.

Attacks:

● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...

● Execute XSS via same types of files. Images as well!● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header● Bypass security zones and store malware on target site via file polyglots

61

CSRF

62

CSRF

Everyone knows CSRF but the TLDR here is find sensitive functions and attempt to CSRF.

Burps CSRF PoC is fast and easy for this:

63

CSRF

Many sites will have CSRF protection, focus on CSRF bypass!

Common bypasses:

● Remove CSRF token from request● Remove CSRF token parameter value● Add bad control chars to CSRF parameter value● Use a second identical CSRF param● Change POST to GET

Check this out...

64

CSRF

Debasish Mandal wrote a python tool to automate finding CSRF bypasses called Burpy.

Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all functions.

Step 2: Create a template...

65

DEMO: Burpy

66

CSRF

Or focus on pages without the token in Burp:

https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py

67

CSRFCSRF Common Critical functions

Add / Upload file Password change

Email change Transfer Money / Currency

Delete File Profile edit

CSRF N/A functions

Logout CSRF Public Forms

Forms that don’t make any change

68

Privilege, Transport, Logic

69

PrivilegeOften logic, priv, auth bugs are blurred.

Testing user priv: Here is how it should be:1. admin has power2. user has few permissions

And we are looking for functions which are only meant for the admin and are accessible by user.

70

Privilege1. Find site functionality that is restricted to certain

user types2. Try accessing those functions with lesser/other

user roles3. Try to directly browse to views with sensitive

information as a lesser priv user

Autorize Burp plugin is pretty neat here...

https://github.com/Quitten/Autorize

Common Functions or Views

Add user function

Delete user function

start project / campaign / etc function

change account info (pass, CC, etc) function

customer analytics view

payment processing view

any view with PII

71

DEMO: Autorize

72

Insecure direct object referencesIDORs are common place in bounties, and hard to catch with scanners.

Find any and all UIDs● increment● decrement● negative values● Attempt to perform sensitive functions

substituting another UID○ change password○ forgot password○ admin only functions

73

Idor’s

Common Functions , Views, or Files

Everything from the CSRF Table, trying cross account attacks

Sub: UIDs, user hashes, or emails

Images that are non-public

Receipts

Private Files (pdfs, ++)

Shipping info & Purchase Orders

Sending / Deleting messages

74

LogicLogic flaws that are tricky, mostly manual:

● substituting hashed parameters● step manipulation● use negatives in quantities● authentication bypass● application level DoS● Timing attacks

75

76

A simple logic Flaw

An online cute dog contest, the dog with the best average of likes wins.

1. Anyone can register and take part.2. Once a dog is registered, people can start liking or disliking

that dog.3. Everyone dislikes each other’s dogs to win the contest4. The dog with the best average wins the contest.5. Registration and votings gets closed 5 minutes before the

results are announced.

What is the Logic Flaw over here?

77

Auxiliary

78

The vulns formerly known as “noise”

● Content Spoofing or HTML injection● Referer leakage● security headers● path disclosure● clickjacking● ++

79

Things to take with you…

1. Crowdsourced testing is different enough to pay attention to2. Crowdsourcing focuses on the 20% because the 80% goes quick3. Data analysis can yield the most successfully attacked areas4. A 15 minute web test, done right, could yield a majority of your critical vulns5. Add polyglots to your toolbelt 6. Use SecLists to power your scanners7. Remember to periodically refresh your game with the wisdom of other techniques and

other approaches

Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas

80

Meme Count:

14

81

Attribution and Thanks

82

Tim Tomes - Recon-ng

Joe Giron - RFI params

Soroush Dalili - File in the Hole preso

Mathias Karlsson - polyglot research

Ashar Javed - polyglot/xss research

Ryan Dewhurst & Wpscan Team

Bitquark - for being a ninja, bsqli string

rotlogix - liffy LFI scanner

Arvind Doraiswamy - HTTPs, CSRF Burp Plugins

Barak Tawily - Autorize burp plugin

the RAFT list authors

Ferruh Mavituna - SVNDigger

Jaime Filson aka wick2o - GitDigger

Robert Hansen aka rsnake - polyglot / xss

Dan Crowley - polyglot research

Daniel Miessler - methodology, slide, and data contributions

My awesome team at Bugcrowd ( Ashley,Grant,Shpend,Fatih, Dan, Sean,Jay, Patrik ++)

Nullcon & All the bug hunting community!!!