By Ben Sadeghipour
Twitter.com/NahamSec
BenSadeghi@gmail.com
http://nahamsec.com
WHEN I GROW UP I WANT TO BE A (BUG) BOUNTY HUNTER
WHO AM I
• STUDENT AT CSUS.
• SECURITY ANALYST AT BUGCROWD.
• FREELANCER AND INDEPENDENT RESEARCHER SINCE 2014.
WHY BUG BOUNTIES?
• As a student:
  • Gives you a chance to work with great, successful and new companies.
  • You can put your work on your resume.
  • Job offer(s).
  • Make money on your own schedule.
• As a company:
  • Fewer security breaches (hopefully).
  • More researchers from across the world.
  • More experience.
  • Unique bugs.
WHERE CAN I START?
• Books:
  • The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Paperback – September 27, 2011 ($35)
  • The Mobile Application Hacker's Handbook, Paperback – February 24, 2015 ($54)
  • Android Hacker's Handbook ($30)
  • iOS Hacker's Handbook ($30)
• Twitter – Great communication tool between researchers.
• Online bug bounty communities:
  • Bugcrowd
  • HackerOne
  • CrowdCurity
  • Synack
TOOLS
• Firefox extensions:
  • Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP
  • Live HTTP Headers
  • User Agent Switcher – to test mobile versions of sites
  • Hackbar: helps with SQL and XSS testing; it also encodes and decodes strings and does ASCII conversion
• Burp Suite
  • WHAT DOESN'T IT DO?
• Conferences – Great networking tool
  • DefCon ~$150 (VEGAS)
  • BlackHat (VEGAS)
  • APPSEC (Varies)
BUGCROWD
• Managed or unmanaged programs.
• 16,000+ Researchers from all over the world.
• ~160 Bounties.
• 40,000+ Submissions.
• Max single payout: $13,000.
• Bugcrowd Forum.
• Lots of private programs (!)
HACKERONE
• "Security Inbox".
• 1,374 Hackers thanked.
• 84 Public programs.
• $2.78M Bounties paid.
• ~9,000 Bugs fixed.
• Internet Bug Bounty:
  • PHP
  • Ruby
  • Apache
  • Etc.
• Private programs (!)
SYNACK
• Who knows?
• Ex-NSA.
• Everything is unknown.
• Don't like to share.
CROWDCURITY
• CrowdCurity
• Web application security.
• Main focus on bitcoin.
• ~1700 Researchers.
• No public data.
WHO HAS A BUG BOUNTY?
WHO DOESN'T (obviously Sony!)
• https://bugcrowd.com/list-of-bug-bounty-programs
POPULAR YOU SAY?
• Why?
  • Yahoo pays a minimum of $50 and up to $15,000
  • Google pays a minimum of $100 and up to $20,000
  • Facebook pays a minimum of $500 and has no max payout
  • GitHub pays a minimum of $500
QUANTITY VS QUALITY?
• Most programs have an accurate reputation system:
  • Google.
  • Yahoo.
  • Bugcrowd (accuracy).
  • HackerOne (reputation).
• Better reputation = more opportunities:
  • Private events.
  • Private programs.
MAXIMIZING YOUR PAYOUT
• Don't doubt yourself.
  • You may still be the first to find it.
• Check everything!
  • Every parameter
  • Every POST request
  • User input validation
  • Forms
  • Profile pages
  • Filters (can you bypass them?)
• Don't go for the low-hanging fruit:
  • Higher payout for critical vulnerabilities.
  • You may find some low severity bugs while looking for more critical ones.
  • Less chance of duplicates.
METHODOLOGY
• Pick a target.
• Pick an application.
• Pick a vulnerability type.
• Google:
  • site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
PICK UP A PATTERN
• Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.
• 3 SQL injections on Yahoo found by using Google:
  • site:hk.*.yahoo.com + inurl:"id" + filetype:html
• Try the same vulnerability with other programs.
• Profit!
PICKING UP A PATTERN?
(Not my sponsors. Just vulnerable to the same bug)
MAKING A REPORT
• Be very specific.
• Provide step-by-step instructions.
• Include all the details needed in order to reproduce the issue.
• Provide an attack scenario.
  • Why is it a big deal?
  • Can you access major private data?
  • Are you targeting a single user?
• Provide screenshots if needed.
• If you create a video, make it accurate, quick, and professional.
• Ask for permission before you decide to publish your findings.
ACHIEVEMENTS FROM BUG BOUNTIES
• Connections.
• Free services from different companies.
• Job offer(s).
• Some cash.
• Lots of experience.
LEARN FROM YOUR PEERS!
• Read how others are approaching different vulnerabilities:
  • @NahamSec (http://nahamsec.com)
  • @Securatary (http://uzbey.com/bbp-funding)
  • @FransRosen (http://detectify.com)
  • @BitQuark (http://bitquark.co.uk)
  • @Fin1te (http://fin1te.net)
• More awesome researchers:
  • http://Bugcrowd.com/leaderboard
  • https://www.crowdcurity.com/hall-of-fame
  • http://Hackerone.com/thanks
QUESTIONS?
• Ben Sadeghipour (@NahamSec)
• http://nahamsec.com