SlideShare a Scribd company logo

Ekoparty 2017 - The Bug Hunter's Methodology

bugcrowd, profile picture
bugcrowd

The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.

Internet
1 of 58
Downloaded 181 times
1
2
3
4
5
6
7
8
9
Most read
10
11
12
Most read
13
14
15
16
17
18
19
20
21
22
23
24
25
Most read
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
The Bug Hunter’s Methodology
Let’s talk about goals... - Goal of this talk is to: - Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications - You probably already do a lot of these things... - Cover common vuln classes/types/categories from a high level - Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities - Hopefully everyone can learn at least one new thing from this... - Profit
$whoami - Hi, my name is Grant - Manager of Solutions Architecture at Bugcrowd - Previously an Application Security Engineer - Been around bug bounties a lot - In doing so, seen a lot of bugs, and the ways people find them - ASE, bug hunter, setting up/managing programs - Music on the side
About this workshop - Built off of Jason Haddix’s How To Shot Web talk given at DefCon 23 - Further added to by Jason Haddix’s Bug Hunter’s Methodology V2 talk at Bugcrowd’s LevelUp 2017 online-conference - I’ll be adding a few things of my own… - Consider this sort of a Tools of Titans for bug hunting - Incredible tools built by the community - Standing on the shoulders of giants - As best I can, I’ll give appropriate credit
One step back… bug bounties? - Bug bounties aren’t new, but they are growing - Netscape; growing into new spaces - #equifax - There’s an increasing incentive to find issues in the wild before they’re exploited - Part of a larger space called “crowdsourced security” - Advantages to bug bounties AKA crowdsourced security - Competition #firstToFind - Pay based on findings, and impact - Incentivized to find innovative, unique issues - But really, it’s as simple as… - 2 > 1; 500 > 2; … - More eyes tend to equal more results - Hone skills; have fun; hiring; #cash
Other... - Common guides/methodologies - AKA suggested “light” reading… - Once again, not just limited to bounties/responsible disclosure
Our Journey (we’ve got a long road ahead…) - Discovery - Mapping - Auth/Session - XSS - SQLi - File upload/AFI/LFI - CSRF - IDOR - SSRF - And much, much more!!!
Let’s get down to business #nextSlide
Discovery - Q: what’s the value in discovery? - A: a lot. - Specifically, because we want to find things that are less tested than flagship site (fresher attack surface = easier to find issues = more critical issues = more profit) - Scope - Today we’re going to assume open scope… - Always check scope - Where do we start? - *.tesla.com -- tons of amazing tools to help us here
Using search engines... - Use search engines to do the work for you… - (automated via recon-ng, etc) - Even better: enumall.py - Wrapper around recon-ng - google/bing/baidu/netcraft - Also does brute force - More on this later!
But wait, there’s more! - Sublist3r - Another subdomain finder/scraper - Each tool has its own merits (hits some different search engines) - Why not both? - Enter brutesubs by Anshuman - Sublist3r + enumall.py - + altdns - Some configuration required
On subdomain bruteforcing - A comparison of common subdomain brute forcing tools - using a 1,136,964 line subdomain dictionary - subbrute: errored out - gobuster: 21m15s; found 87 - massdns: 1m24s; found 213 - dns-parallel-prober: 42m2s; found 43 - blacksheepwall: 256m9s; found 61 - Credit: @jhaddix - Takeaway: - Massdns is pretty quick - Best tool for quickly getting a list of subdomains via brute force - Distributes resolvers (not all are reliable though)
That one million line file... - all.txt - Created by @jhaddix - A marriage of virtually every subdomain list ever (bitquark’s research, deep magic, etc) - THE definitive subdomain list - gist.github.com/jhaddix
Now that we have a ton of subdomains... How do we work through them quickly? - Screenshots! - Quickly see what’s on each host - Eyewitness - HTTPScreenshot - Aquatone - Can also do discovery - Relatively new - Only supported in Kali
Let’s not forget about - Mergers and acquisitions - (depending on scope; always check the scope -- ex: Google or Tesla) - Check: - Wikipedia - Crunchbase, etc - And iterate from there... - ASNs - (again, scope) - Reading up on disclosures - May be able to find these same issues on other parts of the app - See trends and ideas for what other people have found
Another discovery tool - Intrigue.io - OSINT framework; simple to integrate - DNS subdomain bruteforce - Web spider - nmap - API; over 45 built in tasks
Don’t forget port scanning - Why? - Ex1: facebook had an open jenkins script console with no auth - Ex2: exposed tomcat or coldfusion admin panels with default creds - And so on... - But what if there’s A LOT to scan… e.g. 65k hosts? - Masscan - 11m4s to scan 65k hosts for top 1000 ports
Github - Search Github for usernames/passwords/keys that developers might have left up. - Happens far more often than you’d think...
Mapping - Directory brute forcing - All about the lists -- and GoBuster - RAFT lists (included in seclists brute force) - Robots disallowed ^ - SVN Digger ^ - Git Digger
On brute forcing directories... After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce past here now]
What about brute forcing parameters? #whynot - parameth - tool with some heuristics to - help discover params - backslash-powered-scanner by portswigger - nice list of 2500 top alexa params
Mapping [2] - Platform identification: - Wapplyzer (chrome) - Extension; shows info on the tech stack for the site (based on headers, etc) - Builtwith (chrome) - ^ - retire.js (command line or Burp) - Notes any outdated libraries - VulnerScanner - github.com/vulnersCom/burp-vulners-scanner - Auxiliary: - If you find they're using a CMS… - WPScan - CMSmap
Remember... - None of this, despite how great these tools are, replaces actually walking and understanding the app.
Vuln discovery Still part of mapping - For reasons we’ve touched on… - (could inform ideas and places to test) - Resources: - xssed.com - reddit xss /r/xss - punkspider - xss.cx - xssposed.org - twitter searching (XSS + Tesla)
Auth and Session - Being quick is important - Many are OOS (username enumeration, etc) - Chaining… - Weak reset passwords (4 chars emailed) + login page brute force = complete account compromise - Session/auth things to think about/look for include: - Session fixation - Insufficient session expiration - No password on account changes (e.g. password) - Most people will ask for current password, but not always on email change - which, if you can control the email, then you can do a regular password reset! - Not expiring reset tokens after email changed, etc
Tactical fuzzing... #nextSlide
XSS - Does the page display something to the users? Is it dynamic? - Polyglot payloads… - Executes in multiple contexts, built-in filter evasion; blanket injection that can save time - You probably already use them... - Some favorites: - #1(from Rsnake’s XSS Cheat Sheet - now the OWASP XSS cheat sheet) - ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
More polyglots - #2 (Ashar Javed XSS Research) (http://slides.com/mscasharjaved/cross-site-scripting-my-love#/) - ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> - #3 (Mathias Karlsson) (http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// - #4 0xSobky’s “Ultimate XSS Polyglot” (https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()// >x3e
Finding XSS - Common places XSS tends to show up... - Customizable themes/profiles - Event meetings/names - URI based (redirect=) - Content imported from a 3rd party - (not sanitizing other data it's using) - File upload names - Uploaded files (swf/HTML) - Custom error messages - (injected page was not found...) - Fake params (foo=">) - JSON responses; check content type (IE only) - Login/forgot password forms - (an email has been sent to...)
SWF XSS - Flashvars - Common ones include: - onload - allowedDomain - movieplayer - xmlPath - ++ - Flashbang - Decompiles and parses the SWF file, and returns possible params to test
Blind XSS - Stored, but XSS that you can’t verify by hand - Some frameworks (because you want to use a framework) - sleepy-puppy (netflix) - Good for campaigns - Xsshunter - Most commonly used (it seems) - Gives back a lot of great info when it fires - Screenshot; cookies; email! - Does require a domain, wildcard SSL cert, mailgun account, and some setup, but is pretty slick when configured - Growing area; but there are questions about in/out of scope - Always check scope
One last resource on XSS - Jackmasa's XSS mindmap - Massive dump of tons of varying contexts and injections
SQL Injection - Does this page look like it might need to call on stored data? - There are some polyglots for SQLi - e.g. SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or"*/ - Mattias on polyglots - check out his pres: (https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - Seclists has a lot of fuzzlists for SQLi - Some observations/thoughts: - Not so much error-based these days; mostly blind - SQLMap is your friend… - Can use SQLMap with -L to parse Burp log files - Common params: - ID values; currency values; sorting params; JSON and XML values; cookie values; custom headers
SQLiPy - SQLiPy - Burp plugin - right click on any request, to send to SQLMap
SQLi DBMS specific resources... mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL Evil SQL Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
File uploads - Malicious file upload - Can we upload and run that content? - Possible attacks - Upload an unexpected file format to achieve code exec (php, jsp, aspx, ++) - Not so likely these days to get full on code execution :( - More likely to be able to upload an html file - leading to xss, etc - Execute XSS ^, also inject on the filename -- images as well → imagejs - Attack the parser to DoS the site or XSS via storing payloads in metadata or file header - XXE (often on pdf uploads, but other places as well) → oxml_xxe tool - Ex: Imagetragick (not XXE, but using file upload to get code exec) - Bypass security zones and store malware on target site via file polyglots - Files that execute in different contexts!
Local File Inclusion #LFI - Does it or can it interact with the server file system? - Tools: - Liffy → github.com/hvqzao/liffy - Seclists fuzzing list → - Common Parameters or Injection points - file= - location= - locale= - path= - display= - load= - read= - retrieve=
Arbitrary File Inclusion {AFI/RFI} - Common Parameters/Injection points - File= - document= - Folder= - root= - Path= - pg= - style= - pdf= - template= - php_path= - doc=
File includes and redirects - Look for any param with another web address in it. - A lot of the same params from LFI can often work here - Common bypasses include: - escape "/" with "/" or “//” with “//” - try single "/" instead of "//" - remove http i.e. "continue=//google.com" - “//” , “|/” , “/%09/” - encode, slashes - ”./” CHANGE TO “..//” - ”../” CHANGE TO “....//” - ”/” CHANGE TO “//”
Redirects - Common params/injection points - Anytime it's pulling from or pointing to a resource - try make it grab something else, or even point it to your own; ex: "redirect_to" giving back internal files /etc/passwd - etc. - dest= - continue= - redirect= - url= (or anything with “url” in it) - uri= (same as above) - window= - next=
CSRF - Burp PoC makes things pretty easy these days - Focus on bypasses - Removing the param - Using old values - Values from other sessions - Modifying the values, etc - Burpy (github.com/debasishm89/burpy) - Helps automate finding CSRF bypasses - Enable site logging in Burp; crawl the site, doing all the actions - Create a template, then run it against your log - Burpy then tries removing tokens, etc, and we can diff responses - Or focus on pages with no token… (github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py) - Keep in mind that it’s not always in the POST body...
CSRF - Common critical functions to check for CSRF - Need CSRF to be on something of value - Add/upload file - Password/email change - Delete file - Profile edit - And so on...
Privilege escalation - Can a given user level do what they otherwise shouldn’t be able to do? - Usually will need accounts of varying privileges - Common places to check - Add/delete/modify user - Change account info - Customer analytics view - - - - - - Things on the backend, where they never would have thought the lower level user would have the knowledge to make that request - A lot of apps just have the ‘vibe’ that they relied on security through obscurity
Autorize - Burp plugin (github.com/Quitten/Autorize) - Helps with privilege testing - Browse app with high priv user; then have it resend all those same requests authenticated as a lower priv user, and see what actions succeed
IDORs (insecure direct object references) - Near impossible to find with scanners - As a result, pretty common on bug bounties! - Can you access or modify something that’s not yours? - When testing… - Find any and all UIDs - Increment AND decrement - Try negative values - Attempt to perform sensitive actions using another user's ID - Change password - Forgot password - Admin only functions - Try not to modify other people's accounts; test only against what you own
IDORs - Other IDOR thoughts... - Try pretty much any sensitive action across accounts - Again, scanners won't really find these things... - We see them a LOT - Can you access without authentication, etc? - Note other UIDs or ways users are identified - hashes, emails, etc - Receipts (what happens if I put one less on my receipt?) - Same concept for files - Shipping/purchase order ids, etc - Messages sent/delete
IDOR example
Transport - Make sure everything is over HTTPS - Examples: - Sensitive images transported over HTTP - Login forms over HTTP - Analytics with session data / PII leaked over HTTP - ForceSSL - Tool that takes https links and tries them over http - github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
Logic - Logic flaws that are tricky, mostly manual: - substituting hashed parameters - step manipulation - use negatives in quantities (can you get money TO your account?) - authentication bypass - application level DoS - (massive parameter values, 999999 pages, etc) - Timing attacks
Server side template injection (SSTI) - Does the site use a templating engine? - A lot of times one can get code exec or file read - TPLmap - Like SQLmap for template injection - Covers a lot of the major templating engines (flask, etc) - Can even give shells! - Reviewing source code, you can see how to do this manually - Lot more manual content online, but worth looking into #notAnExpert
SSRF (Server Side Request Forgery) - Like LFI (same params, etc) - But some other things/ideas for you can do - For instance, possibly hitting internal machines or services that aren't accessible externally e.g. 127.0.0.1:8080/admin, etc - SSRF bible cheat sheet (google doc) - docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/ - Once again, #notAnExpert, but a PoC is usually easy enough to put together, and a clear demonstration of the issue is enough to get paid.
Subdomain Takeover - Going back to discovery… - Sometimes orgs forget about dangling cnames that were once setup for services. - All we have to do is find these pages waiting to be claimed… - Common forgotten services... - heroku - github - tumblr - shopify - squarespace - salesforce - desk - Aws (s3 buckets) - fastly - hubspot - and on and on
Subdomain Takeover - Don’t break ToS; often claiming the domain isn’t necessary - Some tools: - autoSubTakeover - HostileSubBruteforcer - Tko-subs - All do roughly the same thing; matter of preference.
Ok. Some notes... - Always read the scope. It’s important. - VRT - Where are people NOT testing? - APIs - Boring, but often untested - IDORs, etc (but loses XSS, etc) - Mobile apps - Which often boils down to an API - Binary apps - Web/ui testing is again, easier
Dealing with people... - People are temperamental creatures - Remember: - The person on the other side is a person - They have ups/downs - People to report to, etc - Bottom line: follow the golden rule - Treat others as you’d like to be treated - This also applies to reports - Demonstrating impact on a report is huge - They usually have to explain this to - non security people
One more tool... - Hunt! - Burp extension that looks for a lot of the params that we’ve talked about today! - github.com/bugcrowd/HUNT HUNT
Data Driven Assessment - How to test an app in n minutes... - Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings - Scan those specific functions with Burp’s built-in scanner - Check your cookies, log out, check cookies, log in, check cookies. Submit old cookies, see if there’s access. - Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically - Find numeric account identifiers anywhere in URLs and rotate them for context change - Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. - Directory brute for top short list on SecLists - Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
And that’s that. - There was a lot. - Hopefully you learned at least ONE thing - I learned a ton while putting this together! - Would love to talk, get feedback, etc. - @grantmcmusic - linkedin.com/in/grantmccracken

More Related Content

PPTX
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PDF
Offzone | Another waf bypass
Дмитрий Бумов
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PDF
XSS Magic tricks
GarethHeyes
 
PDF
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Offzone | Another waf bypass
Дмитрий Бумов
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
SSRF For Bug Bounties
OWASP Nagpur
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
XSS Magic tricks
GarethHeyes
 
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 

What's hot (20)

PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
PDF
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PPTX
Bug Bounty 101
Shahee Mirza
 
PPT
XSS Primer - Noob to Pro in 1 hour
snoopythesecuritydog
 
PDF
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PDF
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PDF
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
PPTX
Basics of Server Side Template Injection
Vandana Verma
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
PPTX
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
PDF
A Year in the Empire
Will Schroeder
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
PPTX
Recon and Bug Bounties - What a great love story!
Abhijeth D
 
PDF
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
PDF
Web Application Penetration Testing
Priyanka Aash
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Waf bypassing Techniques
Avinash Thapa
 
Bug Bounty 101
Shahee Mirza
 
XSS Primer - Noob to Pro in 1 hour
snoopythesecuritydog
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Chris Gates
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Introduction to Malware Analysis
Andrew McNicol
 
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Basics of Server Side Template Injection
Vandana Verma
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
A Year in the Empire
Will Schroeder
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
Recon and Bug Bounties - What a great love story!
Abhijeth D
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4hackers.com
 
Web Application Penetration Testing
Priyanka Aash
 
Ad

Viewers also liked (6)

PDF
Names and virtual host discovery
jekil
 
ODP
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 
PDF
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
PDF
Nexmo Chat App Map
Nexmo
 
PDF
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
PPTX
The Data Operating System: Changing the Digital Trajectory of Healthcare
Health Catalyst
 
Names and virtual host discovery
jekil
 
Hostile Subdomain Takeover by Ankit Prateek
OWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 
Nexmo Chat App Map
Nexmo
 
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
The Data Operating System: Changing the Digital Trajectory of Healthcare
Health Catalyst
 
Ad

Similar to Ekoparty 2017 - The Bug Hunter's Methodology (20)

PDF
DEFCON 23 - Jason Haddix - how do i shot web
Felipe Prado
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
PPTX
Owasp web application security trends
beched
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PPT
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
PDF
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
PDF
Tw noche geek quito webappsec
Thoughtworks
 
PPT
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
PPT
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
PDF
OpenFest 2012 : Leveraging the public internet
tkisason
 
PDF
[Russia] Bugs -> max, time &lt;= T
OWASP EEE
 
PDF
Hacking Web Apps by Brent White
EC-Council
 
PPTX
Find maximum bugs in limited time
beched
 
PDF
The Web Application Hackers Toolchain
jasonhaddix
 
PPT
Hack applications
enrizmoore
 
PPTX
Burp Suite is a powerful and widely-used tool
waudit1
 
PDF
DEF CON 23 - BRENT - white hacking web apps wp
Felipe Prado
 
DEFCON 23 - Jason Haddix - how do i shot web
Felipe Prado
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Owasp web application security trends
beched
 
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
Tw noche geek quito webappsec
Thoughtworks
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
OpenFest 2012 : Leveraging the public internet
tkisason
 
[Russia] Bugs -> max, time &lt;= T
OWASP EEE
 
Hacking Web Apps by Brent White
EC-Council
 
Find maximum bugs in limited time
beched
 
The Web Application Hackers Toolchain
jasonhaddix
 
Hack applications
enrizmoore
 
Burp Suite is a powerful and widely-used tool
waudit1
 
DEF CON 23 - BRENT - white hacking web apps wp
Felipe Prado
 

More from bugcrowd (19)

PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
PPTX
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
PPTX
7 Bug Bounty Myths, BUSTED
bugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bugcrowd
 
PPTX
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bugcrowd
 
PDF
Bug Bounty Tipping Point: Strength in Numbers
bugcrowd
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em
bugcrowd
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
PDF
Revitalizing Product Securtiy at Zephyr Health
bugcrowd
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
PPTX
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bugcrowd
 
PDF
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PPTX
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bugcrowd
 
PDF
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
PDF
Key Takeaways from Instructure's Successful Bug Bounty Program
bugcrowd
 
PDF
How to run a kick ass bug bounty program - Node Summit 2013
bugcrowd
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
7 Bug Bounty Myths, BUSTED
bugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bugcrowd
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bugcrowd
 
Bug Bounty Tipping Point: Strength in Numbers
bugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
If You Can't Beat 'Em, Join 'Em
bugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
Revitalizing Product Securtiy at Zephyr Health
bugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bugcrowd
 
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
Key Takeaways from Instructure's Successful Bug Bounty Program
bugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
bugcrowd
 

Recently uploaded (20)

PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
DOC
Rose毕业证学历认证,利物浦约翰摩尔斯大学毕业证国外本科毕业证
acoqwo
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PDF
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
PDF
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
Introduction to cybersecurity and digital nettiquette
shanefrancisjavier21
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPT
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
PPTX
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
PPT
250152213-Excitation-SystemWERRT (1).ppt
woldemariamworku2
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
Rose毕业证学历认证,利物浦约翰摩尔斯大学毕业证国外本科毕业证
acoqwo
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
💰 𝐔𝐊𝐓𝐈 𝐊𝐄𝐌𝐄𝐍𝐀𝐍𝐆𝐀𝐍 𝐊𝐈𝐏𝐄𝐑𝟒𝐃 𝐇𝐀𝐑𝐈 𝐈𝐍𝐈 𝟐𝟎𝟐𝟓 💰
GRAB
 
The Ikigai Template _ Recalibrate How You Spend Your Time.pdf
KinchitJain2
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Introduction to cybersecurity and digital nettiquette
shanefrancisjavier21
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Funds Management Learning Material for Beg
NKKumar16
 
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
t_and_OpenAI_Combined_two_pressentations
wuvjwfnaadbnzelauy
 
250152213-Excitation-SystemWERRT (1).ppt
woldemariamworku2
 
artificial intelligence overview of it and more
yafotin445
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 

Ekoparty 2017 - The Bug Hunter's Methodology

  • 2. Let’s talk about goals... - Goal of this talk is to: - Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications - You probably already do a lot of these things... - Cover common vuln classes/types/categories from a high level - Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities - Hopefully everyone can learn at least one new thing from this... - Profit
  • 3. $whoami - Hi, my name is Grant - Manager of Solutions Architecture at Bugcrowd - Previously an Application Security Engineer - Been around bug bounties a lot - In doing so, seen a lot of bugs, and the ways people find them - ASE, bug hunter, setting up/managing programs - Music on the side
  • 4. About this workshop - Built off of Jason Haddix’s How To Shot Web talk given at DefCon 23 - Further added to by Jason Haddix’s Bug Hunter’s Methodology V2 talk at Bugcrowd’s LevelUp 2017 online-conference - I’ll be adding a few things of my own… - Consider this sort of a Tools of Titans for bug hunting - Incredible tools built by the community - Standing on the shoulders of giants - As best I can, I’ll give appropriate credit
  • 5. One step back… bug bounties? - Bug bounties aren’t new, but they are growing - Netscape; growing into new spaces - #equifax - There’s an increasing incentive to find issues in the wild before they’re exploited - Part of a larger space called “crowdsourced security” - Advantages to bug bounties AKA crowdsourced security - Competition #firstToFind - Pay based on findings, and impact - Incentivized to find innovative, unique issues - But really, it’s as simple as… - 2 > 1; 500 > 2; … - More eyes tend to equal more results - Hone skills; have fun; hiring; #cash
  • 6. Other... - Common guides/methodologies - AKA suggested “light” reading… - Once again, not just limited to bounties/responsible disclosure
  • 7. Our Journey (we’ve got a long road ahead…) - Discovery - Mapping - Auth/Session - XSS - SQLi - File upload/AFI/LFI - CSRF - IDOR - SSRF - And much, much more!!!
  • 8. Let’s get down to business #nextSlide
  • 9. Discovery - Q: what’s the value in discovery? - A: a lot. - Specifically, because we want to find things that are less tested than flagship site (fresher attack surface = easier to find issues = more critical issues = more profit) - Scope - Today we’re going to assume open scope… - Always check scope - Where do we start? - *.tesla.com -- tons of amazing tools to help us here
  • 10. Using search engines... - Use search engines to do the work for you… - (automated via recon-ng, etc) - Even better: enumall.py - Wrapper around recon-ng - google/bing/baidu/netcraft - Also does brute force - More on this later!
  • 11. But wait, there’s more! - Sublist3r - Another subdomain finder/scraper - Each tool has its own merits (hits some different search engines) - Why not both? - Enter brutesubs by Anshuman - Sublist3r + enumall.py - + altdns - Some configuration required
  • 12. On subdomain bruteforcing - A comparison of common subdomain brute forcing tools - using a 1,136,964 line subdomain dictionary - subbrute: errored out - gobuster: 21m15s; found 87 - massdns: 1m24s; found 213 - dns-parallel-prober: 42m2s; found 43 - blacksheepwall: 256m9s; found 61 - Credit: @jhaddix - Takeaway: - Massdns is pretty quick - Best tool for quickly getting a list of subdomains via brute force - Distributes resolvers (not all are reliable though)
  • 13. That one million line file... - all.txt - Created by @jhaddix - A marriage of virtually every subdomain list ever (bitquark’s research, deep magic, etc) - THE definitive subdomain list - gist.github.com/jhaddix
  • 14. Now that we have a ton of subdomains... How do we work through them quickly? - Screenshots! - Quickly see what’s on each host - Eyewitness - HTTPScreenshot - Aquatone - Can also do discovery - Relatively new - Only supported in Kali
  • 15. Let’s not forget about - Mergers and acquisitions - (depending on scope; always check the scope -- ex: Google or Tesla) - Check: - Wikipedia - Crunchbase, etc - And iterate from there... - ASNs - (again, scope) - Reading up on disclosures - May be able to find these same issues on other parts of the app - See trends and ideas for what other people have found
  • 16. Another discovery tool - Intrigue.io - OSINT framework; simple to integrate - DNS subdomain bruteforce - Web spider - nmap - API; over 45 built in tasks
  • 17. Don’t forget port scanning - Why? - Ex1: facebook had an open jenkins script console with no auth - Ex2: exposed tomcat or coldfusion admin panels with default creds - And so on... - But what if there’s A LOT to scan… e.g. 65k hosts? - Masscan - 11m4s to scan 65k hosts for top 1000 ports
  • 18. Github - Search Github for usernames/passwords/keys that developers might have left up. - Happens far more often than you’d think...
  • 19. Mapping - Directory brute forcing - All about the lists -- and GoBuster - RAFT lists (included in seclists brute force) - Robots disallowed ^ - SVN Digger ^ - Git Digger
  • 20. On brute forcing directories... After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce past here now]
  • 21. What about brute forcing parameters? #whynot - parameth - tool with some heuristics to - help discover params - backslash-powered-scanner by portswigger - nice list of 2500 top alexa params
  • 22. Mapping [2] - Platform identification: - Wapplyzer (chrome) - Extension; shows info on the tech stack for the site (based on headers, etc) - Builtwith (chrome) - ^ - retire.js (command line or Burp) - Notes any outdated libraries - VulnerScanner - github.com/vulnersCom/burp-vulners-scanner - Auxiliary: - If you find they're using a CMS… - WPScan - CMSmap
  • 23. Remember... - None of this, despite how great these tools are, replaces actually walking and understanding the app.
  • 24. Vuln discovery Still part of mapping - For reasons we’ve touched on… - (could inform ideas and places to test) - Resources: - xssed.com - reddit xss /r/xss - punkspider - xss.cx - xssposed.org - twitter searching (XSS + Tesla)
  • 25. Auth and Session - Being quick is important - Many are OOS (username enumeration, etc) - Chaining… - Weak reset passwords (4 chars emailed) + login page brute force = complete account compromise - Session/auth things to think about/look for include: - Session fixation - Insufficient session expiration - No password on account changes (e.g. password) - Most people will ask for current password, but not always on email change - which, if you can control the email, then you can do a regular password reset! - Not expiring reset tokens after email changed, etc
  • 27. XSS - Does the page display something to the users? Is it dynamic? - Polyglot payloads… - Executes in multiple contexts, built-in filter evasion; blanket injection that can save time - You probably already use them... - Some favorites: - #1(from Rsnake’s XSS Cheat Sheet - now the OWASP XSS cheat sheet) - ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
  • 28. More polyglots - #2 (Ashar Javed XSS Research) (http://slides.com/mscasharjaved/cross-site-scripting-my-love#/) - ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> - #3 (Mathias Karlsson) (http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// - #4 0xSobky’s “Ultimate XSS Polyglot” (https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()// >x3e
  • 29. Finding XSS - Common places XSS tends to show up... - Customizable themes/profiles - Event meetings/names - URI based (redirect=) - Content imported from a 3rd party - (not sanitizing other data it's using) - File upload names - Uploaded files (swf/HTML) - Custom error messages - (injected page was not found...) - Fake params (foo=">) - JSON responses; check content type (IE only) - Login/forgot password forms - (an email has been sent to...)
  • 30. SWF XSS - Flashvars - Common ones include: - onload - allowedDomain - movieplayer - xmlPath - ++ - Flashbang - Decompiles and parses the SWF file, and returns possible params to test
  • 31. Blind XSS - Stored, but XSS that you can’t verify by hand - Some frameworks (because you want to use a framework) - sleepy-puppy (netflix) - Good for campaigns - Xsshunter - Most commonly used (it seems) - Gives back a lot of great info when it fires - Screenshot; cookies; email! - Does require a domain, wildcard SSL cert, mailgun account, and some setup, but is pretty slick when configured - Growing area; but there are questions about in/out of scope - Always check scope
  • 32. One last resource on XSS - Jackmasa's XSS mindmap - Massive dump of tons of varying contexts and injections
  • 33. SQL Injection - Does this page look like it might need to call on stored data? - There are some polyglots for SQLi - e.g. SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or"*/ - Mattias on polyglots - check out his pres: (https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - Seclists has a lot of fuzzlists for SQLi - Some observations/thoughts: - Not so much error-based these days; mostly blind - SQLMap is your friend… - Can use SQLMap with -L to parse Burp log files - Common params: - ID values; currency values; sorting params; JSON and XML values; cookie values; custom headers
  • 34. SQLiPy - SQLiPy - Burp plugin - right click on any request, to send to SQLMap
  • 35. SQLi DBMS specific resources... mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL Evil SQL Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
  • 36. File uploads - Malicious file upload - Can we upload and run that content? - Possible attacks - Upload an unexpected file format to achieve code exec (php, jsp, aspx, ++) - Not so likely these days to get full on code execution :( - More likely to be able to upload an html file - leading to xss, etc - Execute XSS ^, also inject on the filename -- images as well → imagejs - Attack the parser to DoS the site or XSS via storing payloads in metadata or file header - XXE (often on pdf uploads, but other places as well) → oxml_xxe tool - Ex: Imagetragick (not XXE, but using file upload to get code exec) - Bypass security zones and store malware on target site via file polyglots - Files that execute in different contexts!
  • 37. Local File Inclusion #LFI - Does it or can it interact with the server file system? - Tools: - Liffy → github.com/hvqzao/liffy - Seclists fuzzing list → - Common Parameters or Injection points - file= - location= - locale= - path= - display= - load= - read= - retrieve=
  • 38. Arbitrary File Inclusion {AFI/RFI} - Common Parameters/Injection points - File= - document= - Folder= - root= - Path= - pg= - style= - pdf= - template= - php_path= - doc=
  • 39. File includes and redirects - Look for any param with another web address in it. - A lot of the same params from LFI can often work here - Common bypasses include: - escape "/" with "/" or “//” with “//” - try single "/" instead of "//" - remove http i.e. "continue=//google.com" - “//” , “|/” , “/%09/” - encode, slashes - ”./” CHANGE TO “..//” - ”../” CHANGE TO “....//” - ”/” CHANGE TO “//”
  • 40. Redirects - Common params/injection points - Anytime it's pulling from or pointing to a resource - try make it grab something else, or even point it to your own; ex: "redirect_to" giving back internal files /etc/passwd - etc. - dest= - continue= - redirect= - url= (or anything with “url” in it) - uri= (same as above) - window= - next=
  • 41. CSRF - Burp PoC makes things pretty easy these days - Focus on bypasses - Removing the param - Using old values - Values from other sessions - Modifying the values, etc - Burpy (github.com/debasishm89/burpy) - Helps automate finding CSRF bypasses - Enable site logging in Burp; crawl the site, doing all the actions - Create a template, then run it against your log - Burpy then tries removing tokens, etc, and we can diff responses - Or focus on pages with no token… (github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py) - Keep in mind that it’s not always in the POST body...
  • 42. CSRF - Common critical functions to check for CSRF - Need CSRF to be on something of value - Add/upload file - Password/email change - Delete file - Profile edit - And so on...
  • 43. Privilege escalation - Can a given user level do what they otherwise shouldn’t be able to do? - Usually will need accounts of varying privileges - Common places to check - Add/delete/modify user - Change account info - Customer analytics view - - - - - - Things on the backend, where they never would have thought the lower level user would have the knowledge to make that request - A lot of apps just have the ‘vibe’ that they relied on security through obscurity
  • 44. Autorize - Burp plugin (github.com/Quitten/Autorize) - Helps with privilege testing - Browse app with high priv user; then have it resend all those same requests authenticated as a lower priv user, and see what actions succeed
  • 45. IDORs (insecure direct object references) - Near impossible to find with scanners - As a result, pretty common on bug bounties! - Can you access or modify something that’s not yours? - When testing… - Find any and all UIDs - Increment AND decrement - Try negative values - Attempt to perform sensitive actions using another user's ID - Change password - Forgot password - Admin only functions - Try not to modify other people's accounts; test only against what you own
  • 46. IDORs - Other IDOR thoughts... - Try pretty much any sensitive action across accounts - Again, scanners won't really find these things... - We see them a LOT - Can you access without authentication, etc? - Note other UIDs or ways users are identified - hashes, emails, etc - Receipts (what happens if I put one less on my receipt?) - Same concept for files - Shipping/purchase order ids, etc - Messages sent/delete
  • 48. Transport - Make sure everything is over HTTPS - Examples: - Sensitive images transported over HTTP - Login forms over HTTP - Analytics with session data / PII leaked over HTTP - ForceSSL - Tool that takes https links and tries them over http - github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
  • 49. Logic - Logic flaws that are tricky, mostly manual: - substituting hashed parameters - step manipulation - use negatives in quantities (can you get money TO your account?) - authentication bypass - application level DoS - (massive parameter values, 999999 pages, etc) - Timing attacks
  • 50. Server side template injection (SSTI) - Does the site use a templating engine? - A lot of times one can get code exec or file read - TPLmap - Like SQLmap for template injection - Covers a lot of the major templating engines (flask, etc) - Can even give shells! - Reviewing source code, you can see how to do this manually - Lot more manual content online, but worth looking into #notAnExpert
  • 51. SSRF (Server Side Request Forgery) - Like LFI (same params, etc) - But some other things/ideas for you can do - For instance, possibly hitting internal machines or services that aren't accessible externally e.g. 127.0.0.1:8080/admin, etc - SSRF bible cheat sheet (google doc) - docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/ - Once again, #notAnExpert, but a PoC is usually easy enough to put together, and a clear demonstration of the issue is enough to get paid.
  • 52. Subdomain Takeover - Going back to discovery… - Sometimes orgs forget about dangling cnames that were once setup for services. - All we have to do is find these pages waiting to be claimed… - Common forgotten services... - heroku - github - tumblr - shopify - squarespace - salesforce - desk - Aws (s3 buckets) - fastly - hubspot - and on and on
  • 53. Subdomain Takeover - Don’t break ToS; often claiming the domain isn’t necessary - Some tools: - autoSubTakeover - HostileSubBruteforcer - Tko-subs - All do roughly the same thing; matter of preference.
  • 54. Ok. Some notes... - Always read the scope. It’s important. - VRT - Where are people NOT testing? - APIs - Boring, but often untested - IDORs, etc (but loses XSS, etc) - Mobile apps - Which often boils down to an API - Binary apps - Web/ui testing is again, easier
  • 55. Dealing with people... - People are temperamental creatures - Remember: - The person on the other side is a person - They have ups/downs - People to report to, etc - Bottom line: follow the golden rule - Treat others as you’d like to be treated - This also applies to reports - Demonstrating impact on a report is huge - They usually have to explain this to - non security people
  • 56. One more tool... - Hunt! - Burp extension that looks for a lot of the params that we’ve talked about today! - github.com/bugcrowd/HUNT HUNT
  • 57. Data Driven Assessment - How to test an app in n minutes... - Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings - Scan those specific functions with Burp’s built-in scanner - Check your cookies, log out, check cookies, log in, check cookies. Submit old cookies, see if there’s access. - Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically - Find numeric account identifiers anywhere in URLs and rotate them for context change - Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. - Directory brute for top short list on SecLists - Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
  • 58. And that’s that. - There was a lot. - Hopefully you learned at least ONE thing - I learned a ton while putting this together! - Would love to talk, get feedback, etc. - @grantmcmusic - linkedin.com/in/grantmccracken