Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter

Post on 24-Jan-2017


Transcript of Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter

SQUASHING BUGS Introduction to Bug Bounties

SESSION OUTLINE
Introduction to Bug Bounties 2:05-2:15
How to find bugs hands-on 2:15-2:35
How to use popular bug bounty programs 2:35-2:45
Case evaluation: Facebook page takeover bug 2:45-2:55
Conclusions and surprises 2:55 onwards

INTRODUCTION

BUG BOUNTY A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.

These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.

Bug bounty programs have been implemented by Facebook, Yahoo!, Google, Reddit, Square and Microsoft.

REWARDS
Hall of fame(s)
$$$
Study grants and scholarships for research
Recognition

FAQS & MISCONCEPTIONS
I do not have any of those fancy security research tools
I do not have excellent coding knowledge
How do I begin and where do I begin?

WHAT YOU NEED
Be able to read and understand code
Keep an open eye for different attack possibilities
Keep updated with the latest attacks and see their POCs (Proof of Concept)

Differentiate between bugs and false positives (https://www.facebook.com/notes/facebook-bug-bounty/commonly-submitted-false-positives/744066222274273 )

Don’t give up!

FLOW
Know about bugs! Refer to the OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Use a testing guide! OWASP Testing Project (https://www.owasp.org/images/1/19/OTGv4.pdf )
Follow researchers and their updates!

FAMOUS RESEARCHERS http://www.breaksec.com/?page_id=6002 http://homakov.blogspot.in/ https://bitquark.co.uk/blog/ https://nealpoole.com/blog/ http://nahamsec.com/ http://stephensclafani.com/ http://insertco.in/articles arunsureshkumar.me

PRACTICE AT http://www.dvwa.co.uk/ https://www.vulnhub.com/ https://github.com/WebGoat/WebGoat

HANDS ON Search “Google dorks” to find vulnerable websites. Sample strings: inurl:admin_login.php site:.pk
SQL Injection string to be entered in username and password fields: ' or 1=1--
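To show why the string quoted on this slide logs an attacker in, and why a correctly written login is not affected, here is an added example (not from the original slides) that runs the same ' or 1=1-- input against a login query built by string concatenation and against the parameterised form, using an in-memory SQLite database with one constructed user:

```python
"""Added example: the slide's ' or 1=1-- string against a concatenated login
query versus a parameterised one. In-memory SQLite, constructed sample user;
not code from the original slides."""
import sqlite3

INJECTION = "' or 1=1--"   # the string quoted on the slide


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text password only so the query logic stays visible; a real
    # application stores a salted password hash instead.
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Builds the SQL by string concatenation: the classic injectable form."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    # With INJECTION as the username the statement becomes
    #   ... WHERE username = '' or 1=1--' AND password = '...'
    # so '--' comments out the password check and 1=1 is always true.
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn, username: str, password: str) -> bool:
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Runs both variants with valid credentials and with the slide's string."""
    conn = make_db()
    return {
        "vulnerable_valid": vulnerable_login(conn, "alice", "s3cret"),
        "vulnerable_injected": vulnerable_login(conn, INJECTION, INJECTION),
        "safe_valid": safe_login(conn, "alice", "s3cret"),
        "safe_injected": safe_login(conn, INJECTION, INJECTION),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The vulnerable variant accepts the injected input without knowing any password; the parameterised variant rejects it, which is the check you want to see when reviewing a login handler.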

BURP SUITE Burp Suite is an integrated platform for performing security testing of applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

(It is one of the most awesome tools I have ever come across. There are a lot of features you can use; just make sure you understand each and every function of Burp Suite.) I’m sure you know all the functionality will make your task way easier if it is related to security. But be sure to manually validate your findings, as it does report false positives.

Download: http://portswigger.net/burp/download.html

USING BUG BOUNTY PLATFORMS

FACEBOOK WHITEHAT https://www.facebook.com/whitehat

HACKERONE https://hackerone.com/internet-bug-bounty

GITHUB SECURITY https://bounty.github.com/

INTERNET BUG BOUNTY https://internetbugbounty.org/

PAYTM https://paytm.com/offer/bug-bounty/

OLA https://www.olacabs.com/whitehat

MOBIKWIK https://www.mobikwik.com/bug-bounty

OTHERS http://bugsheet.com/directory https://www.mozilla.org/en-US/security/bug-bounty/ https://bugcrowd.com/

SOME TERMS USED IN CLASS IDOR: Insecure Direct Object Reference

https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Rate Limiting: http://www.websecresearch.com/2014/05/a-way-to-bypass-rate-limiting.html

RESOURCES TO SCAN WEBSITES

https://hackertarget.com/joomla-security-scan/ https://hackertarget.com/wordpress-security-scan/ https://hackertarget.com/drupal-security-scan/ https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files https://www.magereport.com/ https://pentest-tools.com/information-gathering/find-subdomains-of-domain http://savanttools.com/test-frame https://bugcrowd.com/resources https://www.ssllabs.com/ssltest/ http://www.kitterman.com/spf/validate.html https://forum.bugcrowd.com/t/researcher-resources-tools/167 https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102

RESOURCES Tamper Data: Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests. If you are not familiar with it, take a look at it once; it is very helpful in identifying CSRF issues as well as finding IDOR. Download: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Live HTTP Headers: To be very frank, I rarely use this extension, as it has exactly the same function as Tamper Data; the only difference is that you can capture and replay within the same session. Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

Default User Agent Switcher: It gives you the ability to change your user agent. Basically I use it to find the mobile version of any site, and you may utilize it whenever you want to see the mobile version of any website. Mostly developers host the mobile version on m.xyzdomain.com, but sometimes the website loads the mobile version after detecting the user agent. With this extension you can change the user agent to a mobile one and view the mobile version of the site. Download: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Hackbar: It helps with SQL injection as well as XSS testing; it also encodes and decodes strings and does ASCII conversion. This extension will help you in exploiting SQL injections and XSS holes. If you know what you’re doing, this extension will help you do it faster. If you want to learn SQL exploitation, you can also use this extension, but you will probably also need a book, a lot of Google and a brain :) Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

FREEBIES http://www.autodesk.com/education/free-software/all https://aws.amazon.com/grants/ https://education.github.com/pack

LINKS TO CASE STUDIES Facebook Page Takeover Bug: http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/

Ola Free Rides Bug: https://blog.appknox.com/major-bug-in-ola-app-can-make-you-either-rich-or-poor/

CONTACT Avi Sharma – 7830993535 – sharma.avi14@stu.upes.ac.in

THANK YOU