Bug Bounty Hunter Methodology - Nullcon 2016

1
The Bug Hunter’s
Methodology

2
Faraz Khan
● Bugcrowd Tech-OPS Team Member
● Part time Hacker & Bug hunter
● Writer at Securityidiots.com
● Ex-Full time Penetration Tester
whoami

3
These Slides were originally developed and presented by
Jason Haddix at Defcon 23 on August 6th
● Director of Technical Ops at Bugcrowd
● Hacker & Bug hunter
● #1 on all-time leaderboard bugcrowd 2014
Source of the Slides
@jhaddix

4
Hack
Stuff
Better
(and practically)
What this talk’s about...
And…LOTS of memes…. only some of them are funny

5
Step 1: Started with my bug hunting methodology
Step 2: Parsed some of the top bug hunters’ research (web/mobile only for now)
Step 3: Create kickass preso
Topics? BB philosophy shifts, discovery techniques, mapping
methodology, common attack parameters, useful fuzz strings, bypass or
filter evasion techniques, new/awesome tooling
Note: All information is from Jason Haddix’s own methodology and public resource. No
information from the Bugcrowd platform is obtained!
More Specifically

7
Differences from standard testing
Single-sourced Crowdsourced
● looking mostly for
common-ish vulns
● not competing with
others
● incentivized for count
● payment based on sniff
test
● looking for vulns that
aren’t as easy to find
● racing vs. time
● competitive vs. others
● incentivized to find
unique bugs
● payment based on
impact not number of
findings

8
Scenario while Standard Penetration Test

9
Scenario while Bounty Hunting

12
Find the road less traveled
^ means find the application (or parts of an
application) less tested to avoid duplicate.
1. *.acme.com scope is your friend
2. Find domains via Google (and others!)
a. Can be automated well via recon-ng
and other tools.
3. Confirm the subdomain to be in Scope
4. Port scan for obscure web servers or
services (on all domains)
5. Find acquisitions and the bounty
acquisition rules
6. Functionality changes or re-designs
7. Mobile websites
8. New mobile app versions

13
Tool: Recon-ng script (enumall.sh)
https://github.com/jhaddix/domain

17
LMGTFY Google dorks on Exploit-Db
Link: https://www.exploit-db.com/google-hacking-database/

19
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

20
Port scanning is not just for Netpen!
A full port scan of all your new found targets will usually
yield #win:
● separate webapps
● extraneous services
● Facebook had Jenkins Script console with no auth
● IIS.net had rdp open vulnerable to MS12_020
nmap -sS -A -PN -p- --script=http-title dontscanme.bro
^ syn scan, OS + service fingerprint, no ping, all ports,
http titles
Port Scanning!

22
Mapping tips
● Google
● *Smart* Directory Brute Forcing
● RAFT lists (included in Seclists)
● SVN Digger (included in Seclists)
● Git Digger
● Platform Identification:
● Wapplyzer (Chrome)
● Builtwith (Chrome)
● retire.js (cmd-line or Burp)
● Check CVE’s
● Auxiliary
● WPScan
● CMSmap

23
Just what the hack is SecList?
SecLists is the security tester's companion. It's a collection of multiple types of lists used
during security assessments, collected in one place. List types include usernames,
passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
The goal is to enable a security tester to pull this repo onto a new testing box and have
access to every type of list that may be needed.
This project is maintained by Daniel Miessler and Jason Haddix.
https://github.com/danielmiessler/SecLists

26
Directory Bruteforce Workflow
After bruteforcing look for other status codes indicating you are denied or require auth then
append list there to test for misconfigured access control.
Example:
GET http://www.acme.com - 200
GET http://www.acme.com/backlog/ - 404
GET http://www.acme.com/controlpanel/ - 401 hmm.. ok
GET http://www.acme.com/controlpanel/[bruteforce here now]

28
Auth (better be quick)
Auth Related (more in logic and priv sections)
● Make sure they are in scope before submitting
● User/pass discrepancy flaw
● Registration page harvesting
● Login page harvesting
● Password reset page harvesting
● No account lockout
● Weak password policy
● Password not required for account updates
● Password reset tokens (no expiry or re-use)

29
Session (better be quick)
Session Related
● Failure to invalidate old cookies
● No new cookies on login/logout/timeout
● Never ending cookie length
● Easily reversible cookie (base64 most often)

31
XSS
Core Idea: Does the page functionality display something to the users?
For time sensitive testing the 80/20 rule
applies. Many testers use Polyglot payloads.
You probably have too!

32
XSS
';alert(String.fromCharCode(88,83,83))//';alert(String.
fromCharCode(88,83,83))//";alert(String.fromCharCode
(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>
Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)

33
XSS
'">><marquee><img src=x onerror=confirm(1)></marquee>"
></plaintext></|><plaintext/onmouseover=prompt(1)
><script>prompt(1)</script>@gmail.com<isindex
formaction=javascript:alert(/XSS/) type=submit>'-->"
></script><script>alert(1)</script>"><img/id="confirm(
1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http:
//i.imgur.com/P8mL8.jpg">
Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

34
XSS
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
Multi-context polyglot payload (Mathias Karlsson)
http://polyglot.innerht.ml/

36
Other XSS
Observations
Input Vectors
Customizable Themes & Profiles via CSS
Event or meeting names
URI based
Imported from a 3rd party (think Facebook integration)
JSON POST Values (check returning content type)
File Upload names
Uploaded files (swf, HTML, ++)
Custom Error pages
fake params - ?realparam=1&foo=bar’+alert(/XSS/)+’
Login and Forgot password forms

40
SQL Injection
Core Idea: Does the page look like it might need to call on stored data?
There exist some SQLi polyglots, i.e;
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
Works in single quote context, works in double quote context, works in “straight into query”
context! (Mathias Karlsson)

41
SQL Injection
You can also leverage the large database of
fuzzing lists from Seclists here:

42
SQL Injection Observations
Blind is predominant, Error based is highly unlikely.
‘%2Bbenchmark(3200,SHA1(1))%2B’
‘+BENCHMARK(40000000,SHA1(1337))+’
SQLMap is king!
● Use -l to parse a Burp log file.
● Use Tamper Scripts for blacklists.
● SQLMapper Burp plugin works well to instrument SQLmap quickly.
Lots of injection in web services!
Common Parameters or Injection points
ID
Currency Values
Item number values
sorting parameters (i.e order, sort, etc)
JSON and XML values
Cookie values (really?)
Custom headers (look for possible
integrations with CDN’s or WAF’s)
REST based Services

43
Burp Suite Extension
Burp allows you to use a range of addons/extensions
which can be added from BAPP Store, you download
and add manually or you can program your own script
and add to Burp.
There are many cool Burp Extensions you can add to
your collection to help you automate many manual
tasks and make your life easier.
Example:
- Autorize
- CO2
- Reflected Parameters

44
DEMO:
Adding Burp Extension

46
SQLmap All Tamper Scripts
https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,
base64encode,between,bluecoat,chardoubleencode,charencode,
charunicodeencode,concat2concatws,equaltolike,greatest,
halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,
modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,
percentage,randomcase,randomcomments,securesphere,space2comment,
space2dash,space2hash,space2morehash,space2mssqlblank,
space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,
space2randomblank,sp_password,unionalltounion,unmagicquotes,
versionedkeywords,versionedmorekeywords

47
SQLmap Targeted Tamper Scripts
General: tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,
charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,
randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,
percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,
space2plus,space2randomblank,unionalltounion,unmagicquotes
MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,
halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,
nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,
space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,
versionedmorekeywords,xforwardedfor

48
Best SQL injection resources
DBMS Specific Resources
mySQL PentestMonkey's mySQL injection cheat sheet
Reiners mySQL injection Filter Evasion Cheatsheet
MSSQL EvilSQL's Error/Union/Blind MSSQL Cheatsheet
PentestMonkey's MSSQL SQLi injection Cheat Sheet
ORACLE PentestMonkey's Oracle SQLi Cheatsheet
POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet
Others Access SQLi Cheatsheet
PentestMonkey's Ingres SQL Injection Cheat Sheet
pentestmonkey's DB2 SQL Injection Cheat Sheet
pentestmonkey's Informix SQL Injection Cheat Sheet
SQLite3 Injection Cheat sheet
Ruby on Rails (Active Record) SQL Injection Guide

49
SSRF - A new face in Picture

50
SSRF (Server-Side Script Request Forgery)
Core Idea : Is there any external resource accessed by any
parameter which could be controlled by us.
Polyglot : www.yoursite.com/your_resource
Simply capture the IP from which your resource is accessed. There we start,
once we get the IP and we confirm that the resource is accessed by server-
side, we are up with our game for SSRF.

51
SSRF Tools - Testing & Exploitation
Tools
Burp Scanner, other few scanners in market….
Testing
As we know SSRF does not need automated fuzzing, because once we confirm a resource is accessible from the Server-Side
we can confirm SSRF/XFPA.
Exploitation
Once we have confirmed SSRF, we can move on to further exploitation which includes the following but not limited to:
1. Internal Server/Port Scan
2. Access to File System
3. SSRF via 306 Redirects
4. Exploitation via other known Protocols

54
XML External Entity Injection
Core Idea : Trial & Error, find any XML upload request or
any request which takes XML in input body.
Not very commonly we finds an application functionality which is
dealing with XML inputs. But if we do, we might get lucky to find an
XXE.
Here’s how it works, if the XML is getting parsed by the application and
the External entities in the DTD (Document Type declaration) is
resolved then it may lead to XXE. You can also try converting a JSON
endpoint request to XML and try XML Injections.

55
XXE Tools - Testing & Exploitation
As the vulnerability is in its early stages we do not have any specific tool that totally concentrate on finding or exploiting
XXE, but as per automated scanning/finding we have Burp scanner, other updated automated vulnerability scanner which
are able to find XXE.
Simple Payload
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
Exploitation:
Can be used to read system files + Other attacks SSRF is capable of.

57
Tactical Fuzzing - FI & Uploads

58
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists: Common Parameters or Injection points
file=
location=
locale=
path=
display=
load=
read=
retrieve=

59
Malicious File Upload ++
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
● content type spoofing
● extension trickery
● File in the hole! presentaion - http://goo.gl/VCXPh6

60
Malicious File Upload ++
This is an important and common attack vector in this type of testing
A file upload functions need a lot of protections to be adequately secure.
Attacks:
● Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web
shells or...
● Execute XSS via same types of files. Images as well!
● Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
● Bypass security zones and store malware on target site via file polyglots

62
CSRF
Everyone knows CSRF but the TLDR
here is find sensitive functions and
attempt to CSRF.
Burps CSRF PoC is fast and easy for
this:

63
CSRF
Many sites will have CSRF protection, focus on CSRF bypass!
Common bypasses:
● Remove CSRF token from request
● Remove CSRF token parameter value
● Add bad control chars to CSRF parameter value
● Use a second identical CSRF param
● Change POST to GET
Check this out...

64
CSRF
Debasish Mandal wrote a python tool to automate finding CSRF bypasses called
Burpy.
Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all
functions.
Step 2: Create a template...

66
CSRF
Or focus on pages without the token in Burp:
https://github.
com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d
etect.py

67
CSRF
CSRF Common Critical functions
Add / Upload file Password change
Email change Transfer Money /
Currency
Delete File Profile edit
CSRF N/A functions
Logout CSRF Public Forms
Forms that don’t make any change

68
Privilege, Transport, Logic

69
Privilege
Often logic, priv, auth bugs are blurred.
Testing user priv:
Here is how it should be:
1. admin has power
2. user has few permissions
And we are looking for functions which are
only meant for the admin and are accessible
by user.

70
Privilege
1. Find site functionality that is restricted to certain
user types
2. Try accessing those functions with lesser/other
user roles
3. Try to directly browse to views with sensitive
information as a lesser priv user
Autorize Burp plugin is pretty neat here...
https://github.com/Quitten/Autorize
Common Functions or Views
Add user function
Delete user function
start project / campaign / etc function
change account info (pass, CC, etc) function
customer analytics view
payment processing view
any view with PII

72
Insecure direct object references
IDORs are common place in bounties, and hard
to catch with scanners.
Find any and all UIDs
● increment
● decrement
● negative values
● Attempt to perform sensitive functions
substituting another UID
○ change password
○ forgot password
○ admin only functions

73
Idor’s
Common Functions , Views, or Files
Everything from the CSRF Table, trying cross account attacks
Sub: UIDs, user hashes, or emails
Images that are non-public
Receipts
Private Files (pdfs, ++)
Shipping info & Purchase Orders
Sending / Deleting messages

74
Logic
Logic flaws that are tricky, mostly manual:
● substituting hashed parameters
● step manipulation
● use negatives in quantities
● authentication bypass
● application level DoS
● Timing attacks

76
A simple logic Flaw
An online cute dog contest, the dog with the best average of likes
wins.
1. Anyone can register and take part.
2. Once a dog is registered, people can start liking or disliking
that dog.
3. Everyone dislikes each other’s dogs to win the contest
4. The dog with the best average wins the contest.
5. Registration and votings gets closed 5 minutes before the
results are announced.
What is the Logic Flaw over here?

78
The vulns formerly known as “noise”
● Content Spoofing or HTML injection
● Referer leakage
● security headers
● path disclosure
● clickjacking
● ++

79
Things to take with you…
1. Crowdsourced testing is different enough to pay attention to
2. Crowdsourcing focuses on the 20% because the 80% goes quick
3. Data analysis can yield the most successfully attacked areas
4. A 15 minute web test, done right, could yield a majority of your critical vulns
5. Add polyglots to your toolbelt
6. Use SecLists to power your scanners
7. Remember to periodically refresh your game with the wisdom of other techniques and
other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas

82
Tim Tomes - Recon-ng
Joe Giron - RFI params
Soroush Dalili - File in the Hole preso
Mathias Karlsson - polyglot research
Ashar Javed - polyglot/xss research
Ryan Dewhurst & Wpscan Team
Bitquark - for being a ninja, bsqli string
rotlogix - liffy LFI scanner
Arvind Doraiswamy - HTTPs, CSRF Burp Plugins
Barak Tawily - Autorize burp plugin
the RAFT list authors
Ferruh Mavituna - SVNDigger
Jaime Filson aka wick2o - GitDigger
Robert Hansen aka rsnake - polyglot / xss
Dan Crowley - polyglot research
Daniel Miessler - methodology, slide, and data contributions
My awesome team at Bugcrowd ( Ashley,Grant,Shpend,Fatih, Dan, Sean,Jay, Patrik ++)
Nullcon & All the bug hunting community!!!

Bug Bounty Hunter Methodology - Nullcon 2016

More Related Content

What's hot (20)

Similar to Bug Bounty Hunter Methodology - Nullcon 2016 (20)

More from bugcrowd (19)

Recently uploaded (20)

Bug Bounty Hunter Methodology - Nullcon 2016