SlideShare una empresa de Scribd logo

Ekoparty 2017 - The Bug Hunter's Methodology

bugcrowd
bugcrowd

The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.

Internet
1 de 58
Descargar para leer sin conexión
The Bug Hunter’s Methodology
Let’s talk about goals... - Goal of this talk is to: - Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications - You probably already do a lot of these things... - Cover common vuln classes/types/categories from a high level - Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities - Hopefully everyone can learn at least one new thing from this... - Profit
$whoami - Hi, my name is Grant - Manager of Solutions Architecture at Bugcrowd - Previously an Application Security Engineer - Been around bug bounties a lot - In doing so, seen a lot of bugs, and the ways people find them - ASE, bug hunter, setting up/managing programs - Music on the side
About this workshop - Built off of Jason Haddix’s How To Shot Web talk given at DefCon 23 - Further added to by Jason Haddix’s Bug Hunter’s Methodology V2 talk at Bugcrowd’s LevelUp 2017 online-conference - I’ll be adding a few things of my own… - Consider this sort of a Tools of Titans for bug hunting - Incredible tools built by the community - Standing on the shoulders of giants - As best I can, I’ll give appropriate credit
One step back… bug bounties? - Bug bounties aren’t new, but they are growing - Netscape; growing into new spaces - #equifax - There’s an increasing incentive to find issues in the wild before they’re exploited - Part of a larger space called “crowdsourced security” - Advantages to bug bounties AKA crowdsourced security - Competition #firstToFind - Pay based on findings, and impact - Incentivized to find innovative, unique issues - But really, it’s as simple as… - 2 > 1; 500 > 2; … - More eyes tend to equal more results - Hone skills; have fun; hiring; #cash
Other... - Common guides/methodologies - AKA suggested “light” reading… - Once again, not just limited to bounties/responsible disclosure
Our Journey (we’ve got a long road ahead…) - Discovery - Mapping - Auth/Session - XSS - SQLi - File upload/AFI/LFI - CSRF - IDOR - SSRF - And much, much more!!!
Let’s get down to business #nextSlide
Discovery - Q: what’s the value in discovery? - A: a lot. - Specifically, because we want to find things that are less tested than flagship site (fresher attack surface = easier to find issues = more critical issues = more profit) - Scope - Today we’re going to assume open scope… - Always check scope - Where do we start? - *.tesla.com -- tons of amazing tools to help us here
Using search engines... - Use search engines to do the work for you… - (automated via recon-ng, etc) - Even better: enumall.py - Wrapper around recon-ng - google/bing/baidu/netcraft - Also does brute force - More on this later!
But wait, there’s more! - Sublist3r - Another subdomain finder/scraper - Each tool has its own merits (hits some different search engines) - Why not both? - Enter brutesubs by Anshuman - Sublist3r + enumall.py - + altdns - Some configuration required
On subdomain bruteforcing - A comparison of common subdomain brute forcing tools - using a 1,136,964 line subdomain dictionary - subbrute: errored out - gobuster: 21m15s; found 87 - massdns: 1m24s; found 213 - dns-parallel-prober: 42m2s; found 43 - blacksheepwall: 256m9s; found 61 - Credit: @jhaddix - Takeaway: - Massdns is pretty quick - Best tool for quickly getting a list of subdomains via brute force - Distributes resolvers (not all are reliable though)
That one million line file... - all.txt - Created by @jhaddix - A marriage of virtually every subdomain list ever (bitquark’s research, deep magic, etc) - THE definitive subdomain list - gist.github.com/jhaddix
Now that we have a ton of subdomains... How do we work through them quickly? - Screenshots! - Quickly see what’s on each host - Eyewitness - HTTPScreenshot - Aquatone - Can also do discovery - Relatively new - Only supported in Kali
Let’s not forget about - Mergers and acquisitions - (depending on scope; always check the scope -- ex: Google or Tesla) - Check: - Wikipedia - Crunchbase, etc - And iterate from there... - ASNs - (again, scope) - Reading up on disclosures - May be able to find these same issues on other parts of the app - See trends and ideas for what other people have found
Another discovery tool - Intrigue.io - OSINT framework; simple to integrate - DNS subdomain bruteforce - Web spider - nmap - API; over 45 built in tasks
Don’t forget port scanning - Why? - Ex1: facebook had an open jenkins script console with no auth - Ex2: exposed tomcat or coldfusion admin panels with default creds - And so on... - But what if there’s A LOT to scan… e.g. 65k hosts? - Masscan - 11m4s to scan 65k hosts for top 1000 ports
Github - Search Github for usernames/passwords/keys that developers might have left up. - Happens far more often than you’d think...
Mapping - Directory brute forcing - All about the lists -- and GoBuster - RAFT lists (included in seclists brute force) - Robots disallowed ^ - SVN Digger ^ - Git Digger
On brute forcing directories... After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce past here now]
What about brute forcing parameters? #whynot - parameth - tool with some heuristics to - help discover params - backslash-powered-scanner by portswigger - nice list of 2500 top alexa params
Mapping [2] - Platform identification: - Wapplyzer (chrome) - Extension; shows info on the tech stack for the site (based on headers, etc) - Builtwith (chrome) - ^ - retire.js (command line or Burp) - Notes any outdated libraries - VulnerScanner - github.com/vulnersCom/burp-vulners-scanner - Auxiliary: - If you find they're using a CMS… - WPScan - CMSmap
Remember... - None of this, despite how great these tools are, replaces actually walking and understanding the app.
Vuln discovery Still part of mapping - For reasons we’ve touched on… - (could inform ideas and places to test) - Resources: - xssed.com - reddit xss /r/xss - punkspider - xss.cx - xssposed.org - twitter searching (XSS + Tesla)
Auth and Session - Being quick is important - Many are OOS (username enumeration, etc) - Chaining… - Weak reset passwords (4 chars emailed) + login page brute force = complete account compromise - Session/auth things to think about/look for include: - Session fixation - Insufficient session expiration - No password on account changes (e.g. password) - Most people will ask for current password, but not always on email change - which, if you can control the email, then you can do a regular password reset! - Not expiring reset tokens after email changed, etc
Tactical fuzzing... #nextSlide
XSS - Does the page display something to the users? Is it dynamic? - Polyglot payloads… - Executes in multiple contexts, built-in filter evasion; blanket injection that can save time - You probably already use them... - Some favorites: - #1(from Rsnake’s XSS Cheat Sheet - now the OWASP XSS cheat sheet) - ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
More polyglots - #2 (Ashar Javed XSS Research) (http://slides.com/mscasharjaved/cross-site-scripting-my-love#/) - ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> - #3 (Mathias Karlsson) (http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// - #4 0xSobky’s “Ultimate XSS Polyglot” (https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()// >x3e
Finding XSS - Common places XSS tends to show up... - Customizable themes/profiles - Event meetings/names - URI based (redirect=) - Content imported from a 3rd party - (not sanitizing other data it's using) - File upload names - Uploaded files (swf/HTML) - Custom error messages - (injected page was not found...) - Fake params (foo=">) - JSON responses; check content type (IE only) - Login/forgot password forms - (an email has been sent to...)
SWF XSS - Flashvars - Common ones include: - onload - allowedDomain - movieplayer - xmlPath - ++ - Flashbang - Decompiles and parses the SWF file, and returns possible params to test
Blind XSS - Stored, but XSS that you can’t verify by hand - Some frameworks (because you want to use a framework) - sleepy-puppy (netflix) - Good for campaigns - Xsshunter - Most commonly used (it seems) - Gives back a lot of great info when it fires - Screenshot; cookies; email! - Does require a domain, wildcard SSL cert, mailgun account, and some setup, but is pretty slick when configured - Growing area; but there are questions about in/out of scope - Always check scope
One last resource on XSS - Jackmasa's XSS mindmap - Massive dump of tons of varying contexts and injections
SQL Injection - Does this page look like it might need to call on stored data? - There are some polyglots for SQLi - e.g. SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or"*/ - Mattias on polyglots - check out his pres: (https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - Seclists has a lot of fuzzlists for SQLi - Some observations/thoughts: - Not so much error-based these days; mostly blind - SQLMap is your friend… - Can use SQLMap with -L to parse Burp log files - Common params: - ID values; currency values; sorting params; JSON and XML values; cookie values; custom headers
SQLiPy - SQLiPy - Burp plugin - right click on any request, to send to SQLMap
SQLi DBMS specific resources... mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL Evil SQL Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
File uploads - Malicious file upload - Can we upload and run that content? - Possible attacks - Upload an unexpected file format to achieve code exec (php, jsp, aspx, ++) - Not so likely these days to get full on code execution :( - More likely to be able to upload an html file - leading to xss, etc - Execute XSS ^, also inject on the filename -- images as well → imagejs - Attack the parser to DoS the site or XSS via storing payloads in metadata or file header - XXE (often on pdf uploads, but other places as well) → oxml_xxe tool - Ex: Imagetragick (not XXE, but using file upload to get code exec) - Bypass security zones and store malware on target site via file polyglots - Files that execute in different contexts!
Local File Inclusion #LFI - Does it or can it interact with the server file system? - Tools: - Liffy → github.com/hvqzao/liffy - Seclists fuzzing list → - Common Parameters or Injection points - file= - location= - locale= - path= - display= - load= - read= - retrieve=
Arbitrary File Inclusion {AFI/RFI} - Common Parameters/Injection points - File= - document= - Folder= - root= - Path= - pg= - style= - pdf= - template= - php_path= - doc=
File includes and redirects - Look for any param with another web address in it. - A lot of the same params from LFI can often work here - Common bypasses include: - escape "/" with "/" or “//” with “//” - try single "/" instead of "//" - remove http i.e. "continue=//google.com" - “//” , “|/” , “/%09/” - encode, slashes - ”./” CHANGE TO “..//” - ”../” CHANGE TO “....//” - ”/” CHANGE TO “//”
Redirects - Common params/injection points - Anytime it's pulling from or pointing to a resource - try make it grab something else, or even point it to your own; ex: "redirect_to" giving back internal files /etc/passwd - etc. - dest= - continue= - redirect= - url= (or anything with “url” in it) - uri= (same as above) - window= - next=
CSRF - Burp PoC makes things pretty easy these days - Focus on bypasses - Removing the param - Using old values - Values from other sessions - Modifying the values, etc - Burpy (github.com/debasishm89/burpy) - Helps automate finding CSRF bypasses - Enable site logging in Burp; crawl the site, doing all the actions - Create a template, then run it against your log - Burpy then tries removing tokens, etc, and we can diff responses - Or focus on pages with no token… (github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py) - Keep in mind that it’s not always in the POST body...
CSRF - Common critical functions to check for CSRF - Need CSRF to be on something of value - Add/upload file - Password/email change - Delete file - Profile edit - And so on...
Privilege escalation - Can a given user level do what they otherwise shouldn’t be able to do? - Usually will need accounts of varying privileges - Common places to check - Add/delete/modify user - Change account info - Customer analytics view - - - - - - Things on the backend, where they never would have thought the lower level user would have the knowledge to make that request - A lot of apps just have the ‘vibe’ that they relied on security through obscurity
Autorize - Burp plugin (github.com/Quitten/Autorize) - Helps with privilege testing - Browse app with high priv user; then have it resend all those same requests authenticated as a lower priv user, and see what actions succeed
IDORs (insecure direct object references) - Near impossible to find with scanners - As a result, pretty common on bug bounties! - Can you access or modify something that’s not yours? - When testing… - Find any and all UIDs - Increment AND decrement - Try negative values - Attempt to perform sensitive actions using another user's ID - Change password - Forgot password - Admin only functions - Try not to modify other people's accounts; test only against what you own
IDORs - Other IDOR thoughts... - Try pretty much any sensitive action across accounts - Again, scanners won't really find these things... - We see them a LOT - Can you access without authentication, etc? - Note other UIDs or ways users are identified - hashes, emails, etc - Receipts (what happens if I put one less on my receipt?) - Same concept for files - Shipping/purchase order ids, etc - Messages sent/delete
IDOR example
Transport - Make sure everything is over HTTPS - Examples: - Sensitive images transported over HTTP - Login forms over HTTP - Analytics with session data / PII leaked over HTTP - ForceSSL - Tool that takes https links and tries them over http - github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
Logic - Logic flaws that are tricky, mostly manual: - substituting hashed parameters - step manipulation - use negatives in quantities (can you get money TO your account?) - authentication bypass - application level DoS - (massive parameter values, 999999 pages, etc) - Timing attacks
Server side template injection (SSTI) - Does the site use a templating engine? - A lot of times one can get code exec or file read - TPLmap - Like SQLmap for template injection - Covers a lot of the major templating engines (flask, etc) - Can even give shells! - Reviewing source code, you can see how to do this manually - Lot more manual content online, but worth looking into #notAnExpert
SSRF (Server Side Request Forgery) - Like LFI (same params, etc) - But some other things/ideas for you can do - For instance, possibly hitting internal machines or services that aren't accessible externally e.g. 127.0.0.1:8080/admin, etc - SSRF bible cheat sheet (google doc) - docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/ - Once again, #notAnExpert, but a PoC is usually easy enough to put together, and a clear demonstration of the issue is enough to get paid.
Subdomain Takeover - Going back to discovery… - Sometimes orgs forget about dangling cnames that were once setup for services. - All we have to do is find these pages waiting to be claimed… - Common forgotten services... - heroku - github - tumblr - shopify - squarespace - salesforce - desk - Aws (s3 buckets) - fastly - hubspot - and on and on
Subdomain Takeover - Don’t break ToS; often claiming the domain isn’t necessary - Some tools: - autoSubTakeover - HostileSubBruteforcer - Tko-subs - All do roughly the same thing; matter of preference.
Ok. Some notes... - Always read the scope. It’s important. - VRT - Where are people NOT testing? - APIs - Boring, but often untested - IDORs, etc (but loses XSS, etc) - Mobile apps - Which often boils down to an API - Binary apps - Web/ui testing is again, easier
Dealing with people... - People are temperamental creatures - Remember: - The person on the other side is a person - They have ups/downs - People to report to, etc - Bottom line: follow the golden rule - Treat others as you’d like to be treated - This also applies to reports - Demonstrating impact on a report is huge - They usually have to explain this to - non security people
One more tool... - Hunt! - Burp extension that looks for a lot of the params that we’ve talked about today! - github.com/bugcrowd/HUNT HUNT
Data Driven Assessment - How to test an app in n minutes... - Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings - Scan those specific functions with Burp’s built-in scanner - Check your cookies, log out, check cookies, log in, check cookies. Submit old cookies, see if there’s access. - Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically - Find numeric account identifiers anywhere in URLs and rotate them for context change - Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. - Directory brute for top short list on SecLists - Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
And that’s that. - There was a lot. - Hopefully you learned at least ONE thing - I learned a ton while putting this together! - Would love to talk, get feedback, etc. - @grantmcmusic - linkedin.com/in/grantmccracken

Recomendados

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 

Recomendados

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The WebMichael Coates
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Names and virtual host discovery
Names and virtual host discoveryNames and virtual host discovery
Names and virtual host discoveryjekil
 
Hostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekOWASP Delhi
 

Más contenido relacionado

La actualidad más candente

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The WebMichael Coates
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 

La actualidad más candente (20)

Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 

Destacado

Names and virtual host discovery
Names and virtual host discoveryNames and virtual host discovery
Names and virtual host discoveryjekil
 
Hostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekOWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 
Nexmo Chat App Map
Nexmo Chat App MapNexmo Chat App Map
Nexmo Chat App MapNexmo
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededFrans Rosén
 
The Data Operating System: Changing the Digital Trajectory of Healthcare
The Data Operating System: Changing the Digital Trajectory of HealthcareThe Data Operating System: Changing the Digital Trajectory of Healthcare
The Data Operating System: Changing the Digital Trajectory of HealthcareHealth Catalyst
 

Destacado (6)

Names and virtual host discovery
Names and virtual host discoveryNames and virtual host discovery
Names and virtual host discovery
 
Hostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit PrateekHostile Subdomain Takeover by Ankit Prateek
Hostile Subdomain Takeover by Ankit Prateek
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 
Nexmo Chat App Map
Nexmo Chat App MapNexmo Chat App Map
Nexmo Chat App Map
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
The Data Operating System: Changing the Digital Trajectory of Healthcare
The Data Operating System: Changing the Digital Trajectory of HealthcareThe Data Operating System: Changing the Digital Trajectory of Healthcare
The Data Operating System: Changing the Digital Trajectory of Healthcare
 

Similar a Ekoparty 2017 - The Bug Hunter's Methodology

Semantic technologies in practice - KULeuven 2016
Semantic technologies in practice - KULeuven 2016Semantic technologies in practice - KULeuven 2016
Semantic technologies in practice - KULeuven 2016Aad Versteden
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Thotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail WhaleThotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail WhaleErin Willingham
 
How containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveHow containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveRamon Navarro
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sunsmattoon
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moiblemarkuskobler
 
HAXTheWeb @ Apereo 19
HAXTheWeb @ Apereo 19HAXTheWeb @ Apereo 19
HAXTheWeb @ Apereo 19btopro
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101Ievgenii Katsan
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
MOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxMOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxEnigma58
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 

Similar a Ekoparty 2017 - The Bug Hunter's Methodology (20)

Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014Anatomy of a Drupal Hack - TechKnowFile 2014
Anatomy of a Drupal Hack - TechKnowFile 2014
 
Semantic technologies in practice - KULeuven 2016
Semantic technologies in practice - KULeuven 2016Semantic technologies in practice - KULeuven 2016
Semantic technologies in practice - KULeuven 2016
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Thotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail WhaleThotcon - All aboard the Fail Whale
Thotcon - All aboard the Fail Whale
 
How containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveHow containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go live
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
 
Death of a Themer
Death of a ThemerDeath of a Themer
Death of a Themer
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicago
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
Get Ahead with HTML5 on Moible
Get Ahead with HTML5 on MoibleGet Ahead with HTML5 on Moible
Get Ahead with HTML5 on Moible
 
HAXTheWeb @ Apereo 19
HAXTheWeb @ Apereo 19HAXTheWeb @ Apereo 19
HAXTheWeb @ Apereo 19
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
MOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptxMOBISEC 2018 - 08 - Reverse Engineering.pptx
MOBISEC 2018 - 08 - Reverse Engineering.pptx
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 

Más de bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counselbugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)bugcrowd
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'bugcrowd
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbersbugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Embugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016bugcrowd
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programsbugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVbugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
 

Más de bugcrowd (20)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbers
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Program
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
 

Último

Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Último (11)

Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Ekoparty 2017 - The Bug Hunter's Methodology

  • 2. Let’s talk about goals... - Goal of this talk is to: - Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications - You probably already do a lot of these things... - Cover common vuln classes/types/categories from a high level - Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities - Hopefully everyone can learn at least one new thing from this... - Profit
  • 3. $whoami - Hi, my name is Grant - Manager of Solutions Architecture at Bugcrowd - Previously an Application Security Engineer - Been around bug bounties a lot - In doing so, seen a lot of bugs, and the ways people find them - ASE, bug hunter, setting up/managing programs - Music on the side
  • 4. About this workshop - Built off of Jason Haddix’s How To Shot Web talk given at DefCon 23 - Further added to by Jason Haddix’s Bug Hunter’s Methodology V2 talk at Bugcrowd’s LevelUp 2017 online-conference - I’ll be adding a few things of my own… - Consider this sort of a Tools of Titans for bug hunting - Incredible tools built by the community - Standing on the shoulders of giants - As best I can, I’ll give appropriate credit
  • 5. One step back… bug bounties? - Bug bounties aren’t new, but they are growing - Netscape; growing into new spaces - #equifax - There’s an increasing incentive to find issues in the wild before they’re exploited - Part of a larger space called “crowdsourced security” - Advantages to bug bounties AKA crowdsourced security - Competition #firstToFind - Pay based on findings, and impact - Incentivized to find innovative, unique issues - But really, it’s as simple as… - 2 > 1; 500 > 2; … - More eyes tend to equal more results - Hone skills; have fun; hiring; #cash
  • 6. Other... - Common guides/methodologies - AKA suggested “light” reading… - Once again, not just limited to bounties/responsible disclosure
  • 7. Our Journey (we’ve got a long road ahead…) - Discovery - Mapping - Auth/Session - XSS - SQLi - File upload/AFI/LFI - CSRF - IDOR - SSRF - And much, much more!!!
  • 8. Let’s get down to business #nextSlide
  • 9. Discovery - Q: what’s the value in discovery? - A: a lot. - Specifically, because we want to find things that are less tested than flagship site (fresher attack surface = easier to find issues = more critical issues = more profit) - Scope - Today we’re going to assume open scope… - Always check scope - Where do we start? - *.tesla.com -- tons of amazing tools to help us here
  • 10. Using search engines... - Use search engines to do the work for you… - (automated via recon-ng, etc) - Even better: enumall.py - Wrapper around recon-ng - google/bing/baidu/netcraft - Also does brute force - More on this later!
  • 11. But wait, there’s more! - Sublist3r - Another subdomain finder/scraper - Each tool has its own merits (hits some different search engines) - Why not both? - Enter brutesubs by Anshuman - Sublist3r + enumall.py - + altdns - Some configuration required
  • 12. On subdomain bruteforcing - A comparison of common subdomain brute forcing tools - using a 1,136,964 line subdomain dictionary - subbrute: errored out - gobuster: 21m15s; found 87 - massdns: 1m24s; found 213 - dns-parallel-prober: 42m2s; found 43 - blacksheepwall: 256m9s; found 61 - Credit: @jhaddix - Takeaway: - Massdns is pretty quick - Best tool for quickly getting a list of subdomains via brute force - Distributes resolvers (not all are reliable though)
  • 13. That one million line file... - all.txt - Created by @jhaddix - A marriage of virtually every subdomain list ever (bitquark’s research, deep magic, etc) - THE definitive subdomain list - gist.github.com/jhaddix
  • 14. Now that we have a ton of subdomains... How do we work through them quickly? - Screenshots! - Quickly see what’s on each host - Eyewitness - HTTPScreenshot - Aquatone - Can also do discovery - Relatively new - Only supported in Kali
  • 15. Let’s not forget about - Mergers and acquisitions - (depending on scope; always check the scope -- ex: Google or Tesla) - Check: - Wikipedia - Crunchbase, etc - And iterate from there... - ASNs - (again, scope) - Reading up on disclosures - May be able to find these same issues on other parts of the app - See trends and ideas for what other people have found
  • 16. Another discovery tool - Intrigue.io - OSINT framework; simple to integrate - DNS subdomain bruteforce - Web spider - nmap - API; over 45 built in tasks
  • 17. Don’t forget port scanning - Why? - Ex1: facebook had an open jenkins script console with no auth - Ex2: exposed tomcat or coldfusion admin panels with default creds - And so on... - But what if there’s A LOT to scan… e.g. 65k hosts? - Masscan - 11m4s to scan 65k hosts for top 1000 ports
  • 18. Github - Search Github for usernames/passwords/keys that developers might have left up. - Happens far more often than you’d think...
  • 19. Mapping - Directory brute forcing - All about the lists -- and GoBuster - RAFT lists (included in seclists brute force) - Robots disallowed ^ - SVN Digger ^ - Git Digger
  • 20. On brute forcing directories... After bruteforcing look for other status codes indicating you are denied or require auth then append list there to test for misconfigured access control. Example: GET http://www.acme.com - 200 GET http://www.acme.com/backlog/ - 404 GET http://www.acme.com/controlpanel/ - 401 hmm.. ok GET http://www.acme.com/controlpanel/[bruteforce past here now]
  • 21. What about brute forcing parameters? #whynot - parameth - tool with some heuristics to - help discover params - backslash-powered-scanner by portswigger - nice list of 2500 top alexa params
  • 22. Mapping [2] - Platform identification: - Wapplyzer (chrome) - Extension; shows info on the tech stack for the site (based on headers, etc) - Builtwith (chrome) - ^ - retire.js (command line or Burp) - Notes any outdated libraries - VulnerScanner - github.com/vulnersCom/burp-vulners-scanner - Auxiliary: - If you find they're using a CMS… - WPScan - CMSmap
  • 23. Remember... - None of this, despite how great these tools are, replaces actually walking and understanding the app.
  • 24. Vuln discovery Still part of mapping - For reasons we’ve touched on… - (could inform ideas and places to test) - Resources: - xssed.com - reddit xss /r/xss - punkspider - xss.cx - xssposed.org - twitter searching (XSS + Tesla)
  • 25. Auth and Session - Being quick is important - Many are OOS (username enumeration, etc) - Chaining… - Weak reset passwords (4 chars emailed) + login page brute force = complete account compromise - Session/auth things to think about/look for include: - Session fixation - Insufficient session expiration - No password on account changes (e.g. password) - Most people will ask for current password, but not always on email change - which, if you can control the email, then you can do a regular password reset! - Not expiring reset tokens after email changed, etc
  • 27. XSS - Does the page display something to the users? Is it dynamic? - Polyglot payloads… - Executes in multiple contexts, built-in filter evasion; blanket injection that can save time - You probably already use them... - Some favorites: - #1(from Rsnake’s XSS Cheat Sheet - now the OWASP XSS cheat sheet) - ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
  • 28. More polyglots - #2 (Ashar Javed XSS Research) (http://slides.com/mscasharjaved/cross-site-scripting-my-love#/) - ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext></|><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> - #3 (Mathias Karlsson) (http://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// - #4 0xSobky’s “Ultimate XSS Polyglot” (https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) - jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()// >x3e
  • 29. Finding XSS - Common places XSS tends to show up... - Customizable themes/profiles - Event meetings/names - URI based (redirect=) - Content imported from a 3rd party - (not sanitizing other data it's using) - File upload names - Uploaded files (swf/HTML) - Custom error messages - (injected page was not found...) - Fake params (foo=">) - JSON responses; check content type (IE only) - Login/forgot password forms - (an email has been sent to...)
  • 30. SWF XSS - Flashvars - Common ones include: - onload - allowedDomain - movieplayer - xmlPath - ++ - Flashbang - Decompiles and parses the SWF file, and returns possible params to test
  • 31. Blind XSS - Stored, but XSS that you can’t verify by hand - Some frameworks (because you want to use a framework) - sleepy-puppy (netflix) - Good for campaigns - Xsshunter - Most commonly used (it seems) - Gives back a lot of great info when it fires - Screenshot; cookies; email! - Does require a domain, wildcard SSL cert, mailgun account, and some setup, but is pretty slick when configured - Growing area; but there are questions about in/out of scope - Always check scope
  • 32. One last resource on XSS - Jackmasa's XSS mindmap - Massive dump of tons of varying contexts and injections
  • 33. SQL Injection - Does this page look like it might need to call on stored data? - There are some polyglots for SQLi - e.g. SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or"*/ - Mattias on polyglots - check out his pres: (https://www.slideshare.net/MathiasKarlsson2/polyglot-payloads-in-practice-by-avlidienbrunn-at-hackpra) - Seclists has a lot of fuzzlists for SQLi - Some observations/thoughts: - Not so much error-based these days; mostly blind - SQLMap is your friend… - Can use SQLMap with -L to parse Burp log files - Common params: - ID values; currency values; sorting params; JSON and XML values; cookie values; custom headers
  • 34. SQLiPy - SQLiPy - Burp plugin - right click on any request, to send to SQLMap
  • 35. SQLi DBMS specific resources... mySQL PentestMonkey's mySQL injection cheat sheet Reiners mySQL injection Filter Evasion Cheatsheet MSSQL Evil SQL Error/Union/Blind MSSQL Cheatsheet PentestMonkey's MSSQL SQLi injection Cheat Sheet ORACLE PentestMonkey's Oracle SQLi Cheatsheet POSTGRESQL PentestMonkey's Postgres SQLi Cheatsheet Others Access SQLi Cheatsheet PentestMonkey's Ingres SQL Injection Cheat Sheet pentestmonkey's DB2 SQL Injection Cheat Sheet pentestmonkey's Informix SQL Injection Cheat Sheet SQLite3 Injection Cheat sheet Ruby on Rails (Active Record) SQL Injection Guide
  • 36. File uploads - Malicious file upload - Can we upload and run that content? - Possible attacks - Upload an unexpected file format to achieve code exec (php, jsp, aspx, ++) - Not so likely these days to get full on code execution :( - More likely to be able to upload an html file - leading to xss, etc - Execute XSS ^, also inject on the filename -- images as well → imagejs - Attack the parser to DoS the site or XSS via storing payloads in metadata or file header - XXE (often on pdf uploads, but other places as well) → oxml_xxe tool - Ex: Imagetragick (not XXE, but using file upload to get code exec) - Bypass security zones and store malware on target site via file polyglots - Files that execute in different contexts!
  • 37. Local File Inclusion #LFI - Does it or can it interact with the server file system? - Tools: - Liffy → github.com/hvqzao/liffy - Seclists fuzzing list → - Common Parameters or Injection points - file= - location= - locale= - path= - display= - load= - read= - retrieve=
  • 38. Arbitrary File Inclusion {AFI/RFI} - Common Parameters/Injection points - File= - document= - Folder= - root= - Path= - pg= - style= - pdf= - template= - php_path= - doc=
  • 39. File includes and redirects - Look for any param with another web address in it. - A lot of the same params from LFI can often work here - Common bypasses include: - escape "/" with "/" or “//” with “//” - try single "/" instead of "//" - remove http i.e. "continue=//google.com" - “//” , “|/” , “/%09/” - encode, slashes - ”./” CHANGE TO “..//” - ”../” CHANGE TO “....//” - ”/” CHANGE TO “//”
  • 40. Redirects - Common params/injection points - Anytime it's pulling from or pointing to a resource - try make it grab something else, or even point it to your own; ex: "redirect_to" giving back internal files /etc/passwd - etc. - dest= - continue= - redirect= - url= (or anything with “url” in it) - uri= (same as above) - window= - next=
  • 41. CSRF - Burp PoC makes things pretty easy these days - Focus on bypasses - Removing the param - Using old values - Values from other sessions - Modifying the values, etc - Burpy (github.com/debasishm89/burpy) - Helps automate finding CSRF bypasses - Enable site logging in Burp; crawl the site, doing all the actions - Create a template, then run it against your log - Burpy then tries removing tokens, etc, and we can diff responses - Or focus on pages with no token… (github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py) - Keep in mind that it’s not always in the POST body...
  • 42. CSRF - Common critical functions to check for CSRF - Need CSRF to be on something of value - Add/upload file - Password/email change - Delete file - Profile edit - And so on...
  • 43. Privilege escalation - Can a given user level do what they otherwise shouldn’t be able to do? - Usually will need accounts of varying privileges - Common places to check - Add/delete/modify user - Change account info - Customer analytics view - - - - - - Things on the backend, where they never would have thought the lower level user would have the knowledge to make that request - A lot of apps just have the ‘vibe’ that they relied on security through obscurity
  • 44. Autorize - Burp plugin (github.com/Quitten/Autorize) - Helps with privilege testing - Browse app with high priv user; then have it resend all those same requests authenticated as a lower priv user, and see what actions succeed
  • 45. IDORs (insecure direct object references) - Near impossible to find with scanners - As a result, pretty common on bug bounties! - Can you access or modify something that’s not yours? - When testing… - Find any and all UIDs - Increment AND decrement - Try negative values - Attempt to perform sensitive actions using another user's ID - Change password - Forgot password - Admin only functions - Try not to modify other people's accounts; test only against what you own
  • 46. IDORs - Other IDOR thoughts... - Try pretty much any sensitive action across accounts - Again, scanners won't really find these things... - We see them a LOT - Can you access without authentication, etc? - Note other UIDs or ways users are identified - hashes, emails, etc - Receipts (what happens if I put one less on my receipt?) - Same concept for files - Shipping/purchase order ids, etc - Messages sent/delete
  • 48. Transport - Make sure everything is over HTTPS - Examples: - Sensitive images transported over HTTP - Login forms over HTTP - Analytics with session data / PII leaked over HTTP - ForceSSL - Tool that takes https links and tries them over http - github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
  • 49. Logic - Logic flaws that are tricky, mostly manual: - substituting hashed parameters - step manipulation - use negatives in quantities (can you get money TO your account?) - authentication bypass - application level DoS - (massive parameter values, 999999 pages, etc) - Timing attacks
  • 50. Server side template injection (SSTI) - Does the site use a templating engine? - A lot of times one can get code exec or file read - TPLmap - Like SQLmap for template injection - Covers a lot of the major templating engines (flask, etc) - Can even give shells! - Reviewing source code, you can see how to do this manually - Lot more manual content online, but worth looking into #notAnExpert
  • 51. SSRF (Server Side Request Forgery) - Like LFI (same params, etc) - But some other things/ideas for you can do - For instance, possibly hitting internal machines or services that aren't accessible externally e.g. 127.0.0.1:8080/admin, etc - SSRF bible cheat sheet (google doc) - docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/ - Once again, #notAnExpert, but a PoC is usually easy enough to put together, and a clear demonstration of the issue is enough to get paid.
  • 52. Subdomain Takeover - Going back to discovery… - Sometimes orgs forget about dangling cnames that were once setup for services. - All we have to do is find these pages waiting to be claimed… - Common forgotten services... - heroku - github - tumblr - shopify - squarespace - salesforce - desk - Aws (s3 buckets) - fastly - hubspot - and on and on
  • 53. Subdomain Takeover - Don’t break ToS; often claiming the domain isn’t necessary - Some tools: - autoSubTakeover - HostileSubBruteforcer - Tko-subs - All do roughly the same thing; matter of preference.
  • 54. Ok. Some notes... - Always read the scope. It’s important. - VRT - Where are people NOT testing? - APIs - Boring, but often untested - IDORs, etc (but loses XSS, etc) - Mobile apps - Which often boils down to an API - Binary apps - Web/ui testing is again, easier
  • 55. Dealing with people... - People are temperamental creatures - Remember: - The person on the other side is a person - They have ups/downs - People to report to, etc - Bottom line: follow the golden rule - Treat others as you’d like to be treated - This also applies to reports - Demonstrating impact on a report is huge - They usually have to explain this to - non security people
  • 56. One more tool... - Hunt! - Burp extension that looks for a lot of the params that we’ve talked about today! - github.com/bugcrowd/HUNT HUNT
  • 57. Data Driven Assessment - How to test an app in n minutes... - Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings - Scan those specific functions with Burp’s built-in scanner - Check your cookies, log out, check cookies, log in, check cookies. Submit old cookies, see if there’s access. - Do a reset and see if; the password comes plaintext, uses a URL based token, is predictable, can be used multiple times, or logs you in automatically - Find numeric account identifiers anywhere in URLs and rotate them for context change - Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (idors), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP. - Directory brute for top short list on SecLists - Check upload functions for alternate file types that can execute code (xss or php/etc/etc)
  • 58. And that’s that. - There was a lot. - Hopefully you learned at least ONE thing - I learned a ton while putting this together! - Would love to talk, get feedback, etc. - @grantmcmusic - linkedin.com/in/grantmccracken