HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs
Kymberlee Price
Senior Director of Researcher Operations, Bugcrowd (@Kym_Possible)
Kymberlee Price's presentation from Black Hat 2015. In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.

  1. HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs
     Kymberlee Price, Senior Director of Researcher Operations, Bugcrowd (@Kym_Possible)
  2. whoami?
     • Senior Director of a Red Team
     • PSIRT Case Manager
     • Data Analyst
     • Internet Crime Investigator
     • Behavioral Psychologist
     @kym_possible
  3. Agenda
     • Intro
     • Red
     • Blue
     • tl;dr
     • Questions
  4. What this talk isn’t
     • Determining if a bug bounty program is appropriate for your company
     • Selling you a bug bounty program
     • Recruiting you to be a bounty hunter
  5. C:intro
  6. VRP 2014 (chart) – https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
  7. VRP 2014 (chart) – https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
  8. VRP 2014 (charts: Payouts; Bugs found per active researcher) – https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
  9. VRP 2014 (chart) – https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
  10. 2014
     Submissions:
     • 17,011 submissions – 16% increase YoY
     • 61 high severity bugs – 49% increase YoY
     • Minimum reward: $500
     Geography:
     • 65 countries received rewards – 12% increase YoY
     • 123 countries reporting bugs
     https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524
  11. 2014
     Payouts:
     • $1.3 million to 321 researchers
     • Average reward: $1,788
     Top 5 Countries (valid bugs, average reward, total paid):
     • India – 196 valid bugs, $1,343 average, $263,228 total
     • Egypt – 81 valid bugs, $1,220 average, $98,820 total
     • USA – 61 valid bugs, $2,470 average, $150,670 total
     • UK – 28 valid bugs, $2,768 average, $77,504 total
     • Philippines – 27 valid bugs, $1,093 average, $29,511 total
     • Top 5 countries combined: $619,733
     The top 5 researchers earned a total of $256,750
  12. 2014
     • 73 vulnerabilities identified and fixed
     • 1,920 submissions
     • 33 researchers earned $50,100 for 57 bugs
     • Minimum reward: $200
     • Doubled maximum bounty payout to celebrate
     https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
  13. 2014 (chart) – https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
  14. Online Services: O365 and Azure
     • 46 rewarded submissions since launch in late Sept 2014
     • Reward amounts to each researcher not published
     • Program offers minimum $500 up to $15,000
     Mitigation Bypass
     • Up to $100,000 for novel exploitation techniques against protections built into the OS
     Bounty for Defense
     • Up to $100,000 for defensive ideas accompanying a qualifying Mitigation Bypass submission
     https://technet.microsoft.com/en-us/security/dn469163.aspx
  15. Software Bounties / Online Services (charts)
  16. Researchers – Online Services (by region): India 41%, Europe 25%, Asia (excluding India) 15%, Middle East 8%, North America 8%, Latin America 3%
     Researchers – Software (by region): North America 31%, Asia (excluding India) 29%, Europe 21%, India 8%, Africa 5%, Oceania 3%, Latin America 3%
  17. https://technet.microsoft.com/en-us/security/dn469163.aspx
  18. 2013-present
     • 166 Customer programs
     • 37,227 submissions
       – 7,958 non-duplicate, valid vulnerabilities
       – Rewarded 3,621 submissions
     • $724,839 paid out
       – Average reward $200.81, top reward of $10,000
     http://bgcd.co/bcsbb2015
  19. 2013-present
     Big Bugs:
     • 4.39 high- or critical-priority vulnerabilities per program
     • Total: 729 high-priority vulnerabilities
       – 175 rated “critical” by trained application security engineers
     http://bgcd.co/bcsbb2015
  20. P1 and P2 Defined
     • P1 – CRITICAL: vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples: vertical authentication bypass, SSRF, XXE, SQL injection, user authentication bypass
     • P2 – SEVERE: vulnerabilities that affect the security of the platform including the processes it supports. Examples: lateral authentication bypass, stored XSS, some CSRF depending on impact
     https://blog.bugcrowd.com/vulnerability-prioritization-at-bugcrowd/
  21. Who finds these bugs?
     • Professional pen testers and consultants
     • Former developers, QA engineers, and IT admins that have shifted focus into application security
     • University students that have self-taught security skills
     • Bugcrowd has over 18,000 researchers signed up in 147 countries worldwide
     http://bgcd.co/bcsbb2015
  22. C:red
  23–24. Google Toolbar XXE
     • XXE in production exploited using Google Toolbar button gallery
     • Reported in April 2014
     • Fredrik Almroth and Mathias Karlsson
     • Google responded to the report within 20 minutes
  25. Facebook XXE
     • Reginaldo Silva reported an XML external entity vulnerability within a PHP page that would have allowed a hacker to change Facebook's use of Gmail as an OpenID provider to a hacker-controlled URL, before servicing requests with malicious XML code.
     • http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
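Both XXE cases above (slides 23–25) share one root cause: an XML parser on a production endpoint was allowed to act on a DTD supplied by the sender. The block below is an added example, not code from the talk or from any of the programs it describes, showing the defensive counterpart: a parser for untrusted XML (such as the OpenID discovery document the Facebook case involved) that refuses any DOCTYPE, entity declaration or external entity reference before expat can act on it. It uses only Python's standard-library expat binding; the sample documents and the `file:///placeholder/...` URL are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML tries to use a DTD feature this parser refuses."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted party with every DTD-driven feature refused.

    Returns a flat list of (tag, text) pairs in document order of end tags.
    """
    parser = xml.parsers.expat.ParserCreate()

    # Hardening: a DOCTYPE or entity declaration aborts the parse before expat
    # processes it, and an external entity reference is reported as failed
    # rather than fetched. This is the same stance defusedxml's forbid_dtd /
    # forbid_entities options take.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration %r is not accepted" % name)

    def reject_external_ref(context, base, sysid, pubid):
        # Returning 0 tells expat the reference failed; nothing is read.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    elements = []   # completed (tag, text) pairs
    stack = []      # open elements: [tag, list of text chunks]

    def start(tag, attrs):
        stack.append([tag, []])

    def chars(text):
        # expat may deliver character data in several chunks; collect them all.
        if stack:
            stack[-1][1].append(text)

    def end(tag):
        name, parts = stack.pop()
        elements.append((name, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError("malformed or rejected XML: %s" % exc) from None
    return elements


# Constructed samples (not taken from the talk): a benign OpenID-style
# discovery document and one carrying an external entity declaration.
BENIGN_XML = b"<openid><endpoint>https://idp.example.invalid/openid</endpoint></openid>"
XXE_XML = (
    b'<!DOCTYPE openid [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
    b"<openid><endpoint>&ext;</endpoint></openid>"
)


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document outright."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    print("XXE sample rejected:", is_rejected(XXE_XML))
```

Rejecting every DOCTYPE is deliberately stricter than "just disable external entities": it also stops internal-entity expansion attacks and leaves nothing for a future parser upgrade to silently re-enable. If a legitimate integration really needs a DTD, the check to relax is `reject_doctype`, never `reject_external_ref`.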
  26. Facebook photo album deletion
     • Laxman Muthiyah identified a way for a malicious user to delete any photo album owned by a user, page, or group on Facebook. He found this vulnerability when he tried to delete one of his own photo albums using the Graph Explorer access token.
     • http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html
  27. Cross-domain Information Disclosure
  28. Smartsheet
     • Clifford’s first private bounty invitation
     • Launched at midnight in PH
     • Found an IDOR → elevation of privilege
  29. Smartsheet
     • Bug in “import user” feature
     • No check whether the user who is requesting the import has the right privilege
  30. https://www.cliffordtrigo.info/hijacking-smartsheet-accounts/
  31. Tesla
     • IDOR → elevation of privilege
     1) Log in to https://service.teslamotors.com/
     2) Navigate to https://service.teslamotors.com/admin/bulletins
     3) Now you are admin: you can delete, modify and publish documents
  32. http://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authentication.html
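Slides 29 and 31 describe the same defect in two products: a privileged operation (importing users into an account, reaching an admin page) was gated only by what the UI chose to show, with no server-side check that the requester actually held the privilege. The following block is an added example, not code from the talk or from either vendor, that puts the missing-check version beside its hardened form for both operations. The route paths, account names, users and the audit-log format are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    account: str   # the tenant/workspace the user belongs to
    role: str      # "member" or "admin"


# Constructed route table (hypothetical paths): the role each path requires.
ROUTE_ROLES = {
    "/bulletins": "member",
    "/admin/bulletins": "admin",
}
ROLE_RANK = {"member": 0, "admin": 1}

# One line per denied request, so "review all logs" is possible after the fact.
AUDIT_LOG = []


def dispatch_vulnerable(user: User, path: str):
    """Security by menu: members never see the admin link, but the server never
    checks who is asking, so anyone who types the URL is served as admin."""
    if path not in ROUTE_ROLES:
        return 404, "not found"
    return 200, f"{path} served to {user.name}"


def dispatch(user: User, path: str):
    """Hardened: the route's required role is enforced on every request."""
    required = ROUTE_ROLES.get(path)
    if required is None:
        return 404, "not found"
    if ROLE_RANK[user.role] < ROLE_RANK[required]:
        AUDIT_LOG.append(f"DENY user={user.name} role={user.role} path={path}")
        return 403, "forbidden"
    return 200, f"{path} served to {user.name}"


def import_users_vulnerable(actor: User, target_account: str, names):
    """The 'import user' bug: the handler trusts the account id in the request
    and never asks whether the actor is allowed to administer that account."""
    return [User(n, target_account, "member") for n in names]


def import_users(actor: User, target_account: str, names):
    """Hardened: the actor must be an admin of the account the import targets,
    checked against the server's own record of the actor, not the request."""
    if actor.role != "admin" or actor.account != target_account:
        AUDIT_LOG.append(
            f"DENY user={actor.name} role={actor.role} action=import target={target_account}"
        )
        raise PermissionError("actor may not import users into this account")
    return [User(n, target_account, "member") for n in names]


if __name__ == "__main__":
    member = User("mallory", "acme", "member")
    print("vulnerable:", dispatch_vulnerable(member, "/admin/bulletins"))
    print("hardened:  ", dispatch(member, "/admin/bulletins"))
    try:
        import_users(member, "other-corp", ["eve"])
    except PermissionError as exc:
        print("hardened import:", exc)
    print("\n".join(AUDIT_LOG))
```

The design point is that the authorization decision is keyed on the route (or the target account) and on the server's own record of the caller, so a new admin route cannot be added without choosing a role for it, and the denied attempts leave the log lines that slide 39's customer wished they could grep for.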
  33. C:blue
  34. Rapid triage & prioritization (get to the P1’s faster)
     • Submission framework & expectations
     • Eloquence of written communication
     • Clear in and out of scope documentation
  35–36. How to reduce noise
     • Guidance and training
       – Google: Bughunter University
       – Facebook: Bounty Hunter’s Guide
       – Bugcrowd: Bugcrowd Forum
     • Clear in and out of scope documentation
     • Direct Performance Feedback
  37. Rapid triage & prioritization
     • Clear the queue daily
     • Communicate your priorities
     • Dealing with Duplicates
  38. Rapid triage & prioritization
     • Defined vulnerability taxonomy
  39. Is it worth the hassle?
     “In Mortal Combat terms, it is a ‘Fatality’”
     “If we get nothing else from the bounty, this vuln was worth the whole program alone. Due to the critical nature of the issue, we immediately patched the Prod servers this evening to close this exploit. We are also reviewing all logs since we don't delete them yet to identify any instance where this ever happened in the past.”
  40. How to reduce noise
     • Publish and stick to your program SLA
     • Stop rewarding bad behavior
     • Don’t create bad behavior
       – Reward consistently
       – Reward fairly
       – Fix quickly
       – Again with the documentation
  41. C:tl;dr
  42. Conclusions
     • Bug bounties successfully generate high severity vulnerability disclosures, delivering real value that improves application security for companies of all sizes.
     • Crowdsourcing engages skilled researchers around the world that you may not have heard of.
  43. Call to action
     • Write strong scope documentation
     • Clear submission expectations
     • Provide feedback
     • Stay consistently engaged
     • Reward good behavior
  44. HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs
     Kymberlee Price, Senior Director of Researcher Operations, Bugcrowd (@Kym_Possible)
amankhan127201, Feb. 6, 2017