The 7 Things I Know About Cyber Security After 25 Years | April 2024
Live Hacking Methodology and Strategies
1.
2. Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén – @fransrosen
3. Frans Rosén – @fransrosen
Frans Rosén @fransrosen
Security Advisor at Detectify
#6 on HackerOne leaderboard/all-time
Blogs at labs.detectify.com
4. Frans Rosén @fransrosen
H1-702 2017: Winner of MVH in Vegas! (Uber, Salesforce, Zenefits)
H1-514 2018: Winner of MVH in Montreal! (Shopify)
H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath)
H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath)
H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath)
H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber)
H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath)
H1-202 2018: Winner Best bug in Washington (Mapbox)
H1-3120 2018: Winner Best bug in Amsterdam (Dropbox)
H1-514 2018: Winner Highest reputation in Montreal (Shopify)
7. 30 second elevator pitch
• A "hacker-meets-dev face-to-face" bug bounty with special targets
• First run by HackerOne in 2016 in Vegas
• More companies run these nowadays: H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own as well
8. (Unofficial first event in 2015)
Justin Calmus, then CSO at Zenefits, and I drinking Old Fashioneds in Vegas
"We should bring some hackers together and hack"
10. (Unofficial first event in 2015)
The night after, 7 hackers in a suite at the MGM
11. $101,000 paid that night!
I went home with $51,000 after 7 hours of hacking
14. 1. Hackers get an intro and a walkthrough
• Hangout, slides, presented by the company itself
• Ability to ask questions
2. Often a bigger scope
• Often *.company.com, *.company.dev, infrastructure, IPs
• Open source repos by the company
• Enterprise access to products
• One time even social engineering (!)
16. 3. Hackers get some time to do recon
• This is a VERY important part
• One time only 48 hours. Hard!
• Slack instance with the company!
4. Some allow pre-submissions
• Awesome! Less pressure on the final day
• Faster payouts on event day
17. 5. Arriving at the event, meeting the company
• At HQ or at a hacking event (Defcon, Black Hat, Nullcon etc.)
• Discussions here == PRICELESS!!
• Valid bugs because I could discuss with the company:
- This domain, what does it do?
- Is this app supposed to work like this?
- I noticed this weird behaviour, I think I can do this, what do you think?
18. 6. Day of the event. Wake up early, shower and HACK
• If no pre-submissions, get reports in!
• Hacking day is special: sit in teams, collaborate (!)
• Found many bugs on the actual day!
19. Some events without pre-submissions award "first X valid bugs"
21. github.com/fransr/bountyplz
25. github.com/fransr/bountyplz
Upcoming version, batch mode
• 24 reports sent in 4 seconds
26. 7. Show & Tell
• Best part of the event
• Customer picks bugs to be presented
• Amazing! Other hackers' bugs in a cool micro-talk style (5 min max)
28. Strategy/Methodology
The most interesting part. How to approach targets?
This is my experience; others might do it differently!
29. Good overview of scope
Make sure you have/know:
• credentials needed
• what domains are included, subdomains/acquisitions
• what NOT to focus on (out of scope)
• upgrades to enterprise accounts if promised
31. Teaming!
Seriously, this is EXTREMELY VALUABLE
I've made more money hacking as a team
33. Teaming!
Team up with someone who:
• puts in "similar" effort to you
• might know stuff you don't
• helps you cover more target surface
• you can communicate and brainstorm with
Keep the team small, 2-4.
If 3 or more, effort will differ; allow splitting the payout differently
For 2 people, 50% each is always the simplest.
36. High threshold or labour intensive testing
• Best bugs!
Example: trying all integrations from a list of 80.
Read the docs on how each one worked
Found a $20k bug due to one (1!!!) faulty implementation!
38. How the SDK talks with the API
• Desktop client
• Web (API paths in JS files)
• PHP/Java/Golang SDKs
• npm/composer/yarn
Legacy versions of APIs?
• Older versions still working?
• Are there docs? Web archive?
40. Integrations with 3rd parties (!)
• Have integrations? (Slack, Trello, Zapier etc.)
• Allow integrations? (OAuth etc.)
• Public repos with examples?
Company's Github repos
• What software they use (forks)
• Synced with the original repo? (If not: vulns by diffing versions?)
42. Github
• Internal domains? Search in Gists, Github, Google
• "Internal indicators", search everywhere
• Domains/AWS/GCP tools in the org: "org:xxx amazonaws" etc.
• Any users in the organization?
• Extract contributors from repos
• Company name in users' repos: "user:xxx company-name"
• Search Github Issues, funky stuff by accident!
• Non-forked repos in the organization
‣ Package dependencies maintained by employees?
‣ Still hired by the company? If not, that's bad
44. Whitebox testing on the company's FOSS
• Bugs there might mean bugs in prod!
• Might mean the company made other companies vulnerable
(really bad PR for the company)
LEGACY
• Content from the web archive: read old documentation (!!!)
• URLs from the web archive's CDX API, Common Crawl etc.
• Test all URLs. Distinguish by status code / bytes received (Wfuzz)
• Anything interesting? Filter file types, deduplicate
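As an added example (my own sketch, not the author's tooling), the LEGACY workflow above in Python: parse the web archive's CDX output, filter noisy file types and deduplicate, then bucket re-test results by status code and size the way Wfuzz filters would. The CDX rows and re-test results are constructed, and example.com is a placeholder.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what the Wayback CDX API returns for output=json:
# a header row, then one row per capture. The values are made up.
SAMPLE_CDX = json.dumps([
    ["original", "statuscode", "mimetype"],
    ["http://example.com/api/v1/users?id=1", "200", "application/json"],
    ["http://example.com/api/v1/users?id=2", "200", "application/json"],
    ["http://example.com/docs/old-api.html", "200", "text/html"],
    ["http://example.com/static/app.js", "200", "application/javascript"],
    ["http://example.com/static/logo.png", "200", "image/png"],
    ["http://example.com/admin/", "302", "text/html"],
    ["https://example.com/admin/", "302", "text/html"],
])
NOISE = {".png", ".jpg", ".gif", ".css", ".woff", ".ico"}

def cdx_query_url(domain):
    """Query URL for the archive's CDX API (url, output, fl and collapse are
    real parameters); fetching it is left to the caller so this stays offline."""
    return ("https://web.archive.org/cdx/search/cdx?url=%s/*&output=json"
            "&fl=original,statuscode,mimetype&collapse=urlkey" % domain)

def archived_paths(cdx_json):
    """Drop noisy file types and deduplicate by host+path, so /users?id=1 and
    ?id=2 (and http vs https) collapse into one URL worth re-testing."""
    seen = {}
    for original, status, mimetype in json.loads(cdx_json)[1:]:  # skip header row
        parts = urlsplit(original)
        if any(parts.path.lower().endswith(ext) for ext in NOISE):
            continue
        seen.setdefault(parts.netloc + parts.path,
                        (original.split("?")[0], status, mimetype))
    return sorted(seen.values())

# Constructed results of re-testing old URLs: (path, live status, body bytes).
RETEST = [("/docs/old-api.html", 200, 4120), ("/api/v1/users", 200, 53),
          ("/admin/", 302, 0), ("/foo", 404, 1290), ("/bar", 404, 1290),
          ("/baz", 404, 1290)]

def outliers(results):
    """Bucket by (status, size) the way Wfuzz filters do; a bucket holding a
    single path is the one that behaves differently and deserves a look."""
    buckets = defaultdict(list)
    for path, status, size in results:
        buckets[(status, size)].append(path)
    return sorted(p for paths in buckets.values() if len(paths) == 1 for p in paths)
```

The same two passes work for a defender building an inventory of forgotten endpoints on their own domains.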
46. Regular recon
There is soooo much here we can't cover it all. These are general things:
• DNS: Subbrute, sublist3r etc. So many tools!
‣ Customized subbrute with 3rd party data
‣ Generate a DNS wordlist based on findings
• Existing routes from JS files, Burp history
• postMessage-tracker (logs all listener functions)
• Wfuzz the target (VPN with switchable IP if blocked)
Best protip:
Focus on BORING/HARD STUFF, other hackers won't
47. Notes
While you hack: KISS!
• Dir for the target, TXT file always open
• Comments (snippets / indicators / URLs)
• Super helpful for chaining bugs!
- If there's an open redirect, we can make a chain
• Test code, SDKs, screenshots in the dir
• Valid vulns in one place, separate from "interesting behaviour"
48. Notes
• At the event, team up and share "interesting behaviour" things
• Burp history is golden, save it! Search a lot!
Found bugs by searching:
49. SSRF-testing server
• ONLY reachable from the internal network (both IPv4/IPv6)
• Virtual host / Kubernetes node is bad, due to the requirement of a Host header.
Not all SSRFs send a proper Host header
(HTTP/1.0, binding an external DNS host to an internal IP etc.)
• Different files, depending on the SSRF:
MP3, ICS, XML, TXT, HTML, PNG, JPG, SVG etc.
• Shows whether internal hosts can be reached without scanning the internal network.
One company had flags in files; simple to prove you could access them.
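As an added example (my own code, not the author's tool), a minimal Python listener for the server the slide describes: it serves a canned body per file type and logs, per request, whether a Host header was sent at all, which is exactly what a Host-dependent vhost or Kubernetes ingress would miss. Port 8080 and the canned bodies are assumptions; the same per-request record is what you would want from an internal canary host when hunting for SSRF traffic in your own network.

```python
import json
import socket
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# One canned body per file type the slide lists; which type a vulnerable parser
# fetches hints at the component behind it (feed, calendar, image resizer, ...).
CANNED = {
    ".txt": ("text/plain", b"ssrf-test-server: reached\n"),
    ".xml": ("application/xml", b"<?xml version='1.0'?><reached/>"),
    ".ics": ("text/calendar", b"BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"),
    ".svg": ("image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
}
FALLBACK = ("application/octet-stream", b"")

def classify(method, path, version, headers):
    """Pure function: record the two properties the slide cares about, whether
    a Host header was sent at all and which file type was asked for."""
    clean = path.split("?", 1)[0]
    last = clean.rsplit("/", 1)[-1]
    ext = "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": method,
        "path": clean,
        "version": version,                  # HTTP/1.0 fetchers rarely set Host
        "host_header": headers.get("Host"),  # None when no Host header at all
        "kind": ext or "(none)",
        "content_type": CANNED.get(ext, FALLBACK)[0],
    }

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        rec = classify("GET", self.path, self.request_version, self.headers)
        print(json.dumps(rec), flush=True)   # one JSON line per hit
        ctype, body = CANNED.get(rec["kind"], FALLBACK)
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class DualStackServer(HTTPServer):
    address_family = socket.AF_INET6  # "::" also takes IPv4-mapped clients on Linux

if __name__ == "__main__":
    # Bind only to an address reachable from the network under test (assumed port).
    DualStackServer(("::", 8080), Handler).serve_forever()
```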
50. SSRF-testing server
Should be an open source project
Anyone up for it?
110. Final words
1. Use the time before the event
2. Take on the consuming tasks no one bothers with
3. Move around, but if something is interesting, be persistent!
4. Work as a team, it's amazing.
Thank you!