The Bug Hunter's Methodology 2.0

Captions
all right my name is Jason i am the vp of trust and security at a company called bugcrowd at bugcrowd we host manage crowdsource security solutions in particular bug bounty and responsible disclosure programs but I'm also a tester and I've been a pen tester my whole life and I continue to be a bug hunter and this presentation basically goes over a whole bunch of bug hunter tips and tricks as well live oh no really as well as vulnerability classes that are pertinent in today's bug hunter type of life cycle any of you hunt bugs on a bug crowd or any vulnerability disclosure program or anything like that hacker one cynic couple you yeah hopefully this will have some good stuff in it this is kind of a year of parsed knowledge basically so I did one of these at Def Con 23 what I did is I took all of the top hunters back then they didn't have a lot of blogs there was not a lot of information and and we took all of their methods from their blogs and disclosures and stuff like that tried to distill them back to how they test and how they found big quality bugs and then what automation and tooling was good in those sections and so that kind of turned into this talk that I gave at Def Con and so the idea is I redo this every year with the new pertinent bugs that basically high quality high-impact bug bounty hunters find on programs to help the rest of us get up to there so the first version of the bug hunters methodology had things like discovery and mapping and parameters off an attack and this one will have those things - its up for revitalized with new data new tools new fuzz strings filter evasion technique stuff like that the vulnerability classes I covered in the last presentations were things like sequel injection cross-site scripting file uploads C surf and privilege some of those are going to be the same and some of them have changed in the two years since I did this talk at Def Con so we're gonna talk about some of those so in this years we're gonna do more 
discovery a lot of discovery and I'll talk about why that is advents and cross-site scripting a new vulnerability ish class called server-side template injection server side request forgery some advents in code scanning for code injection command injections and just some general advents and web fuzzing and then infrastructure and configuration so when you're doing bug hunting you're getting into ethical hacking or anything like that there are some books that you'd really need to put on your bookshelf one is the web application hacker's handbook and this is considered kind of the Bible for the web application hacker handbook it really breaks down the methodology the syntax all of the attack techniques and it's written by the authors of a tool that we all use in web application hacking called burp burp suite proxy after that shortly following that is the OS testing guide at the bottom and that's a you know referenced by Oh wast it has basically a list of all types of vulnerabilities and how to check for those now they're having a couple books I really recommend adding two to your kind of bookshelf for this and one is web hacking 101 by Peter your ski this book is actually really awesome it goes through a whole bunch of disclosures of his bugs and other people's bugs on the hacker one platform because they have disclosure breaking into security by Andy Gill and modern web penetration testing which is a PAC publish book so these three are kind of add-ons from the last presentation that you should have in your bookshelf if you're going to do modern web application assessment so the first section of this presentation is all about discovery and the idea here is that if you look at the cross-section of our researchers you can think of them or bug bounty hunters you can think of them in a triangle right and at the top we have the heavy hitters the guys that get paid 10k a bug very regularly they do this for a full time right they have a certain set of skills if you take 
their submissions and reverse them out down into what vulnerability classes they're finding so we wanted to find out well how are they and what classes of bugs are they finding at that top of that pyramid so we can get the middle of the pack up there right that's what we want as bugcrowd so one of the things that we found is really good hunters are really good at finding a tack surface that was unknown which I call discovery so what this is is finding websites that your development crew stood up for two days and never took down lawful offline things like marketing sites that marketing stood up never took offline internal systems that have been left out there I think there's a term called for it called like shadow IT basically these are all those systems that everybody has forgotten but are still connected to your cloud infrastructure or even your real infrastructure so this is a methodology that is parsed from myself and a whole bunch of other people discovery is actually one of my specialty areas and it goes through how to find lost and orphan sites because they are often less secured than the main comm and you can often find really juicy vulnerabilities for these sites so in the last version we talked about a couple of things which was sub domain scraping we talked about a couple of tools and we're gonna talk about advents in these toolings and then also as some of the other stuff that goes along with them so when you have this idea of finding domains that are left out on the internet that no one remembers or that you just kind of want to find all of the application space for one of these companies the first thing you want to do is called subdomain scraping and subdomain scraping basically goes out to all these sources on the internet like certificate certificate repository as it goes out to search engines like Google and Bing and Baidu and basically it search for your main searches for your main domain here like Tesla Tesla has an open bug bounty so they you 
know let us show all the tools running against their domain here and you can see here that this tool will look in Bing Yahoo Google ask net craft pns dumpster virustotal SSL certificate repositories and passive DNS the web site and it will look for anything that has Tesla com associated to it and any of those sources and it will parse them out and give you a list of everything it finds so this is a tool called sub lister that combines all of those into one tool it's made by a hunter called Abu Leia I think that's right Abu Leia something like that excuse me if I put your names and it hasn't been updated in a little while if you look at this repository for sub Lister there's actually a fork maintained by another author that actually has a few more a few more parsing methods other than being Baidu asked and all the ones that are listed here so if you just go to the github and go at the forks look at the most updated one and that guy actually has some checks here to see where these redirect by IP and then also if they're associated to any places where you could possibly hijack the subdomain which is a vulnerability we're going to talk at the end of the presentation about which is hijacking subdomains so this is search engine basically scraping and so sub Lister is one of the main tools to use here for for finding orphaned sites so in subdomain scraping this is one method of discovery right there's lots of methods you have two or three tools that are really pertinent in this area so you have sub lister on the right here and then you have another tool set called Recon NJ recon ng made by Tim tomes and it's recon and G is actually a whole ocean framework to do discovery on people places domains it can do oceans on anywhere and then I wrote a tool that wraps around recon ng called enum all with this guy leaf right here he actually he did most of the coding I just managed it and and it does it does these three on the Left SSL tools comm it parses from their API hacker 
target comm it pulls data from their API and showed on there are some optional modules at the bottom zoom I threat crowd just a generic zone transfer the risk IQ API if you own an API key for that and census that I do which if you own an API key for that you can pull down with recon ng I'm so are there there are some that are specific to each tool and a lot of people end up using both of them oh and then both do the middle column so luckily people realize that you didn't want to use you don't wanna have two tools and one so they made a docker container called brute subs which basically wraps these two tools and one other one called alt DNS which we're going to mention soon into one docker container that runs from one command because all you want to do is really search one domain for one command parse all of these different input sources and get a list of stuff that you might want to hack on for bug bounties so this is that docker container and it's pretty simple just docker compose with your up and then you have to set a config file with your target and then it runs all these tools on your on your target so here you can see it's going through and using multiple tools and it'll concatenate the results so that's called brute subs so that's subdomain scraping that's pulling from all these sources on the internet to find stuff that's either been cached by a search engine it's been sometimes somehow leaked via certificate something like that there's another couple of ways to do this which are pretty cool as well so anybody in here use CloudFlare some of you right so you know when you start up CloudFlare for domain they ask you for your domain and then they do like this magic wizard that shows you all of your sites right they have this giant database at CloudFlare already mapped out of the Internet they know where your domains are what your de namespace is and what IPS are associated to those domains and they're ready to deliver you CloudFlare on all of those well as bug 
hunters we created a script to go through that login cycle and parse their data set and pull it back into the stuff we should attack so this is CloudFlare enum so here's Disney I didn't run this sorry if you work at Disney um this is from the main page sorry and so you give it your credentials for CloudFlare you just create a fake account and then you give it your email your credentials and then it tells you what the CloudFlare magic database comes back with this one actually gives you some pretty good information there's another project called census do some of you might use and there's a script to parse that as well these haven't been integrated into an automated tool yet but they will be really shortly they'll actually part of the new fork of sub lister which I'm helping with so so that's sub scraping getting getting subdomains from a whole bunch of sources that are out on the internet and trying to list them out so you can attack them and find the juicy ones where the good vulnerabilities are there's also this idea of subdomain brute forcing right so you have Tesla com and then you just try to resolve admin that Tesla dot-com and if that doesn't work you try to resolve customer service Tesla comm right and this is brute force this is brute forcing the subdomain part of the domain there's multiple tools that have existed for this for a long time right some of you might have heard of fierce which is older but very common one taught in pen testing courses really there's a new class of this tool that have come out in the last couple years that dramatically increase the efficient this type of finding basically so there's two tools one is mass DNS and one is gogo Buster and both of these are brute force tools with the syntax listed here and so I did a case study of how long it took to run through a 1 million one hundred thirty six thousand nine hundred and sixty four line sub-domain brute force list which I made I took every tool that had ever seen do subdomain dupe 
brute force saying I catted it and unique it into one file and I'm talking about stuff that's from like fifteen years ago I put it all into one file and I ran it through some of these tools so you can see the run time sub brute which is a common one Totten pentesting classes just air it out with this size of a dictionary just couldn't do it go Buster took about 21 minutes mass DNS because it's a distributed program written in C and it used mul it uses multiple DNS resolvers to try to resolve the DNS uses up to 150 took 1 minute in 24 seconds to run that whole file now there are false positives in this tool so depending on the resolvers that are returning stuff sometimes they'll just return yes that this thing resolved for a lot of stuff that didn't resolve so you'll get false positives but the thing you'll notice about the false positives in the output of mass DNS is that they're pretty pretty easy to spot because they all return like these generic like cname errors in the tool and so you'll know right away that they're false positives and you can just grab them out so mass DNS and as a backup go Buster are the tools that you should probably use for subdomain brute forcing and this is the hardware I use for that case so at the bottom and you'll have to excuse me I've been sick like all week so I'm trying to you know persevere ok so we talked about subdomain brute forcing this is the combination of basically all of those word lists for the brute forcing I just called it all dot txt it's a gist at this address you can grab it I use it in my pen testing all the time this is like every program that's ever done DNS brute forcing on the right here just put those all into one list unique tit and so now you have that for your own usage mass DNS is at blech Schmidt that's where you can pull down nasty and ask to do some of this and so those are those are two advents and kind of subdomain brute-forcing in that part of discovery in addition when you have a bug bounty that is 
open scope enough like Tesla's Tesla's is basically any system that you can verify that Tesla own is included in their their bug bounty you can check for acquisitions for some of these programs as well as in Facebook in Google but they have a wait period they have like I think it's maybe three months after they acquire a company you might need to wait until you submit it to their bug bounty and I'm assuming that's how long it takes them to migrate IT over to Facebook or Google I can't remember which one in the wait period is on but once you do that you want to have mapped out that hey look Tesla acquired groomin engineering Solar City and Riviere tool over the course of their lifetime are all those assets that might be related to a company that Tesla now owns have they been tested have they been hacked do they have bounty related vulnerabilities on them maybe maybe not so CrunchBase is the place to go for this CrunchBase has a lot of financial data related to acquisitions and stuff like that so you can go to crunchbase and pull down related acquisitions so then after you have all of these hosts via subdomain scraping brute-forcing maybe some acquisitions and when you find the actively acquired companies in their domains you put them back through the subdomain scraping and brute forcing you finally have this large list of targets maybe you want to go after now you have to port scan because to not port that port scan them would be unfruitful what happens a lot of times is these things have remote administration protocols open on them they have web servers running on high ports that people don't even think to look out for so you know in the traditional kind of web testing method you would use nmap to scan and 65,000 host with nmap this is a large targets ASN or maybe a large discovery from the methods we just mentioned before that just takes forever it'll just like put you to sleep if you want to test all ports or even just the default and month and map ports list for 
this you might as well wait a month for that type of scanner maybe a week maybe maybe a week some a scan is a solution to this problem distributed written in C actually not distributed written and see way faster higher higher error tolerance on the scanning so this is the syntax for running masscan against 65,000 hosts with the default end map port range you'll need some serious hardware in the cloud to probably do this so I I commissioned a digital ocean box with plenty of memory and bandwidth but time to run 65,000 hosts with the default end map scrip ort list 11 minutes which is not that bad for this so pretty amazing alright so you have a port scan you have a whole bunch of domains with ports on them that are open you're ready to hack them now you need to know which one of these domains that you pulled down earlier are worthy of attacking first some of those sources that we pulled from might have been taken offline because one of them was search engines right in search engines cache old information sometimes so some of those domains might have been pulled off line some of the domains might exist as a DNS entry but they might redirect to the main Tesla comm site so how do you how do you account for that in your recon well you can use it to like eyewitness which basically takes a list of everything you have which is at this point domain names and subdomains and appends HTTP and HTTPS tries to resolve each one of those and takes a screenshot of each site after all the resolving has taken place and all the redirects to have taken place then you get a folder like this on the right which has all of the basically pictures of what it landed on and you can start to get a good feeling as to what you want to hack first obviously if you land on something that's like an admin page or a developer console or a login you want to check those out if it's just the Tesla normal home page that you're supposed to land on probably not going to prioritize that right away all right so 
now you have domains ports prioritized places to test via like visual identification now you kind of want to do some platform identification and to see if any of their web server software or components are outdated these will provide quick wins and bounties if those vulnerability is associated to old versions in their server software or their third-party code is is something you have to do any work basically you'll see that they're running an old version of something you'll go google it you'll see okay here's the exploit for that and you'll exploit it and you don't have to do any work yourself so there's a couple of things from the first presentation we talked about this tool called retire j/s which will go through third-party Java JavaScript libraries and tell you if nodejs is out of date and has vulnerabilities associated to it for technology mapping to see what a site is actually running on the server side what stack it's running there's Apple Iser and built with and now there's a new burp plug-in called vulnera sanentur vulnerable that as you passively visit sites in burp instead of just giving you basically the application level vulnerabilities it'll also start parsing version numbers that show up in read Me's in the headers everywhere and tell you that there's vulnerabilities associated to anything behind the version they're running at so burp vulner scanner is a new tool to kind of identify some of these easy c V's that already exist okay so none of that substitutes for actually walking the app right like a lot of bugs are are highly contingent on knowing what your application does very intimately especially things like insecure direct object reference or missing function level access control those type of bugs very contingent on you actually using the site instead of just using all this automation so I put the slide in here just to say like don't forget to get very cozy with your app and understand what it's doing these are ways to expand your scope and to 
do discovery but once you land on that site that you're gonna hack really put your effort into it alright so once you're on an app that you want to start hacking though one of the first things that people have done is use a tool called der bust or even to use der Buster force and unwashed tool cool so it is a directory boot for sir so we have Tesla comm right now in order to discover everything that might be on Tesla comm I spider it and I see it has all these URLs and parameters and it does certain things but there are hidden things that it might do hidden admin panels hidden parameters stuff like that that might exist on that site so we brute-force a whole list of common common pages for that type of stuff now traditionally der buster was the tool that you would use for this now there's a tool called go Buster which is written in go it's much faster I didn't need to do like a basically a comparison for this because it's this has just kind of been what we switched to and I think a lot of people are aware of go Buster already so but go Buster is a tool you use for content discovery or directory brute-forcing now burp has this idea - it's called content discovery it's available in the pro version of burp not everybody has the pro version of burp if you do have the pro version of burp you're counting on that the word list that they're brute-forcing in the path is as good as the one that comes with with go Buster or the ones that are out in the open source community for route forcing these types of paths the best one right now that exists for doing this is called robots disallowed it's one of the best it's written by Daniel me sir who's sitting right there so he maintains basically you parked parsed like the alexa top of what like million or something yeah he parsed the whole licks a list of their robots.txt files and then sorted them by occurrence so robots.txt meaning that developers don't want you to know or go to those pages so that's exactly what we're gonna go 
to so you feed this thing to go Buster you feed this list to go Buster and you find things that developers didn't want you to go to hopefully things that are juicy and that have vulnerabilities associated them so then there's the idea of like we found pages that are good that we want to attack and we want to fuzz and that's general web hacking is putting stuff into parameters or input fields and seeing what happens but there's the idea that there might be hidden parameters associated to pages or functions or scripts and so there's even a tool to brute force parameter names if you're with an API or with you think there's a hidden parameter something is called pram F and it's written by a guy named Syrian Mach o he's a bug hunter and so this will brute force parameter names burp the authors of burp suite did a project as part of something else that they did which mapped the top parameters that applications use the parameter name so ID action page name and they mapped all of these by occurence so you can feed these two parameters like an API or something like that this can be either like the syntax of you know poor script question mark equals parameter or something like that or it could be the you know the rest style or whatever you could do either but you can brute-force parameters with but these type of tools so this is the overall discovery methodology right identify IPs and mein Teil these scrape brute force ports can do some visual identification identify the platform do content discovery and then maybe do parameter discovery so this is most of the active stuff there is there are some other stuff that you can do as part of recon which is like trying to investigate github repositories associated to companies and map out their technology that way and find paths and even deeper parse javascript files that the company's hosting to pull up pads that are there those are new advents and kind of mapping sites but I didn't include those in here but they're actually in a 
presentation that Ben wrote for LevelUp that was like six months ago or eight months ago and he did a whole presentation on a couple of those methods right so cool so one of the topics in the last one in the last bug hunters methodology was cross-site scripting so we're gonna talk about a few of the admins and cross-site scripting so not really a lot of advents and cross-site scripting cross-site scripting remains the same except for the addition of a quasi new category so and I'm just gonna draw myself as an example here for the longest time I was pen testing for years throwing in attack payloads into parameters and and boxes input boxes that I was shooting alert payloads into right and I was getting cross-site scripting and I felt great but for years I was missing out on the fact that if I would have had a little bit more JavaScript a little bit more experience I could have added what's called a JavaScript hook and then when I sent a cross site scripting payload into a form I might not have gotten immediate response from my page but someone in customer service for that come might have eventually seen that a tack string and it would have popped up on their internal customer service admin portal so this is a category of cross-site scripting called blind cross-site scripting and there's a couple of frameworks here to manage and test for blind cross-site scripting so one of them is called sleepy puppy it's built by the Netflix team anybody from Netflix in here yeah awesome tool so sleepy puppies awesome there's some other ones there's ground control by Gilbert Alma Amba you see your words last name sorry and then there's XSS hunter which is a framework for managing the callbacks for this there's also some things called polyglots which have come around which are basically identifying cross-site scripting using one string that will execute in multiple contexts which helps you quickly identify some versions of cross-site scripting and there's there's some other 
resources here so this is the idea blind cross-site scripting so this is Franz and Franz in step one finds a form field for a name last name and organization Franz puts in a script like this it says script source equals y dot VG which is his domain he owns and so when anyone visits that and that script executes it will call back to his yvg domain and he'll know that someone saw that immediately he sends it through the tubes and it ends up that he doesn't get an alert right away so there's no stored cross-site scripting there's no reflected cross-site scripting but all is not lost for Franz so eventually it ends up on Jamie's computer and he works for Yahoo and he has a customer service portal he logs into every day that reads emails or an application parses that information and it pops up on Jamie's admin console then it executes a shell a JavaScript shell back to Franz a server yvg and then Franz now has the same access as Jamie can instrument his admin panel this is blind cross-site scripting so so sleepy puppies really good ground controls really good but the one that a lot of hunters use is actually XSS hunter so XS enter XSS hunter is a framework that instruments blind cross-site scripting it generates hooks for you it will also email you when you get blinds cross-site scripting triggers when those customer support reps actually open the email will email you it will send you reports it has the ability to basically parse and change the payload it does a lot of cool tricks like beef and XSL XSS shell used to do when we were doing like demos of that so XSS hunter is kind of the the framework that would you would use nowadays to manage cross-site scripting attacks for applying across site scripting okay so in the last presentation we talked about this idea of polyglots and we you can look it up it's a from Def Con 23 we talked about three of the most common XSS polyglots the idea of an XSS polyglot is that it's one long string that can execute in multiple contexts 
so if you put it in a form or a parameter wherever it lands on the page in the HTML as long as there's not sufficient output encoding it will alert you don't have to fiddle with it to get it to match the context of your page you just paste in this one string and it should ignore all the parts that it doesn't care about and alert on the part that it does care about so there are four main one of these that exist this is one by hack fault called the ultimate XSS polyglot it's not actually the one I use them the most the one I use the most is part of the old presentation by a it was invented by a guy named azshara to ved a lot of scanners are starting to Institute polyglot payloads because they don't send as much traffic to the sites and they don't have to worry about context and some of their scanners so it's kind of where some of that fuzzing is going these days if you're really into manually mapping context for cross-site scripting there is a new resource out there called the XSS mind map by Jack Massa and what this does it's a giant mind map of cross-site scripting payloads based on context so you can drill down if it's you know lands in the Dom if it's part of Flash if it's part of react or jQuery frameworks if you're trying to bypass or stay under a character limit there's basically notes or actual payloads to use against that type of context and examples um so this is one of the new resources that's really cool for for cross-site scripting not that any of these are new but definitely organized really well okay so that's cross-site scripting so now we're going to talk about a vulnerability called server-side template injection so there are a number of template engines out there I use flasks a lot for like you know easy development projects to make CTF stuff like that but if you use the templating and engine there's there's the opportunity that there could be a remote code execution bug called server-side template injection there now I'm not a templating engine 
expert so I just know that this vulnerability exists I've kind of built CTFs around it before but I'm not like 100% expert so so identifying sites when they're using a templating engine is is the same thing that we would normally do you would use WAP eliezer built with to verify the stack on the server-side and see what they're running you would fuzz parameters but really there's a couple of tools here when you identify that you're using a templating engine Marco dust you know Jinja any of those tornado and this is the idea temple of a templating engine right so here you have an error page that's going to parse this URL or when you get redirected to this air page it's going to parse a your all here and instead of providing it a parameter or it's going to parse this page you give it a math operator inside some mustache braces or you ask it to read a file in the second one here yeah so there's an excellent article here I have it in the resources page that explains like axes actually how we're finding out which class to use for the file read here and this is against Jinja but most of the time when i'm fuzzing for SST i use the payload on the top right what i want to do is usually I'll have like a page or an input parameter field of a nickname or something that or whatever the parameter name is or whatever and I'll just put in a payload like two times three and if it gives me back you know that if it evals the math and gives me back page six or gives me back six I know that I'm probably you know good for server-side template injection though there is a tool called TPL map which is very similar to sequel map which knows each template in engine and how to construct and find the class that we'll be able to get you an operating system shell when template injection is available so TPL map here I've given it a URL that's vulnerable and it identifies the template injection in the name parameter and then I tell it to get me the Etsy password file and it's gonna do that in a 
second. So they're actually giving me an operating system shell. I did --os-shell, very similar to sqlmap except for templating injection, and it got me the OS command shell. Goes pretty fast, sorry. So this is one of the bugs that is like a P1 bug on most systems, a new-ish class of bug. Server-side template injection was actually found by one of the people on the Burp team, so they have a whole white paper on how this works.

So what we did at Bugcrowd, and this is actually off a little bit on the style, sorry, it's from a different presentation, but I thought it was apt to add into this presentation: what we did at Bugcrowd was we took all of the parameters that were most often vulnerable to this class of vulnerability and ranked them by occurrence. What happens when you build web applications, or you end up using these technologies, these frameworks, is they either provide you parameters or you think of one yourself for the data you're trying to handle, and semantically it ends up being the same parameter that's associated to a lot of the same vulnerabilities. So for server-side template injection these are the top parameters that are vulnerable to this bug: preview, id, view, activity, name, content, redirect and template. Template makes a lot of sense, right? Templating engine, template. So for debugging and logic, which this slide came in from another presentation, but for applications where you want to try to fuzz for debug or logic functionality in a URL as part of a parameter, this is that list on that side, which is access, admin, dbg, debug, edit, etc. So this is part of another presentation I did called HUNT. I made a tool to alert whenever Burp saw these parameters, to tell you to go test for certain classes of vulnerabilities. That's a whole different presentation, but I included the tables in here so that if testers really want to get intimate with these types of bugs they know the types of places to look. So here are those resources: the original white paper for SSTI, the SSTI workshop that was done by Jerome, SSTI in Flask and Jinja by Tim Tomes. Really, if I'm not an expert on something I'm gonna try to give you the best resource that you can go learn about it, so this is kind of what I do at the end of each section, this is where you would go. And then pizza, good friend of mine, so I put a little bubble here to say what's up. Okay.

So another vulnerability that pays out well, and is part of kind of the elite hunter methodology, is server-side request forgery. We didn't really talk about it that much in the first version of the Bug Hunter's Methodology; we're gonna talk about some resources and tooling for it, and this one we're gonna move a little fast because I'm running out of time. So the same as other places, here's the table for the most often attacked parameters for server-side request forgery: file, folder, location, style, locale, template, path, doc, display. You'll notice some of them are the same for all the vulnerability classes; that's okay, I don't care about that, this is a very small handful of params to test, really, or to be alerted on. So that's that list for you. The idea of SSRF is you have a function on a website that normally takes a path, HTTP usually in most cases, and it's trying to do a redirect or pull some kind of content from the value of that parameter. So you can see the value of URL here is http://google.com. Well, what if you passed just slash google.com? What if you pass it without the HTTP, without the protocol, or the slashes? What if you pass it with just a path to something else here? Well, you can do malicious things when those functions aren't coded correctly, like use the file protocol to read /etc/passwd on the bottom, or use TFTP to internally port scan the server, because they haven't disallowed that protocol handler in that parser. So there are a whole bunch of ways to do this. One of the presentations I list in the resources section is this presentation by Nicolas
and it's a whole bunch of ways to notate IP addresses or web addresses that can get past blacklists that people try to disallow this attack in, or really, you know, whitelist any type of pathing attack. So these are different ways that you can bypass some WAF stuff. Really, this is the ultimate cheat sheet for SSRF: it tells you by platform, or by stack or programming language, basically which ones are vulnerable to which protocol handlers by default. So you can use this if you see a URL. Basically my methodology is: use Burp; if you see anywhere in a parameter value that a URL is getting passed or a path is getting passed, start to fuzz it, find out what platform it's on, and then reference this cheat sheet for what is usually enabled by default on that technology, try to use those protocol handlers and try to pull out bad files. These are the most common parameters for server-side request forgery; you can grab these slides offline so I'll go through them. And these are the best resources for learning server-side request forgery.

Okay, I have ten minutes, so I'm gonna blast through this, sorry. So for just code injection or command injection, or just kind of new fuzzing ideas: in the last version I talked about SQL injection. SQL injection, although it's a super impactful bug, we don't see it a ton; it's not a top bug that we see a lot of testers finding nowadays, there's a lot of mitigations in SQL injection. But command injection, funnily enough, still exists in a lot of web applications. And then the idea of custom fuzzing as well is a thing that we see, as well as IDOR or missing function level access. So IDOR is the idea where you have a numerical identifier inside of a URL, and if you increment or decrement it you can get somebody else's data back, right? That's an IDOR bug. So IDOR still retains its kind of king status bug of all our bugs. IDOR gives you the highest payout.
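Going back to the server-side template injection section: the probing step described there (drop arithmetic inside template delimiters, watch for the evaluated result) leaves a recognizable trace in access logs. Here is an added example, not from the talk or from the HUNT plugin, that scans constructed log lines for such probes and rates hits on the parameter names the talk lists as most often vulnerable; the log layout and the severity scheme are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names the talk lists as most often vulnerable to SSTI.
SSTI_PARAMS = {"preview", "id", "view", "activity", "name", "content", "redirect", "template"}

# Arithmetic wrapped in the expression delimiters of common engines:
# {{7*7}} (Jinja2/Twig), ${7*7} (FreeMarker/Velocity), <%= 7*7 %> (ERB), #{7*7}.
ARITH = r"\s*\d+\s*[*+\-/]\s*\d+\s*"
PROBE_RE = re.compile(
    r"\{\{" + ARITH + r"\}\}|\$\{" + ARITH + r"\}|<%=?" + ARITH + r"%>|#\{" + ARITH + r"\}")

# Assumed combined-log layout: client ident user [time] "METHOD path proto" status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def scan_line(line):
    """Return a finding for one access-log line, or None if no SSTI probe is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = unquote(value)              # catch double-encoded probes too
        if PROBE_RE.search(value):
            return {"client": client, "method": method, "param": name, "value": value,
                    "status": int(status),
                    # A hit on one of the talk's high-frequency names is rated higher.
                    "severity": "high" if name.lower() in SSTI_PARAMS else "medium"}
    return None

def scan_log(lines):
    """Findings for a whole log, in order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log: two probes on listed parameters, one on an unlisted
# parameter, one mustache value without arithmetic, one ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Apr/2018:10:00:01 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Apr/2018:10:00:02 +0000] "GET /preview?template=%24%7B3*3%7D HTTP/1.1" 500 88',
    '198.51.100.9 - - [03/Apr/2018:10:00:03 +0000] "GET /search?q=%3C%25%3D%202*4%20%25%3E HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Apr/2018:10:00:04 +0000] "GET /search?q=%7B%7Bhello%7D%7D HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Apr/2018:10:00:05 +0000] "GET /docs?page=2 HTTP/1.1" 200 4096',
]
```

A 500 on a probe against a listed parameter is the case worth looking at first: the engine tried to evaluate the input.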
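The defensive counterpart of the SSRF fuzzing just described, as an added example that is not from the talk: a validator for a URL-taking parameter that allows only http/https, requires a host, resolves it and refuses anything landing on loopback, private, link-local or other internal space, so protocol-handler tricks (file://, tftp://), scheme-less values and alternative IP notations are all rejected by the same check. The resolver is injectable (an assumption here) so the example runs offline against constructed DNS data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, tftp://, gopher:// etc. never reach the fetcher

def system_resolve(host):
    """Real resolver: every address (A and AAAA) the host maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip):
    """True for address space an outbound fetch must never reach."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_fetch_url(raw, resolve=system_resolve):
    """Return (ok, reason). The caller must then connect to the address it
    checked, not re-resolve, or a DNS rebinding answer can swap it out."""
    parts = urlsplit(raw.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % (parts.scheme or "(none)")
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = resolve(parts.hostname)
    except (OSError, ValueError, UnicodeError):   # gaierror is an OSError
        return False, "host does not resolve"
    bad = sorted(ip for ip in ips if is_internal(ip))
    if bad:
        return False, "resolves to internal address " + bad[0]
    return True, "ok"

# Constructed DNS stand-in so the example runs offline; numeric hosts go
# through inet_aton, which accepts the shorthand and decimal notations the
# talk mentions as blacklist bypasses (127.1, 2130706433), so they are still caught.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.corp.local": {"10.0.0.12"},
    "metadata": {"169.254.169.254"},
}

def fake_resolve(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return {socket.inet_ntoa(socket.inet_aton(host))}   # raises OSError if not numeric
```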
Applications are most often vulnerable to it. This is an instance of a site here that was vulnerable to an IDOR that let you pull down, from an endpoint, JSON data on a customer. Basically all you did was there is a user ID parameter and you incremented it by one or two or three and it would give you back someone else's data instead of your own. This happens all the time. I don't think I've seen a web application that has access mapped very well that hasn't been hit by an IDOR before; it's super prevalent. There's no real framework to fix access bugs, so, you know, they're usually pretty late in applications. So the things that you do here to find IDORs is look for numericals in parameter values, which sounds like every site is going to have that, but you'll know when you see it's like id= or something like that; you'll know by the parameter if you should try to iterate it or not. If you see an email address, try to change it to a different email address. If you see a hash referencing something, try to change the hash: create two accounts, and if one has a unique hash as it's referencing an account, just steal the other hash, see if you can substitute it. A mix of some of these exist on some of these sites. These are the most common parameters associated to insecure direct object reference; again, this is out of another presentation called HUNT that I did at DEF CON.

Command injection, really that one's kind of been covered a lot, but there's a tool called Commix, very similar to sqlmap and tplmap, that exploits command injection, and it has the ability also to give you reverse shells in PowerShell or Python and integrate directly in Metasploit, which is pretty cool. There are some other advents that have come out, so Burp Suite has an optional module built into it now called Backslash Powered Scanner, and what it does is it doesn't actually fuzz for any singular vulnerability; it fuzzes by applying just kind of junk in certain parameters and then escaping them with the backslash, and then reading the response: whether something executed, or an error came back, or the content type was different. There's a whole bunch of checks that it does, but it's kind of like automated manual fuzzing, that's what I call it, and so it's pretty powerful, and it's a way to get back to kind of manual fuzzing for web vulnerabilities. When Burp finds something that either returns a different content type, an error, or something like that, it gives you a scanner check and it says "suspicious input transformation, you should check this out," basically. So that's cool. These are all the resources for that section.

Last section. How much time do I have? Five minutes, cool. So the last section where we see bug hunters succeeding and finding big bugs is basically related to infrastructure and configuration vulnerabilities. This is one that we see a lot, which is subdomain takeovers. This is the idea that you have a subdomain that at one time connected to something like one of these services, and then you let it lapse, and so you still have the subdomain mapped. What happens is an attacker goes out and registers your subdomain on one of these sites, and since you let it lapse they have the ability to register it, and now they have control of one of your domains and inherit the trust of your users. So subdomain takeover: these are the ones that can be efficiently used, basically you don't have to provide credentials or IDs or company verification to register those things in most cases, or you can forge it. This was basically coined or made popular by a tester named Frans Rosén. He has all these checks automated; I don't think anybody else really does. He's awesome. It's pretty simple, you know: you check to see if any CNAMEs are resolving to third-party services, and you make sure those things are either active, set up for, you know,
renewal, and after they're renewed you nuke that CNAME, basically. There's a whole bunch of tools for this, one written by Ben here called HostileSubBruteforcer, although is that maintained still or not? Not anymore? Okay, yeah, so he's the originator but not the maintainer. tko-subs, autoSubTakeover, there's probably like six or seven tools that are looking for this now, because it's an easy vuln, happens all the time, is usually a P1 on most platforms, so it gets you paid out at the top level. It's a big-time bug.

So misconfigured AWS, this is S3 buckets. You read a lot about these; this is a whole probably day in itself, both hunting for S3 buckets that are associated to companies and also taking them over, seeing if they're configured right. There's a couple of tools in this section, one called Sandcastle, one called bucket_finder, and there's some other ones that have recently just come out that I haven't used yet, so this presentation needs to be updated. But there's a whole walkthrough by Detectify and Frans who wrote about basically taking over S3 resources, so I'm not gonna reinvent the wheel here. You can check that out; it's called "A deep dive into AWS S3 access controls: taking full control over your assets." Probably the best reference and most complete write-up I've seen on this type of thing before.

The other one is Git: the idea that you have Git exposed off of your main domain somehow. There's a couple of tools for this called Gitrob and truffleHog that will basically pull down source code repositories that are left open. The way you fuzz for this is in your directory brute-forcing you just add .git, usually, and if you get a 200 OK on .git it means they have misconfigured, usually, Git configuration, and you can try to download code that they've left on the internet or through their repository. That's it.

So some resources: the Bug Hunter's Methodology, the original one, is on my GitHub, so jhaddix/tbhm. There's also a forum for bug hunters called the Bug Bounty Forum, and it's associated to a Slack channel, so like we all hang out in there and share techniques and kind of make fun of each other a lot. So you can check that out. And these are all the people that I pulled content from in the presentation, so you can check those out in the thing. And this is me if you need to find me: @jhaddix, or jhaddix ... .com. That's it. [Applause]
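The subdomain takeover check described in the infrastructure section (CNAMEs pointing at third-party services that are no longer active) is simple enough to express directly. This is an added example and not one of the tools the talk names: it walks an inventory of your own subdomains, follows CNAME chains through an injectable resolver, and flags records whose final target is on a third-party service suffix and no longer resolves. The suffix list and the zone data are constructed assumptions.

```python
# Suffixes of third-party services customers typically front with a CNAME (assumed list).
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".s3.amazonaws.com")

class DnsView:
    """Resolver facade over constructed data; swap in real CNAME/A lookups in production."""
    def __init__(self, cnames, a_records):
        self.cnames = cnames          # name -> CNAME target
        self.a_records = a_records    # name -> set of IPs

    def cname(self, name):
        return self.cnames.get(name)

    def resolves(self, name):
        return bool(self.a_records.get(name))

def is_third_party(name):
    return any(name.endswith(s) for s in THIRD_PARTY_SUFFIXES)

def audit(subdomains, dns, max_hops=5):
    """Return (subdomain, dangling target) for every CNAME whose final target is a
    third-party name that no longer resolves: renew it or nuke the CNAME.
    Caveat: some services answer DNS for any name (S3 does), so for those a
    content fingerprint check on the target is needed as well."""
    findings = []
    for sub in subdomains:
        name, chain = sub, []
        for _ in range(max_hops):           # follow CNAME chains, bounded
            target = dns.cname(name)
            if target is None:
                break
            chain.append(target)
            name = target
        if chain and is_third_party(chain[-1]) and not dns.resolves(chain[-1]):
            findings.append((sub, chain[-1]))
    return findings

# Constructed zone: two dangling records, one healthy two-hop chain, one plain A record.
DNS = DnsView(
    cnames={
        "blog.example.com": "example-blog.github.io",
        "assets.example.com": "old-assets.s3.amazonaws.com",
        "docs.example.com": "docs-proxy.example.com",
        "docs-proxy.example.com": "live-docs.herokuapp.com",
    },
    a_records={"live-docs.herokuapp.com": {"203.0.113.20"},
               "mail.example.com": {"203.0.113.40"}},
)
SUBDOMAINS = ["blog.example.com", "assets.example.com", "docs.example.com", "mail.example.com"]
```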
Info
Channel: Coding Tech
Views: 69,847
Keywords: hacking, web hacking, bug hunter's methodology, bug bounty hunters
Id: HI1mTQ7ovFY
Length: 44min 39sec (2679 seconds)
Published: Tue Apr 03 2018