Bug Bounty for Beginners
HIMANSHU KUMAR DAS
about.me
Infosec analyst at iViZ techno sol. Pvt. Ltd.
Passionate Capture The Flag(CTF) player.
Started bug bounty recently; listed on a few security acknowledgement pages, a few $$$, a few t-shirts.
Member of the n|u community for the past 2 years and 6 months.
today's talk
Prerequisites
Highlights
Initial Approach
Tools to tune
Automating on localhost.
Bug Submission/Reporting.
Demo
prerequisites
Patience: of course, yes!
Ninja skills: no.
Operating system and web browser: a matter of argument, so pick your own.
Have you read any of these?
OWASP Testing Guide v3
The Web Application Hacker's Handbook, 2nd Edition
RFC 2616 – HTTP/1.1 (since superseded; the current HTTP/1.1 specification is RFC 9110–9112)
bug bounty program: highlights
Not limited to web applications: networks and products are often in scope too.
Must follow responsible disclosure.
Lots of $$$, gifts, t-shirts.
Test your: <script>alert("Bounty");</script>
initial approach
Did you read the scope?
Reconnaissance: CMS, default pages, paths, plugins (robots.txt, phpinfo.php, .htaccess)
Enumerate subdomains
Identify services
Understand the logic of each functionality before testing it.
Say no to scanners: many programs forbid automated scanning, and scanner output is noisy and mostly duplicates what others have already reported.
tools to tune
Web proxy (Burp Suite, Fiddler, OWASP ZAP, many others)
Must-have Firefox add-ons:
Web Developer
Tamper Data
Wappalyzer
FoxyProxy
User Agent Switcher
Live HTTP Headers
ClickJacking Defense (https://addons.mozilla.org/en-us/firefox/addon/clickjacking-defense-declar/)
and the list goes on...
automating on localhost
Install a web server on your local system (WAMP, XAMPP).
Download and install the product (CMS) on your local web server.
Time to feed it input and sleep: Wfuzz
intellifuzz-xss(By @matthewdfuller)
Sqlmap
IronWASP( By @lavakumark)
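What "automating on localhost" looks like in practice, as an added example that is not part of the talk or of any of the tools listed: a tiny reflected-XSS fuzzer in the spirit of Wfuzz, run against a constructed stand-in for a locally installed CMS. The target (paths /search and /safe, parameter q, an ephemeral port on 127.0.0.1) is assumed for the demonstration; point fuzz_param at your own local install instead.

```python
"""Tiny reflected-XSS fuzzer run against a target on localhost (added example)."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _LocalTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for a CMS page on the local web server:
    /search reflects ?q= unescaped (the bug), /safe escapes it."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<h1>Results for {q}</h1>"
        elif url.path == "/safe":
            body = f"<h1>Results for {html.escape(q)}</h1>"
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the fuzzer's own output readable


def start_local_target():
    """Bind the constructed target to an ephemeral port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _LocalTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


# Probes that break out of text, attribute and tag contexts.
PROBES = [
    '"><svg onload=alert(1)>',
    "'><script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


def fuzz_param(base_url, path, param, probes=PROBES):
    """Send each probe in `param` and return those reflected unescaped."""
    hits = []
    for i, probe in enumerate(probes):
        # A unique marker per probe ties a hit back to its payload even
        # when the page reflects the parameter in several places.
        payload = f"zz{i}q{probe}"
        query = urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(f"{base_url}{path}?{query}", timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
        # An escaped copy ("&lt;svg") still contains the marker but not the
        # raw payload, so only a byte-for-byte match counts as a finding.
        if payload in body:
            hits.append(probe)
    return hits


if __name__ == "__main__":
    base, server = start_local_target()
    print("/search (vulnerable):", fuzz_param(base, "/search", "q"))
    print("/safe   (escaped):   ", fuzz_param(base, "/safe", "q"))
    server.shutdown()
```

Because the target is your own local copy, you can throw as many probes at it as you like without breaking a program's no-scanning rule; only the confirmed hit is then reproduced by hand on the real target.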
Few techniques to bypass security measures
Brute-force protection: IP-based blocking, user-agent-based blocking.
Account locked, yet still accessible.
Cross-site request forgery: token missing.
Token not time-boxed.
Token not validated.
Token not random.
UI redressing/clickjacking: drag and drop [discovered by Ahamed Nafeez (@skeptic_fx)]
Content extraction (blocked in modern browsers).
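The four CSRF token failures above (missing, not time-boxed, not validated, not random), shown as the checks a correct implementation performs, as an added example that is not code from the talk: CsrfGuard issues tokens from a CSPRNG, binds them to a session, expires them and compares them in constant time; WeakCsrfGuard is the "not random" counter-based variant whose next token an attacker can name. The 15-minute validity and the session identifiers are assumed for the demonstration.

```python
"""CSRF token issue/validate covering the four token failures (added example)."""
import hmac
import secrets
import time


class CsrfGuard:
    """Tokens are random, bound to a session, time-boxed and actually checked."""

    def __init__(self, ttl_seconds=15 * 60, clock=time.time):
        self.ttl = ttl_seconds          # assumed policy: 15-minute validity
        self.clock = clock              # injectable so expiry is testable
        self._issued = {}               # (session_id, token) -> issued_at

    def issue(self, session_id):
        # "Token not random": a counter or timestamp is guessable; use a CSPRNG.
        token = secrets.token_urlsafe(32)
        self._issued[(session_id, token)] = self.clock()
        return token

    def validate(self, session_id, submitted):
        """Return (ok, reason); the server must refuse the request unless ok."""
        if not submitted:
            return False, "token missing"            # "token missing"
        found = None
        for (sid, token), issued_at in self._issued.items():
            # Constant-time compare, and the session binding stops reuse
            # of a token issued to someone else.
            if sid == session_id and hmac.compare_digest(token.encode(), submitted.encode()):
                found = (sid, token, issued_at)
                break
        if found is None:
            return False, "token not valid for this session"   # "token not validated"
        if self.clock() - found[2] > self.ttl:
            del self._issued[found[:2]]
            return False, "token expired"            # "token not time-boxed"
        return True, "ok"


class WeakCsrfGuard(CsrfGuard):
    """The 'token not random' failure: a sequential counter an attacker can predict."""
    _counter = 0

    def issue(self, session_id):
        WeakCsrfGuard._counter += 1
        token = f"{WeakCsrfGuard._counter:08d}"
        self._issued[(session_id, token)] = self.clock()
        return token


def predict_next_weak_token(observed_token):
    """An attacker who has seen one weak token can name the next one."""
    return f"{int(observed_token) + 1:08d}"
```

When testing a target, each of the four failures maps to one experiment: submit the form without the token, with a token from a second account, with a token issued an hour ago, and compare several freshly issued tokens for structure.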
Bug Submission
Subject: Responsible Disclosure.
Nature/description of the bug.
Steps to reproduce (exact URL, parameter, payload).
Impact.
Testing environment: OS, browsers, tools (if any).
Proof of concept: video (avi/flv), screenshot.
DEMO
Stored XSS through SVG
What is SVG?
Supported by modern browsers.
Dissection of the payload: XML CDATA. Text in an XML document is normally parsed as markup, but text inside a CDATA section is passed through as character data, so < and & inside it do not break the document.
To avoid parse errors, script code can be placed in a CDATA section.
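The CDATA point worked through, as an added example that is not part of the demo: a constructed SVG payload whose script body contains < and && parses only because it is wrapped in CDATA, and an upload check of the kind the receiving application should have had. The payload, the benign and event-handler samples, and the active_content helper are all constructed for this example.

```python
"""Dissecting a stored-XSS SVG payload and checking uploads for active content (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed payload of the kind the demo describes: the script body uses
# '<' and '&', which would be a parse error as plain element text, so it is
# wrapped in a CDATA section.
PAYLOAD_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <script type="text/javascript"><![CDATA[
    if (1 < 2 && document.cookie) { alert("Bounty"); }
  ]]></script>
</svg>"""

# Same script without CDATA: the XML parser rejects it.
UNWRAPPED_SVG = PAYLOAD_SVG.replace("<![CDATA[", "").replace("]]>", "")

# Other active-content vectors an upload filter must catch (constructed).
EVENT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle r="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><rect width="5" height="5"/></svg>"""


def parses(svg_text):
    """True if the XML parser accepts the document."""
    try:
        ET.fromstring(svg_text)
        return True
    except ET.ParseError:
        return False


def script_bodies(svg_text):
    """What the parser hands to the script engine: CDATA comes back as plain text."""
    root = ET.fromstring(svg_text)
    return [el.text.strip() for el in root.iter(f"{{{SVG_NS}}}script") if el.text]


_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def active_content(svg_text):
    """Reasons an SVG upload should be rejected (or rasterised) before being served inline."""
    reasons = []
    for el in ET.fromstring(svg_text).iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in ("script", "foreignobject"):   # foreignObject embeds arbitrary HTML
            reasons.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1]        # strips the xlink namespace from href
            if _EVENT_ATTR.match(name):
                reasons.append(f"{name} handler on <{local}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: href on <{local}>")
    return reasons
```

The caveat that decides whether such an upload is a stored XSS: an SVG displayed through an <img> tag does not execute its script, but the same file opened directly at the application's origin does. So check where the upload is served from and whether it can be navigated to, not only whether it renders.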
references / links
http://www.computersecuritywithethicalhacking.blogspot.in/
https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html
http://www.riyazwalikar.com
http://www.amolnaik4.blogspot.com
DEMO – Stored XSS on Facebook, by Riyaz Ahemed Walikar (@riyazwalikar)
http://www.riyazwalikar.com