
Lecture: Nature, Darwin and Bug Bounty Hunting


Is bug bounty hunting different from a security audit or pentest? Yes and NO! If you practice security assessment or pentesting, you already have all the skills needed for bug bounty hunting. Lack of willpower, time and strategy are the main factors of failure. Questions also arise: how much time do you have, how much time are you willing to spend, and how do you choose your target when you know that a pentest has already been conducted and that hundreds or thousands of bug bounty hunters have already taken a look at it? This presentation will focus on how to start bug bounty hunting as a pentester or security consultant and make it a fun and rewarding process.
When doing bug bounty hunting, one should take time and purpose into account and adjust the strategy accordingly. The presentation will show personal views, a strategy and an approach that proved to be rewarding in a few hours of work. The setup, tools, resources and strategy used for discovering bugs will also be shared, as well as details of two reflected XSS vulnerabilities that have been affecting two big companies.

Bug bounty hunting, security assessment and pentesting have some common factors, but they differ in details, and details often decide between success and failure. In this presentation two major questions will be answered: how to start bug bounty hunting as a pentester, and what strategy pays off. A strategy can include time, purpose, motivation, tools and techniques.

A lot of bug bounty programs include web and mobile applications. While the choice of a mobile application is obvious, choosing a target web application is not. Since many bug bounty hunters go after popular web pages with a lot of traffic, one should look at the subdomain pages of a company. Tools like dnsrecon or recon-ng are a great choice for discovering “less crowded” web applications and starting to hunt bugs there. When looking at a popular web page, one should search for hidden content and the functionality linked behind it. The strategy that proved rewarding was taken from nature, where an attacker chooses the weakest prey in order to survive.

Burp proxy with the scanner and additional modules is a good choice for discovering flaws in web applications. New attack vectors are discovered constantly, so it is advisable to use an attack tool that is maintained and kept up to date. A good alternative to Burp is the OWASP Zed Attack Proxy (ZAP). Uber suffered two vulnerabilities that have become publicly known in the last two years (client-side template injection with AngularJS [1][2] and server-side template injection [3][4]). Client-side template injection with AngularJS can lead to XSS when a sandbox escape is possible, but a web application with a server-side template injection vulnerability can suffer RCE. As Charles Darwin already said, “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” Being responsive to new vulnerabilities can be rewarding.
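The client-side template injection mentioned above has a property that surprises many pentesters: ordinary HTML output encoding does not stop it, because `{{` and `}}` are not HTML metacharacters and AngularJS interpolates them after the page has loaded. The following is an added example, not code from the talk or from any of the affected applications; it assumes a server-rendered page whose user-controlled text lands inside an element carrying `ng-app`, and it shows the encoded-but-still-injectable rendering beside a hardened rendering that marks the user-controlled region with AngularJS's `ng-non-bindable` directive. The function names (`htmlEscape`, `containsAngularInterpolation`, `renderVulnerable`, `renderHardened`) and the probe string are constructed for this example.

```javascript
// Added example (not from the talk): why plain HTML output encoding does not stop
// AngularJS client-side template injection, and one way to neutralise it.
// Assumption: the server renders untrusted text inside an element with ng-app,
// so AngularJS will interpolate any {{ ... }} it finds in that subtree.

// Standard HTML entity encoding. This defeats classic <script> injection
// but leaves curly braces untouched.
function htmlEscape(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Detection helper for a response filter or a scanner check: does the
// already-encoded markup still carry AngularJS interpolation markers?
function containsAngularInterpolation(html) {
  return /\{\{[\s\S]*?\}\}/.test(html);
}

// Vulnerable pattern: encoded user input placed directly into ng-app scope.
// The <script> tag is neutralised, but {{7*7}} would be evaluated client-side.
function renderVulnerable(untrusted) {
  return '<div ng-app>Hello, ' + htmlEscape(untrusted) + '</div>';
}

// Hardened pattern: encode AND wrap the region in ng-non-bindable, which tells
// AngularJS not to compile or bind that element's contents. The wrapper itself
// is static markup, so the encoded input cannot break out of it.
// (Alternatives: change the interpolation symbols via $interpolateProvider,
// or keep untrusted content out of Angular-controlled DOM altogether.)
function renderHardened(untrusted) {
  return '<div ng-app>Hello, <span ng-non-bindable>' +
    htmlEscape(untrusted) + '</span></div>';
}

// Constructed probe string of the kind a scanner sends to spot interpolation.
const probe = '{{7*7}}<script>alert(1)</script>';

console.log('vulnerable:', renderVulnerable(probe));
console.log('  interpolation markers survive encoding:',
  containsAngularInterpolation(renderVulnerable(probe)));
console.log('hardened:  ', renderHardened(probe));
```

The practical check for a defender is the second one: run `containsAngularInterpolation` over rendered responses that contain reflected input; if it fires inside an `ng-app` region that is not `ng-non-bindable`, the encoding layer alone is not protecting you.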

When hunting bugs in a mobile application, apart from discovering vulnerabilities on the phone, the server side is always important. Often certificate pinning is in place; three different approaches have been found useful for Android applications. After bypassing certificate pinning, requests are visible in an attack proxy and one can hunt bugs in an additional web application or exposed API. On a jailbroken iOS phone, bypassing certificate pinning also shouldn’t be a problem. In most cases the server-side APIs are unified, so it is better to choose the platform one is most familiar with.

Following this simple strategy, two reflected XSS vulnerabilities have been discovered, affecting two large companies. The first was on a sharing platform with more than one million active users. The second was on a subdomain web page linked from an entry page. Details will be revealed in the presentation.



Day: 2016-09-10
Start time: 13:15
Duration: 01:00
Room: Tesla


