Conference notes: How to fail at bug bounty hunting (LevelUp 2017)

Hi, these are the notes I took while watching the “How to fail at bug bounty hunting” talk given by Caleb Kinney on LevelUp 2017.

Links #

• Video
• Blog post accompanying this conference
• Bug bounty recon script
• Other Github repositories by Caleb

7 lessons learned from FAILs #

1. Double-check that your submission is in scope
   • Re-read the BBP brief (contains rules of engagement) AFTER you have written your bug report
2. Explain the vulnerability’s impact to program owners
   • Include a PoC
   • Prioritize vulnerabilities

- **Explain why** the BBP should take action and **remediate** the bug
- **Explain if** the bug requires victim **interaction**
- If it does, are you able to bypass any security controls?
- Explain if the bug **affect single or multiple users**
- Can you **chain multiple bugs** to **increase their impact**? (Impact is linked to bug rewards and points)

3. Explain the bug’s criticality
   • Do not submit bugs lower that a P3 priority, especially not Won’t fix bugs (It affect your average vulnerability severity score. P3 and higher bugs increase your chance of being selected for private programs)
   • Utilize the Bugcrowd vulnerability rating taxonomy
4. Understand the application
   • Research the app
   • Ask questions: [email protected]
   • Cross-reference functions on mobile and Web platforms
   • Ensure, before submitting your vulnerability, that nothing was overlooked: is your bug a false positive? Is it a known functionality?
5. Plan for private programs
   • Schedule time to work on the program as soon as published
6. Plan for blacklisting
   • Segregate your public IP from bug bunty hunting activities
     • Use a VPN or proxy
     • Change your router’s MAC address (it forces some ISPs to issue a new public IP address)
7. Bug bounty is not Penetration testing
   • Bug bounty programs are interested in different vulnerabilities
   • Different rules
   • Different methodology

Part-time hunt tips #

• Prefer wide scopes (*.example.com)
  • Bonus if Acquisitions/Mergers are in scope
• Assume automatic scanning was already used
  • Assume low hanging fruit vulnerabilities discoverable with scanners were already found (by the program or other researchers)
• Recon, recon, recon: Save time by starting with effective target reconnaissance
  • Subdomain brute forcing
  • port scanning
  • Google dorking
  • censys.io/shodan.io
• Think outside of the box for new, emergent and complicated threat factors
  • Methods to exploit
  • Emerging threats
  • Vulnerability chaining
  • Use recently discovered vulnerabilities: ImageTragick exploit, blind XSS with XSS hunter
• Use Burp extensions
  • Reflected Parameters
  • BurpKit
  • Co2 (particularly SQLMapper)
• Use payload lists
  • Polyglots
• Plug into the Bug Bounty community
  • Read
  • Give back
  • Collaborate
• Do mobile recon

Personal mobile recon setup #

• iPhone with Blink Shell
  • Blink Shell is an ssh & mosh client for iOS that doesn’t require JailBreak. It allows roaming and supports intermittent connectivity (perfect for mobiles)
• RaspberryPi with DietPi
  • DietPi is a lightweight Debian OS for RaspberryPi
• Enable SSH
• Install MOSH (jump box)
  • MOSH is similar to SSH as a remote terminal application
• Configure port forwarding from your public IP to your internal DietPi IP
  • Public TCP port 22 to Private TCP port 22
  • Public UDP port 60000-60010 ro Private UDP port 60000-60010
  • => to be able to access internal machines when outside the house
• Use a Dynamic DNS service or domain name to point to your public IP
  • Caleb had a GoDaddy domain and used a script + cron job to interact with GoDaddy’s API
• Use the DietPi jumpbox to SSH into boxes on your internal network based on need
• Use tmux to multiplex and keep track virtual consoles
• Kali Linux on Raspberry Pi / Other machines

How hunting makes you a better tester #

• Understand what is important to system owners and the industry
• More attuned to emergent security trends
• Challenge myself for more techical exploits
• Less dependent on automation
• Find bugs faster
• Write better reports
• Experience in diverse applications
• Involved in researcher community

Personal recon Script #

• https://github.com/reconned/domained
  • Old name:PyBrute & Old repo: https://github.com/OrOneEqualsOne/reconned
  • Wrapper around tools like Sublist3r, Domain, Knock, EyeWitness…

Bug bounty resources #

Books #

• Web Application Hacker’s Handbook
• Web Hacking 101
• Breaking into Information SecurityLearning the Ropes 101 (Free)
• OWASP Testing Guide

Payload lists #

• Daniel Miessler’s SecLists
• 1N3’s IntruderPayloads
• LevelUp All.txt Subdomain List All.txt Subdomain listby Jason Haddix)
• All.txt Subdomain list by Jason Haddix)

Criticality #

• Bugcrowd’s Vulnerability Rating Taxonomy (VRT)
• CVSS

Bounty Reports / Write-ups / Blogs #

• HackerOne Hacktivity
• Various blog posts
  • Detectify Labs
  • zseano’s blog
  • zerosec
  • BruteLogic

Communities / News / Trends #

• Bug Bounty Forum
• Bug Bounty World
• Bugcrowd blog
• HackerOne blog
• HackerOne’s ZeroDaily
• Twitter
• Reddit’s r/netsec
• AppSec Ezine

Test Applications #

• OWASP BWA
• OWASP Juice Shop
• Google Gruyere
• CTFs
  • CTF Time

Tools #

• Online recon
  • Archive.org Wayback Machine
  • Censys
  • Shodan
• Sublist3r
• enumall
• Knock
• Subbrute
• massdns
• EyeWitness
• Wfuzz
• XSS Hunter
• Sleepy Puppy
• Mobile testing
  • Mobile Security Wiki
  • iOS Security Wiki
  • droidsec

Miscellaneous #

• Using Burp to test for the OWASP top ten
• Bug bounty resources/references
  • https://github.com/djadmin/awesome-bug-bounty
  • https://github.com/ngalongc/bug-bounty-reference
• SecTalks
• HTML5 Security Cheatsheet
• Bug Bounty Forum Resources & Tools

If you have any questions or suggestions, please leave a comment at the bottom of this page, a tweet or a message via our [contact page]({{ site.url }}{{ site.baseurl }}/contact.html). See you next time!