Conference notes: How to fail at bug bounty hunting (LevelUp 2017)

Hi, these are the notes I took while watching the “How to fail at bug bounty hunting” talk given by Caleb Kinney at LevelUp 2017.


7 lessons learned from FAILs

  1. Double-check that your submission is in scope
    • Re-read the BBP brief (contains rules of engagement) AFTER you have written your bug report
  2. Explain the vulnerability’s impact to program owners
    • Include a PoC
    • Prioritize vulnerabilities

      P1 Critical: privilege escalation, sensitive data exfiltration, Remote Code Execution
      P2 Severe: vulns that affect the security of the platform
      P3 Moderate: vulns that affect multiple users and require little or no user interaction
      P4 Low: vulns that affect single users and require user interaction
      P5 Informational (Won’t fix): no exploitable vulnerabilities; usually will not be fixed by the program
    • Explain why the BBP should take action and remediate the bug
    • Explain if the bug requires victim interaction
    • If it does, are you able to bypass any security controls?
    • Explain if the bug affects single or multiple users
    • Can you chain multiple bugs to increase their impact? (Impact is linked to bug rewards and points)
  3. Explain the bug’s criticality
    • Do not submit bugs lower than P3 priority, especially not Won’t fix bugs (they lower your average vulnerability severity score; P3 and higher bugs increase your chance of being selected for private programs)
    • Utilize the Bugcrowd vulnerability rating taxonomy
  4. Understand the application
    • Research the app
    • Ask questions: [email protected]
    • Cross-reference functions on mobile and Web platforms
    • Ensure, before submitting your vulnerability, that nothing was overlooked: is your bug a false positive? Is it a known functionality?
  5. Plan for private programs
    • Schedule time to work on the program as soon as published
  6. Plan for blacklisting
    • Segregate your public IP from bug bounty hunting activities
      • Use a VPN or proxy
      • Change your router’s MAC address (it forces some ISPs to issue a new public IP address)
  7. Bug bounty is not Penetration testing
    • Bug bounty programs are interested in different vulnerabilities
    • Different rules
    • Different methodology

Part-time hunt tips

  • Prefer wide scopes (*.example.com)
    • Bonus if Acquisitions/Mergers are in scope
  • Assume automatic scanning was already used
    • Assume low hanging fruit vulnerabilities discoverable with scanners were already found (by the program or other researchers)
  • Recon, recon, recon: Save time by starting with effective target reconnaissance
  • Think outside of the box for new, emergent and complicated threat factors
    • Methods to exploit
    • Emerging threats
    • Vulnerability chaining
    • Use recently discovered vulnerabilities: ImageTragick exploit, blind XSS with XSS hunter
  • Use Burp extensions
  • Use payload lists
    • Polyglots
  • Plug into the Bug Bounty community
    • Read
    • Give back
    • Collaborate
  • Do mobile recon

Personal mobile recon setup

  • iPhone with Blink Shell
    • Blink Shell is an ssh & mosh client for iOS that doesn’t require JailBreak. It allows roaming and supports intermittent connectivity (perfect for mobiles)
  • RaspberryPi with DietPi
    • DietPi is a lightweight Debian OS for RaspberryPi
  • Enable SSH
  • Install MOSH (jump box)
    • MOSH is similar to SSH as a remote terminal application
  • Configure port forwarding from your public IP to your internal DietPi IP
    • Public TCP port 22 to Private TCP port 22
    • Public UDP ports 60000-60010 to Private UDP ports 60000-60010
    • => to be able to access internal machines when outside the house
  • Use a Dynamic DNS service or domain name to point to your public IP
    • Caleb had a GoDaddy domain and used a script + cron job to interact with GoDaddy’s API
  • Use the DietPi jumpbox to SSH into boxes on your internal network based on need
  • Use tmux to multiplex and keep track of virtual consoles
  • Kali Linux on Raspberry Pi / Other machines
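The dynamic DNS step above, as an added shell example (not Caleb's script): it assumes GoDaddy's v1 REST API for the record update, and the domain, host name, IP-echo service and file paths are placeholders. The point is that it validates the looked-up address before publishing it and reads the API credentials from the environment rather than embedding them.

```shell
#!/bin/sh
# Added example (not Caleb's script): keep the jump box's DNS name pointed at the
# home public IP from a cron job. Assumes the GoDaddy v1 REST API
# (PUT /v1/domains/<domain>/records/A/<host>, "Authorization: sso-key KEY:SECRET");
# domain, host name, IP-echo service and state file are placeholders.
DDNS_DOMAIN="${DDNS_DOMAIN:-example.com}"
DDNS_HOST="${DDNS_HOST:-jumpbox}"
DDNS_STATE="${DDNS_STATE:-$HOME/.ddns-last-ip}"

# Accept only a dotted-quad IPv4 address, so a garbled or tampered "what is my
# IP" response can never be written into the public DNS record.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest="$1."
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        rest=${rest#*.}
    done
}

# 0 = publish, 1 = unchanged (skip the API call), 2 = refuse: input is not an IP.
needs_update() {
    valid_ipv4 "$1" || return 2
    [ "$1" != "$2" ] || return 1
}

# Replace the A record; credentials come from the environment, never the script.
push_record() {
    curl -fsS -X PUT \
        -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
        -H "Content-Type: application/json" \
        --data "[{\"data\":\"$1\",\"ttl\":600}]" \
        "https://api.godaddy.com/v1/domains/${DDNS_DOMAIN}/records/A/${DDNS_HOST}"
}

ddns_main() {
    # api.ipify.org is a constructed choice of IP-echo service; any plain-text one works
    ip=$(curl -fsS --max-time 10 https://api.ipify.org) || { echo "no public IP" >&2; return 1; }
    last=$(cat "$DDNS_STATE" 2>/dev/null || true)
    rc=0; needs_update "$ip" "$last" || rc=$?
    case $rc in
        0) push_record "$ip" && echo "$ip" > "$DDNS_STATE" ;;
        1) ;;
        *) echo "refusing to publish '$ip'" >&2; return 1 ;;
    esac
}

# cron entry (every 5 min): */5 * * * * GODADDY_KEY=... GODADDY_SECRET=... /path/ddns.sh run
if [ "${1:-}" = "run" ]; then ddns_main; fi
```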

How hunting makes you a better tester

  • Understand what is important to system owners and the industry
  • More attuned to emergent security trends
  • Challenge myself for more technical exploits
  • Less dependent on automation
  • Find bugs faster
  • Write better reports
  • Experience in diverse applications
  • Involved in researcher community

Personal recon Script

Bug bounty resources

Books

Payload lists

Criticality

Bounty Reports / Write-ups / Blogs

Test Applications

Tools

Miscellaneous


If you have any questions or suggestions, please leave a comment at the bottom of this page, a tweet or a message via our contact page. See you next time!

