This is How to Shot Web: better web hacking and mobile hacking in 2015. I know Dan Kaminsky is talking right now, so I really appreciate everyone being here. He's way smarter than me. This is me. I work for Bugcrowd. I'm the director of technical operations. I manage a team of hackers who validate the bugs behind the scenes of a large-scale bug bounty program. In 2014, I participated only as a researcher; I didn't work for them yet. And this talk is about the methodology I used there to do web hacking, as well as a little bit of mobile stuff, as well as stuff I learned from other researchers while doing this work. So what is this really about? It's just how to hack stuff better and practically. And I put in a lot of memes, and some of them are not funny, apparently, my wife says. So it's okay. So more specifically, what I did is I started off with my methodology, which was a normal pen tester methodology when I started doing this work, a basic web application assessment. And then I went out and manually parsed out all of the public research of all the badass bug bounty hunters I knew. So there's about 150 people that I knew just around the Twitter scene... sorry, the Twitter scene as well as people I just knew who were good at it, right? And so I went through every single article they had ever written from the beginning of the crowdsourced bug bounty scene, and also all of the Google and Facebook programs that I could find, like enterprise-based bug bounty stuff. And I created a presentation around the knowledge I distilled from that. So this is the kind of stuff that I'm going to bring in this presentation: philosophy shifts from traditional web app testing to bug bounty testing, discovery techniques, mapping methodology, parameters often attacked, useful fuzz strings, bypass or filter evasion techniques, and some tooling that I think is cooler than other tooling. Cool. So the first section is philosophy.
So, the differences between bug bounty hunting and being a web pen tester. You know, I'm not really here to argue this debate. There's a lot of people who feel strongly about both sides, and they're both right, honestly. But when you get down to the practical work, you introduce a lot of stuff here. You introduce time onto a security tester, right? They're not used to competition when they're doing this kind of stuff, unless you're playing in a CTF, which, you know, you're used to that. I played in some CTFs, so I was kind of used to it. You know, you're only incentivized on one side, for what you find and not the hours you put in. So I mean, this is a basic overview of how they differ, but the talk's more about the technical stuff. But yeah, you basically tailor your methodology around finding stuff in the 20% as opposed to the 80% across an application assessment. So we'll go into how that 80-20 rule fits into the rest of the slides. So if you're doing a regular web app assessment, you're following these two Bibles, right? The OWASP Testing Guide or The Web Application Hacker's Handbook. This is usually what you're trained from and what your internal methodologies are built off of at almost any of the good consultancies. And the authors are, you know, super great testers, right? But these take you from A to Z. And, you know, even though they find good bugs, they take a long time to complete at their full scale. So bug bounties are different. So if you want to do web hacking, you want to get started, these are what you go for. But my talk is a little bit different. So let's talk about discovery in a web application assessment for a bounty. So what you want to do in a bug bounty is basically find the road less traveled. And this is if you're aiming to get paid, I think. So you can attack the flagship application that the company has, right? But really, that's not where the vulnerabilities are going to be most of the time.
That application has been tested by a pentest team. It's probably had a bug bounty on it for a long time. What you really want to find is the parts of the applications that are like subdomains, or maybe obscure web servers on different ports. You want to find acquisitions that maybe the company has had recently that came in from a different development team, and they might have a whole slew of problems that came from a whole different group. You want to look at functionality changes and redesigns on sites, and mobile websites, because they're set to render differently on your phone, and also new mobile app versions when you're testing. So we're going to go into some tools and stuff I use to find new surface area for you to attack. So Recon-ng is this tool that basically allows you to do a whole bunch of automated OSINT stuff. And one part of it is it has all these modules to do subdomain brute forcing and subdomain discovery. Now subdomain discovery is a big part of finding applications that have been left out there. I mean, marketing spins up a site, dev spins up a test site, like you have integration stuff left up. So finding those and hacking those and getting RCE or code execution through those sites is kind of where you can get big payouts. So what this script does is it iteratively scrapes Google for all subdomains on a given web property. So let's say acme.com. This will scrape Google for everything that is in acme.com and then iteratively remove those results until you're down to this long list of subdomains. It also scrapes Bing, Baidu, Netcraft, and brute forces subdomains like your common fierce tool would. So this is on GitHub. It's a simple shell wrapper around Recon-ng. So you need to have Recon-ng installed. If you use Kali Linux, you can just pop the script in and go. So this is the output of something like that against a company like this. You can see there's a lot of output.
Probably a lot of domains here that have gone under-assessed as far as you go. So this is that idea of iterating through Google to find subdomains. So here you have site: and then minus www sites. And then what I found on the first hit was sandbox, so I removed that on the next run through. And this is that scraping that's happening, that the tool is doing. And then you get more entries floating to the top. So you get credit apply or business or shopping or advertising. And you just keep on removing these until you have all of them. And then you brute force, and then you end up with a huge list of sites to assess. And then you want to go through, on your, you know, on the entity that you're attacking, you want to find any, you know, mergers or acquisitions that maybe aren't the domain that you're given, right? But they've just purchased a company, right? So Oculus, you know, purchased by Facebook, had some bugs, and they got popped as soon as they were acquired, and they were not under the Facebook, like, six-month rule, or I don't know if it's six months, or I can't remember how long, but yeah, they got popped immediately, right? And that was a whole different dev team, but owned by Facebook and worthy of an RCE bug. They got hit with SQL injection in a custom header, and that was great. So, well, not great, but it was good for the bounty hunter. So, yeah. So Wikipedia for Facebook and Google does this really well. People update these things all the time when there's an acquisition, for like stock reasons, right? So keep an eye on these if your company has, you know, purchased something else and they have some new domain, and it might not be in the bug bounty brief yet. You can go after this if you're doing those types of bounties. There's also a repository of links of every kind of vuln that's come out on Facebook and PayPal and Google. People like to share this information. This one is hosted on Facebook. I have no idea why.
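The iterative search-and-exclude loop described above, as an added example that is not the speaker's Recon-ng wrapper. The search engine is replaced by a constructed in-memory index so it runs offline; the query string mirrors the site: / -site: operators the talk describes, and acme.com is the placeholder domain from the talk.

```python
"""Iterative search-engine subdomain discovery (added example).

The real technique scrapes a search engine; here `fake_search` stands in
for it with a constructed index so the loop can run offline.
"""
from urllib.parse import urlsplit

# Constructed stand-in for a search engine's index of acme.com URLs.
FAKE_INDEX = [
    "https://www.acme.com/",
    "https://www.acme.com/about",
    "https://sandbox.acme.com/login",
    "https://creditapply.acme.com/",
    "https://business.acme.com/portal",
    "https://shopping.acme.com/cart",
    "https://advertising.acme.com/",
    "https://dev.staging.acme.com/health",
    "https://notacme.com/acme.com",   # different domain: must never match
]

PAGE_SIZE = 2  # engines only surface a few results per query; mimic that


def fake_search(query):
    """Evaluate 'site:<domain> -site:<host> ...' against FAKE_INDEX.

    Only the two operators the iterative technique needs are implemented.
    """
    domain, excluded = None, set()
    for term in query.split():
        if term.startswith("site:"):
            domain = term[len("site:"):]
        elif term.startswith("-site:"):
            excluded.add(term[len("-site:"):])
    hits = []
    for url in FAKE_INDEX:
        host = urlsplit(url).hostname
        if host == domain or host.endswith("." + domain):
            if host not in excluded:
                hits.append(url)
    return hits[:PAGE_SIZE]


def discover_subdomains(domain, search=fake_search, max_rounds=50):
    """Re-query, excluding every host seen so far, until nothing new floats
    to the top. Returns the sorted list of discovered hostnames."""
    seen = set()
    for _ in range(max_rounds):
        query = f"site:{domain} " + " ".join(f"-site:{h}" for h in sorted(seen))
        new_hosts = {urlsplit(u).hostname for u in search(query)} - seen
        if not new_hosts:
            break  # the engine has nothing left that is not already excluded
        seen |= new_hosts
    return sorted(seen)


if __name__ == "__main__":
    for host in discover_subdomains("acme.com"):
        print(host)
```

Against a real engine the same loop hits rate limits and result caps, which is why the talk's script also pulls from Bing, Baidu and Netcraft and then brute forces.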
The links are in there, and the slides have everything hyperlinked, so you can go check it out. But these are all the blog articles that reference bugs here. Now, why is this important if somebody else has already found these bugs? Because bugs get represented across the domain in different places. So you can tell a lot about an organization once you read these articles and find the same bug in other locations, like the subdomains you found, maybe rogue web servers and things like that. It also kind of tells you what they're going to do to fix them, like how they filtered out input. You get a lot of intel around the application. So really, doing a lot of research on your target can't hurt. But it's not the fast stuff. So port scanning. I mentioned port scanning. So port scanning is not just for netpen. So yeah, I mean, "How I Hacked Facebook", there was an article by Ryan Dewhurst who was like, I started up port scanning and found some weird server, which was a Jenkins script console with no auth. And that was it. He got in. Simple as that. Like $8,000 or something like that. Or even more, I don't remember. So asp.net, the Microsoft domain that evangelizes .NET, had RDP open to the world with MS12-020 on it. Vulnerable. And so that was a thing. So yeah, just go ahead and use a simple nmap syntax to start port scanning all of your sites and make sure you check all those services. This syntax will port scan for all ports on a domain as well as pull out any HTTP server titles and display those in the output. It's a SYN scan and OS fingerprint and stuff like that too. So mapping. So you found all of these new servers, right? Like maybe subdomains, or maybe you found an acquisition or something like that, and now you want to move into mapping an individual application. And taking notes is really important when you're doing this, whether you're doing it inside of like a notepad or just using pen and paper or like Evernote. I use Evernote.
All my bugs are templatized, so when I find them I can just copy and paste into the disclosure email or whatever like that. So these are some mapping tips that I use right away. So Google is actually your friend, right? You can get a lot of parameter information from just Googling a domain and figuring out what happens there. I know there's some like parameter parsing scripts. I couldn't find a really good one for this presentation. But, you know, they'll just parse parameters out of the Google cache stuff. But really the next big thing is directory brute forcing, right? Finding unlinked content. Content that's not supposed to be there. So a lot of people use like DirBuster or Content Discovery in Burp for this kind of thing. And that's good. They're good lists. But those lists were created by going out and spidering the internet and finding every path after the top-level domain and then prioritizing them. There's some other lists that are better for this type of work. So the RAFT lists are these lists that came out of a talk maybe four or five years ago. RAFT was an application proxy. It was a decent one, but it's since been discontinued. But its lists for directory brute forcing have lived on. They are a spider of the internet's robots.txt files. So everything that everybody doesn't want you to see is in this directory brute forcing list. So it's super sick. I can't tell you how many bugs I found just using this list. Like config files, badly configured Git stuff. It's just all over the place. SVNDigger is another list like this. They went out and spidered all the SVN projects. So if your site or your target is an open source place, you can take all the paths that have been converted for you to directory brute force to get better application coverage or find config files. GitDigger is the same thing for Git.
So after you do some unlinked content discovery or directory brute forcing, whatever you want to call it, you move on to try and identify your platform. So there's just some really simple wins here. Wappalyzer and BuiltWith are Chrome extensions that you can just click, and they will give you pretty much the whole stack by looking at the headers, the comments in the pages, the way they render, like analytics things that have been integrated, and they'll just give you the whole server stack. And they'll even give you version numbers if they can identify them. So Wappalyzer and BuiltWith are super sick. Retire.js is one of my new favorites. It will profile all of the server-side JavaScript libraries and tell you if they're out of date, as well as give you all the vulnerabilities that your vulnerable version has before that patch. So you'll get a list of prioritized cross-site scripting or whatever is in jQuery at the time, right? And then once you identify all of these servers and version numbers, you just go check for CVEs and server-side stuff. So that's pretty standard, that's web stuff. But these are some good tools. Now if you happen to come across a CMS, which is like the pentester's training because those things suck and the plug-ins suck, you want to use these two tools. WPScan for WordPress, a lot of people use this already. It will identify all plug-ins and users for a WordPress install, as well as look up any vulns that are associated with those plug-ins that have been disclosed. And then CMSmap for Drupal and, what is the other CMS? Drupal and Joomla, there you go, thank you. Awesome. So those are the two that have really yielded any value for me across CMSs. So here you see a screenshot of WPScan. And it's, you know, found a version of a plug-in or a theme that already has like cross-site scripting or a file upload vulnerability in it. Sometimes there's false positives, honestly. For what this script does, it provides so much value, so it's great.
So directory brute forcing, we talked about it a little bit earlier. I mean, the workflow for this, a lot of people do, but I just put the slide in here because I see a lot of people do it a little bit weird. I see people brute force off the top-level path a lot and then just stop, right? And so they'll get some errors and they don't know what to do with them. So they'll go to acme.com and get a 200. And then they'll go to backlog and they'll get a 404, and they'll get more 404s and more 404s, and, you know, there's nothing there. But then they'll hit like control panel and see a 401. And then they'll be like, why can't I do anything? I'm not authorized, right? So they don't brute force after control panel. There's so many, like, messed-up access control on web server bugs that you can exploit. If you just brute force after that, you'll probably find something. So I just see this a lot, where people stop after the top-level domain when they're doing directory, you know, enumeration. So that's kind of the workflow you're doing there. Some other things that you can do are mapping and vulnerability discovery using open source intelligence. So these are one, two, three, four, five sites, six methods that you can use to find already published bugs, or almost already public bugs. I mean, I guess they're considered like n-day or whatever. But xss.com, reddit, xss, PunkSpider is actually a Burp engine that just scans the internet. So if your target is a high-profile site, information might already be in here for your test. And you can pull it out and use it to your advantage, even if those bugs have already been disclosed. And I've found bugs that were on here but not disclosed to the customer through the bounty. So that's actually worked before. It was like a super easy win. They help you get a feeling for what the company has faced before as far as issues, like prevalent cross-site scripting, cross-site request forgery, you know, file uploads.
And then you can do regression testing on all the domains that you found earlier in the presentation. So, yeah, go out and use these resources to try to find bugs in the platform as quickly as possible, because they're free and they're already out there. And the customer should know about them anyway. It's the responsible thing to do. Okay, so this is my intern Ben. He's never spoken before at DEF CON. Neither have I, actually. This is my first DEF CON speaking. But he did an awesome project and he's going to talk about it for a couple seconds. I really like it, so.

So, hello everyone. My name is Ben. Like Jason mentioned, I'm an intern at Bugcrowd on Jason's team. For the past couple of months, we actually gathered a bunch of JSON files that include all the metadata for each bug bounty program that's out there. So there's 250-plus bounty programs that are included in this project, and they all include information like how much a minimum bounty is, how much a maximum is, what mobile apps are included, what web apps are included, and what's not included in the scope of the program as well. And we actually used all this data and fed it into different scripts, like you can see on the screen. We fed it into knock and it just went through every single one of those programs and brute-forced them for subdomains. And this is also available on a GitHub account, and everyone can go and use it if they want to. So the JSON files look similar to this. This is Yahoo's program a couple months ago. If they've updated it, we don't know. But what we have is a DNS record that shows that yahoo.com itself and all subdomains of it, and Flickr and all subdomains of Flickr, are included in the scope, as well as all their mobile apps that are included in the scope as well. And as you can see at the bottom, there are two subdomains, two domains, which is yahoo.net and its subdomains, and yahoo.net itself, not being included in the scope of the program.
So, what we ended up doing with this, using Ruby, we wrote a script, we fed it every single one of those JSON files and we crawled them. And using grep, we, for a sample, for this one, we grepped "redirect", and you can see there was a... we couldn't disclose a domain, but there's a bunch of sites out there that have a redirect that you can easily report, take them out and report to the vendor. Taking it further, we, same idea, took all the JSON files and we fed that into Intrigue, which is an API framework for intelligence gathering. And it does a bunch of tasks that you can see on the right, left side of the screen. It includes doing subdomain brute force, web spider, nmap, and you name it, we can do it with Intrigue. So also Intrigue is available on GitHub as well. It's open sourced. Go ahead and fork it and commit to it if you need to. What we ended up doing for Intrigue is we parsed every single JSON file with the help of Ruby, and as you can see at the line where it says R, we are taking the task, which is called DNS brute sub, which is a subdomain brute forcer, and we need to give it an entity and then options that are all included in the manual, and we are running that for a JSON file, which at the bottom shows it's being assigned an ID that you can just go to on your localhost and check it out and see what Intrigue has found. So for example, we did intrigue.io, and for DNS brute force you can see all those subdomains that are out there that Intrigue found, with their IP addresses as well. And make sure you guys check it out. Like I said, it's online and you guys could... the possibilities are infinite. You can do whatever you can think of out there with those, and being a bug bounty hunter, I think it's a huge tool for everybody out there.

Yeah, that's a sick tool and a sick framework, both mapping and recon-wise. Like, I mean, if you've used FOCA and Maltego and everything like that, it's like an open source version of those licensed tools.
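A scope check over a program record like the Yahoo one Ben describes (in-scope DNS entries with subdomains, an out-of-scope domain, mobile apps), as an added example that is not Ben's or Bugcrowd's code. The JSON keys below are an assumption made for this example; the talk shows the entry but not its exact schema.

```python
"""Scope filter for a bug bounty program description (added example).

The schema (program / in_scope / out_of_scope / type / target / subdomains)
is assumed for this example. Only the facts come from the talk: yahoo.com
and flickr.com with all subdomains are in scope, yahoo.net is not.
"""
import json

# Constructed record modelled on the Yahoo entry shown in the talk.
PROGRAM_JSON = """
{
  "program": "Yahoo (constructed example record)",
  "in_scope": [
    {"type": "dns", "target": "yahoo.com", "subdomains": true},
    {"type": "dns", "target": "flickr.com", "subdomains": true},
    {"type": "mobile", "target": "example-mobile-app-id"}
  ],
  "out_of_scope": [
    {"type": "dns", "target": "yahoo.net", "subdomains": true}
  ]
}
"""


def _dns_match(entry, host):
    """True when a 'dns' scope entry covers host (exact, or subdomain when
    the entry allows subdomains). Non-DNS entries never match a hostname."""
    if entry.get("type") != "dns":
        return False
    target = entry["target"].lower()
    if host == target:
        return True
    return bool(entry.get("subdomains")) and host.endswith("." + target)


def scope_of(program, host):
    """Return 'out', 'in' or 'unlisted' for a hostname.

    An explicit out-of-scope entry wins over any in-scope entry, so an
    excluded subdomain of an included domain is still 'out'.
    """
    host = host.strip().lower().rstrip(".")
    if any(_dns_match(e, host) for e in program.get("out_of_scope", [])):
        return "out"
    if any(_dns_match(e, host) for e in program.get("in_scope", [])):
        return "in"
    return "unlisted"


def filter_in_scope(program, hosts):
    """Keep only the hosts a tester may touch; 'out' and 'unlisted' are
    both dropped, since unlisted assets need the program owner's word."""
    return [h for h in hosts if scope_of(program, h) == "in"]


PROGRAM = json.loads(PROGRAM_JSON)

if __name__ == "__main__":
    # Constructed hostnames, e.g. output of a subdomain brute force run.
    found = ["mail.yahoo.com", "yahoo.net", "cdn.yahoo.net", "www.flickr.com", "example.org"]
    print(filter_in_scope(PROGRAM, found))
```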
I love both those tools, by the way, just saying. Like, use both if you can, but Intrigue is going to be sick. You guys should check it out. Okay, so on to auth and session. I'm going to have to blow through some of this because this presentation is long, and there's a ton of stuff in here. So auth-related bugs. The one thing I want to say about these, right, these are low, shallow bugs that everybody hates people to report in bug bounties. The problem is, if people start not paying attention to them, you can't chain them to do bigger things, right? So we've had multiple bugs, or I've had multiple bugs, where we've had a couple small issues, like with password resets or, you know, something like that, and then we've chained them to make, like, critical account takeover bugs. So these are really important, but these are the kind of bugs that a lot of people see in, like, the hashtag "beg bounty" instead of bug bounty. You know, people really don't like them. Don't discount them, just note them, and if you don't want to, if they're out of scope, don't do anything with them, but you might be able to use them later. That's all I really have to say about some of these. So session, kind of the same things, right? So failure to invalidate old cookies, like new cookies on login, or no new cookies on login, and timeout never, and cookie length. Like, these are all things you're going to be able to use later when you need to chain bugs, but a lot of times they're out of scope. So either out of scope or unappreciated or duped or something like that. But yeah, you should keep them in mind when you continue testing, because they can be chained into bigger issues. So the big part of this one is actually tactical fuzzing. So I go through a couple different injection types or, you know, vulnerability types here, and so we're going to talk about cross-site scripting and some research that some really cool people have done. So the core idea of cross-site scripting, right: does the page
functionality display something to the users? Like, you know, that's kind of the question I ask myself, you know, can I get reflection somehow with JavaScript? And so you can do manual testing, which is great, right, and you enter in your meta characters and see, you know, if they return. But really, when I'm trying to work fast in a bug bounty, I have three or four, like, magic strings that I use. And so you've probably used them before. The technical definition for them is polyglot payloads. These are web polyglot payloads. And so the first one you'll probably recognize. This one is RSnake's. They used to call it the RSnake battering ram, or that's what, when I worked in pentests, they used to call it. It came out of the XSS cheat sheet. You've probably used this before. You put it into the search bar, comment field, and then you pray that you get cross-site scripting, right? So this is the first one. This is actually a multi-context, filter-bypass-based polyglot web payload. That's a mouthful, I know, but basically it's designed to evade filters. It's able to execute in different web contexts, and it's really cool. So I have three of these strings that I cite here that, if you're just doing bug bounty hunting, you can use and just kind of move along on your critical functions in the site. So this one is from a researcher named Ashar Javed. He does cross-site scripting research. I think he did his PhD in cross-site scripting, which to me, like, blows my mind. So this is a multi-context, filter-bypass-based polyglot as well. So you can see here that he's trying to mark up in a whole bunch of different contexts. He's got, like, an at sign here to trick, like, email filters, or, you know, maybe a form only takes emails or something like that. So he actually ran this along, like, the Alexa top 100, and like 80% of them were vulnerable, just their search parameters, with this string. So, you know, more ammo for you guys doing bug bounties. This one is one by Mathias Karlsson, and is he
here right now? Is Mathias here? Hey, there he is. He's awesome. So he did a whole presentation on this idea, multi or polyglot payloads in websites. So this is his multi-context polyglot payload, and so this is one that I use now, so thank you. Other XSS observations, when I started parsing bug bounty work as well as getting bugs myself. So finding input vectors is important. So finding customizable themes or profiles that use CSS, but then you can trick them into using JavaScript to execute cross-site scripting. A lot of names of, like, events or meetings in any application that deals with those types of things. URI-based XSS is still a big thing, when people pull things from the URI and render it for some reason. Importing from a third party, so things like Facebook integration, where there may be filtering of characters, but your site actually displays Facebook data inline, so you can set your name on Facebook to script alert and it will alert on this site. JSON POST values that don't return the correct content types. A lot of people discount web services right away because they think that the content type won't execute cross-site scripting, or won't execute JavaScript, and so you have to really check and make sure they're returning the content type, otherwise you can get reflected XSS in a lot of web services like that. File upload names: when you're uploading a file, just try to change it to script alert or whatever like that. It's going to echo that file name back, usually, in a lot of places. Uploaded files themselves, this is a huge one actually, that's all over the place. So a compiled SWF file or an HTML file that's designed to execute its own JavaScript, and you basically attack a file upload. And so a lot of, you know, file upload... there's a whole section here about file uploads, we'll talk about it more in a little bit.
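The content-type observation for web services, as an added example that is not from the talk: a small classifier that takes a response's headers and body after a harmless marker was sent in the request, and rates whether a raw reflection could be rendered as HTML. The responses are constructed for the example.

```python
"""Rate reflected input in web-service responses by Content-Type (added example).

The bug the talk describes: a JSON endpoint echoes input unencoded but answers
with text/html (or no Content-Type), so the browser renders it as a document.
"""
import html

PROBE = "<xssprobe>"  # harmless marker; we only check whether it is echoed back


def classify(headers, body, probe=PROBE):
    """Return a rating for a response to a request that carried `probe`."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if probe not in body:
        if html.escape(probe) in body:
            return "safe: reflected HTML-encoded"
        return "safe: not reflected"
    # From here on the marker came back byte-for-byte.
    if ctype == "text/html":
        return "high: raw reflection served as text/html"
    if ctype == "":
        return "high: raw reflection with no Content-Type (sniffable)"
    if nosniff:
        return f"low: raw reflection in {ctype} with nosniff"
    return f"medium: raw reflection in {ctype}; add X-Content-Type-Options: nosniff"


# Constructed sample responses, each as (headers, body).
SAMPLES = {
    # the case from the talk: a JSON API that answers as HTML
    "api_wrong_ctype": ({"Content-Type": "text/html; charset=utf-8"},
                        '{"query":"<xssprobe>","results":[]}'),
    "api_correct": ({"Content-Type": "application/json",
                     "X-Content-Type-Options": "nosniff"},
                    '{"query":"<xssprobe>","results":[]}'),
    "api_no_nosniff": ({"Content-Type": "application/json"},
                       '{"query":"<xssprobe>","results":[]}'),
    "page_encoded": ({"Content-Type": "text/html"},
                     "<p>No results for &lt;xssprobe&gt;</p>"),
    "no_ctype": ({}, "<xssprobe>"),
}


def assess_all(samples=SAMPLES):
    """Classify every sample; returns {name: rating}."""
    return {name: classify(hdrs, body) for name, (hdrs, body) in samples.items()}


if __name__ == "__main__":
    for name, rating in assess_all().items():
        print(f"{name:16} {rating}")
```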
Custom error pages where they're echoing out what you can't find, put XSS strings in there. Fake parameters, where the page might parse some fake parameter data and put it into your response. And then login and forgot-password forms. Also, SWF parameter XSS is a huge thing as well. I don't think I've ever found a SWF file that I decompiled that hasn't been vulnerable to either cross-site scripting or remote file include. And actually, Dennis here is, like, the guy I ask questions to about that all the time. So yeah, so these things are like JPlayer and, like, all of these, like, COTS software that are SWF files that do, like, media or whatever. So there's a whole OWASP page on the common params that these players use, and then also the injection strings. But for these you have to kind of do more manual analysis. So to do that manual analysis I use this tool called FlashBang, which I think is super awesome. It's by Cure53. You drop a SWF file in it, and on the other end come out all of the parameters that might be vulnerable to cross-site scripting. It decompiles it for you and it displays them, along with whether they're going to execute out of the context of the SWF file. I highly suggest this tool if you're going to do some SWF hacking. It's way better than, like, a lot of the old ones. Cool. So SQL injection. The core idea: does the page look like it might need to call on some stored data? Obviously. This is Mathias's SQLi polyglot, where it will execute in single-quote, double-quote, and straight-into-query context. So I've seen a lot of cross-site scripting polyglots, and remember, these are things that scanners are actually starting to do, right? They don't want to send a million fuzzing payloads to a parameter because you have, like, eight million parameters on a page, so it just takes forever to scan things, right? So Mathias, in his presentation, has this string, and I imagine a lot of fuzzers, web fuzzers and scanners, will start to pick up on this type of thing if they haven't already,
the idea of these multi-context injection strings. So this is awesome as well. So for SQL injection, to kind of go through and fuzz things, I also use this project called the SecLists project, and it's got a whole bunch of fuzzing lists in it. It was a fork of FuzzDB, and then we added to it with, like, username and password lists and all this crazy stuff. Daniel Miessler here actually helped me curate it, and we decided together, and it's invaluable, right? It's got, like, by type of injection, so if you want to just do, like, a login bypass in MySQL, it's got all those strings curated that you would usually use to do SQL injection there. I highly suggest using this, and I just load these into Burp Intruder when I want to attack a form or something like that, some parameter I think is vulnerable. So other observations. So blind is the predominant SQL injection. You hardly ever get error-based SQL injection anymore, and so, like, in those cases you use, like, benchmark strings and stuff to make the page take a long time to load, and that's how you identify it. Whether you take it the whole exploit way is, you know, up to you, right? We have a lot of researchers I know who just want to identify and move on, right? I like to run sqlmap eventually, because it's still king. I mean, there's no other tool that does it as well as sqlmap, and that's actually something I learned doing the research: that everybody used sqlmap at some point. So yeah, some tips for sqlmap. Basically, when you're doing this, you can actually parse a whole Burp log file, so, like, enable Burp to do logging and then parse the whole log file and actually fuzz the whole log file with sqlmap. It takes forever. It's not, like, the greatest way to do things, but it's also offering a lot of coverage. If you're up against some kind of, like, blacklist or something like that, sqlmap has tamper scripts that you can use, which basically encode all of your attacks so that you can
try to evade blacklists, and there's a really good guide on there, it's somewhere on the Bugcrowd forum, on DBMS-specific syntax for sqlmap tamper strings. So if you're going up against MS SQL or MySQL or something like that, there's a simple string you can pass into sqlmap and start fuzzing those parameters and get past blacklists. And then a really fast way to instrument sqlmap is SQLiPy, which is a Burp extension and basically allows you to right-click in any window in Burp and send that request to sqlmap's API running on your local box. So, like, you can just be inside of Burp, right-click, and start fuzzing the parameter if you need to. So some common parameters and injection points, like any ID value, currency values, item number values, sorting parameters. I'm not going to go through all these; they're all on the slide, and eventually this is all going to be on GitHub anyway, so you guys can just grab it and use it in your methodologies if you think it's useful. But these are the kind of places where we saw them, where I saw the most injection, and where, you know, my research parsed out of other places showed me. This is SQLiPy. So right-click on a request, send it to SQLiPy scan, and now Burp renders scanner results in the Target tab, but it doesn't look like this anymore, but you get the idea. So this is my cheat sheet of SQL injection resources when I do SQL injection, broken down by SQL type, and these are cheat sheets that let you know manual syntax based on MySQL. A lot of these, like pentestmonkey's lists, are old, but they're still the best. Like, you have to use these and you have to have them handy when you're doing injection. So there's some really edge-case ones at the bottom, like Access, which, God, who uses Access? That sucks. Ingres, DB2, Informix, like three, and ActiveRecord for Ruby on Rails. So I keep those handy in my Evernote when I'm doing SQL injection testing, and when I see errors or long load times or something like that, I just start, you
know, getting in that mode. So file uploads and file inclusion is the next area. So local file inclusion, the core idea: does it, or can it, interact with the server file system? Liffy is my cool favorite tool for doing this. Obviously you can do it manually. So I have all of my Liffy scripting stuff up on SecLists under fuzzing and Liffy, so you can see here, like, I've tried a whole bunch of blacklist bypass or encoding to try to get common, you know, system files. This is on the SecLists project. Common parameters or injection points for this type of stuff, like, you would think of these, but it's good to have it in the list. So, like, file, location, locale, path, display, load, read, or retrieve. These are the most common parameters that you'll find those in. Malicious file uploads. This is an important and common attack vector. I've been doing this type of testing not only just to upload, like, a SWF file and get XSS off of it, but you can also do pretty cool attacks. One of the ones I like a lot, and it's a DoS basically, is an image that specifies itself to be super large but isn't. So you can upload it, and the server will allocate all of this space for it on disk, but it's actually not that big of a file, and you can DoS the application server using images crafted like that. There was a whole blog on it. And then you can actually... one of the things I think is interesting, I'm not going to go into it too much, but there's a slide about it, is bypassing, like, security zones and storing malware on client servers. So as well as polyglot web payloads, there's also polyglot files, which can execute code in different contexts. Like, you think of a parser reading a file: it basically will look until it finds what it wants and then execute that. So you can create, like, a JAR that is actually an executable. So if I make an executable that is malware, but I upload it to your server because you allow me to upload a JAR, well, is that a vuln? Like, I don't
know. Like, you are technically storing malware on your server for me, right? And I can send the black hats to go retrieve it. But can you do anything about that, right? Are you going to implement a parser to look through the binary data and cut stuff out? I don't think so. That's kind of hard to do. So, interesting question there. It's kind of another road. Dan Crawley did a presentation on it here at DEF CON, and it was super sweet, so you should check that out.

Oh no, technical errors. That came at the perfect time, actually. Oh wow, okay, that's what we're doing? We're doing shots. Okay. So he's a first-time speaker, and actually the little story, I would go ahead, I guess. He mentioned that you were at DEF CON, like, what, DEF CON 16? DEF CON 16, he met someone. I met Julia, my wife, here. He met his wife. Yeah, so, you know, give him a hand, huh? Cheers, cheers. Welcome to the club. Thanks, man. Now back to the show. I mean, if I can deal with the laptop issue. Are these guys doing all right? Should I kick them off the stage, or do you want to keep listening to them? I can go. Keep listening, I guess. I guess you can stay. Okay, can you give me a second till my throat stops burning? Uh, no. Okay, all right, let's see if this works. Sweet.

Okay, so file upload attacks are a thing. I've never seen any better presentation to guide you along the road of file upload attacks than this guy Soroush Dalili's presentation, and if I butcher names, I'm sorry. I love all these guys. They're bug hunters just like me. So about file upload vulnerabilities, and this includes doing new and novel attacks as well as old attacks to get files past blacklists, or, you know, bypassing extension trickery or stuff like that. So I'm trying to give you guys resources as well, like the ones I would use. So I mean, a lot of this actually got, I think, parsed into the new OWASP Testing Guide, most of it at least. So I would check that out too, as an intro to malicious file uploads and getting shells, and, like, web shells
and stuff. So, oh, this is what I talked about, Dan Crawley, and I don't know that guy's real name, but, um, yeah, these are the types of binary files that can execute in different ways. So you can see they have, like, a PDF that's a ZIP that's an MBR, or so, like, you know, interesting research here coming out there. I would like to see, you know, interesting bugs come out of it. So remote file includes and redirects. Common parameters there: destination, continue, redirect, URL, URI, window, next. Common blacklist bypasses: these are all kinds of escaping tricks that you use normally in web stuff, but these are the most common ones I found. These are also in SecLists, in the LFI and RFI fuzz lists that I use often. So for RFI, these are the common parameters: file, folder, path, style, template, yes, yes, yes, yes. So these are where I saw the most bugs, or, you know, other researchers, you know, published data around their RFIs, and so these are kind of the type of parameters you can do. And I think eventually, right, the thing you do here is you write a Burp extension. I haven't yet, right, but one that just, like, automates: any time you see these, it sends it to, like, Logger or something like that, so you can just go test them later. I haven't done it because I just do it with eyeballs, but it's probably the better way to do it, to write an extension to do this work. Okay, so cross-site request forgery. How much time do I have? 10 minutes? Okay, I think I can do it. Okay, so CSRF. Everybody knows about CSRF, right? Like, how do you execute CSRF? You find some function in the website that does something, right, and, what is it, a security-related function, change password or whatever, right? There's a list later of the functions, and then you right-click in Burp and create a proof of concept. That's, like, CSRF nowadays. So what you really have to focus on in bug bounties is CSRF bypasses: customers who have CSRF protections but haven't implemented them enough. So common CSRF bypasses, in my research, you'll see: removing the token from the request
removing the parameter value from the request adding control characters to the parameter value using a second identical CSERF parameter or changing the request method so check this out this tool has gotten no love I don't know why I think it's been out for two years already it's called burpee have any of you used this tool before no good give you something to take away so what burpee does you enable logging in burp and you crawl a site completely that has cross-site request forgery protection in it right like a CSERF token and then you create this template and tell it what the token was what a good result is for getting a page what an error page looks like and this template is actually really easy to edit this is the sample one this has been out for I think two years already I don't understand why people use this super sweet right so then you write this template it's a python script and then you run his python script burpee on your burp log file and it re-request all of those across the whole domain every request that you've ever made in burp re-request with with those first three attacks for CSERF bypass then it produces an html report telling you which ones gave different error messages which ones came out the same and prioritizes CSERF CSERF bypasses for you so he made a lot of money doing this to facebook and twitter because it wasn't a direct burp extension it didn't get a lot of notice I randomly found it on github and I was like sweet this is awesome so this is a part of the html output here's the base request here's the crafted the first crafted request and then the response and then you get a report back saying if they came back the same it diffs them so I highly suggest that tool it's linked in the talk another way to do it is just to check for every request across a whole burp log file that didn't have the token in it the actual parameter so this is another script that does that it's another python script that runs on a burp log file also that went 
undetected kind of a little bit so super sweet I use these all the time and finds bugs with these all the time so CSERF just some common critical functions like add and upload file you know password change email change transfer money your currency delete a file edit your profile things like that so these are commonly where you see CSERF and that rewards big bugs so privilege transport and logic kind of get mashed into a section so privilege you know off and logic kind of get blurred a lot but my testing thing is just you know the you have an administrative user you need a couple of counts to do this and then you have a low privilege user and then you know the low privilege user just tries to directly call functions that are only for an admin right pretty simple but to automate that across multiple functions you might need some tooling and so this is what I use for that it's called autorize this one is available on the burp store and basically you spider a site completely you run through it all of your post requests as an admin user then you go through as a lower user and you give that information to authorize and you run the tool and it tells you which ones the lower user was able to access that the admin user was also able to access and you look through those in your burp output so common functions or views that I check for privilege escalation or anything like that and these can be actually combined with the last two sections is add a user delete a user start projects change account info view customer analytics or like there's a page that tells everything about whatever that site does you want to try that view payment processing view like receipts or any view with any PII on it you want to focus on this is what that looks like authorize browse using a high privilege user login with the low privilege user burp re-request everything and gives you prioritized output cool so insecure direct object references is one of my favorites because I want a bad-ass pair of 
gaming headphones a couple months back so I found a bug in a really cool company and I had to disclose it and I ended up calling them on the phone and their help desk guy was like I have no idea what you're talking about and then I actually linked in spammed everybody at of the IT group of that company and finally someone accepted and I tell them like listen I'm legit I'm not like an asshole I'm not extorting you I just want to tell you this exists because I was buying a pair of headphones already and their astros by the way they're awesome and they fix this bug so yeah and so the receipt function basically was an I door you could just iterate up and down and find other people's receipts with their credit card info on it and they sent me two free pair of headphones and I have one and one goes to Daniel for his birthday but I forgot to bring it I'm sorry but they're sweet headphones I guarantee it they're awesome anyway so I doors five minutes okay cool so increment decrement negative values attempt to perform sensitive function substituting user IDs things like this these are how you test idors these are common functions user files that deal with idors so everything from the CSERF table anything that says UID password or user hashes emails images like that are supposed to be private so you can you can go through the slides and kind of go through this and all this is going to be up on github and if you have questions or whatever so this is a simple I door I don't know why I put a simple I door in here this is deathcon you guys probably knew this you see like this numerical value and you're like oh what happens if I change it and you get someone else's receipt this is exactly what I did to another place this was a disclosed bug that's patch so don't worry about that they had a bug bounty transport you need to enable HTTP everywhere there's this awesome script that will basically take up our blog file again re-request every request in your site tree over HTTP instead 
of HTTPS so you can see what's going over insecure channels instead of having to like you know sort columns and burp and do all this stuff I find this really useful so it'll just try to downgrade everything and then you report like this is a SSL downgrade attack or whatever logic fog logic laws are usually pretty manual the one I see a lot is substituting hash parameters where there's like prices or something like that and they've hashed it and it's irreversible or they've done something to it and it's irreversible or I'm too dumb to reverse it right but just finding another item that's cheaper taking its hash and substituting it and usually at what it's an e-commerce payment or something like that and so doing that is usually yields the product for less money so step manipulation this is like the bread and butter example everybody gives for logic frauds like there's multiple steps like order or put things in cart order check out pay ship so you just skip everything or you like put everything in your cart and then you just ship because you have the you know the whole process and burp and so you just you know skip a process using negative quantities in or using negatives and quantity per value so I've actually had websites pay me credit because I put in a negative negative value on some price thing or your negative quantity right like order number equals one usually I want to buy one thing and I put in like negative 20 and now they've credited my account like a thousand dollars or something like that so application level DOS this is one is kind of interesting right it's not actual DOS right I'm not advocating bug bounty like using a botnet or anything like that but I've seen sites that just can't handle just like parsing a parameter with you know 40 zeros in it or something or me putting in like a math function as a parameter value and the server is like I don't know what to do let me try to process this somehow and it just falls over so those are interesting and 
then timing attacks I think there was a DEF CON talk about timing attacks so you can check that out mobile I'm really running in so data storage is really important check these files for data storage as well as logging this is the best tool to quickly get spun up on iOS it's called IDB it's by Daniel Mayor basically jailbreak your phone install this tool it gives you a full GUI list of the handler of all of the files all of the encryption values if it's using exploit mitigation etc etc etc it's the most functional tool I think it's partly based off a talk I gave a long time ago and he made it in Ruby and it's super sick it's the best way to get into iOS testing if you've never done it before this is a thing about logs we got to go this those other those other phones I repeat them again right like don't discard them like content spoofing referral liquid search security headers path disclosure keep them in your pocket later to escalate if you can use them this is one idea of like you know if I have five or thirty minutes or something like that what can I do so I tried to time myself with the methodology using the stuff in here so in fifteen to thirty minutes I can do most of this using burp in the automation maybe now or like it depends on how motivated I am right so these are like the steps I'd go through I'd register I'd hit the password reset I'd go to all the forms that do security functions I checked the cookie I do like a all right and perform a numeration on any like UIDs I see in the URL I directory brute force using one of the short lists in the background I'd upload a file if it had uploads and within thirty minutes you know or an hour I can usually find some pretty darn good bugs things take with you crowdsourced is different it's the same but different you find like twenty percent of the edge case stuff instead of eighty percent and a lot of stuff goes quick data analysis is cool you could probably do a fifteen to thirty minute web test and done right you 
could get some major volums set lists polyglots are cool and follow all of the bug bounty people on this bug bounty list I put them all into a twitter list for you and you can watch them hack things and talk about their findings also there's a lot of stuff that didn't get put in here there was a lot of data that I didn't get to parse so fifty percent of the data is still unparced someone to put it up on github as a get book I think or maybe just mark down and you guys can contribute to it if you care enough if you just want to take it and use it that's fine stuff to go in there more tooling that I found XXE that's actually meant to say SSRF a bunch of cool SSRF techniques capture bypass more detail on logic flaws and to add android mobile tools that I use often thirteen memes that okay okay attribution and thanks these are bug hunters who did researcher that are these are bug hunters who did things in this presentation all of them are super awesome I respect every single one of them or who made tools and also my team at bug crowd John Taj Ben Ben Grant Fati Patrick Katie Kim Abby Casey Chris and Sam and everybody in the bug community I love you guys I love doing this for a day job so that's it
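The CSRF bypass list in the talk (token removed, token value emptied, control characters in the value, a second identical token parameter, a changed request method) is also a checklist for what a server-side check has to reject. As an added example that is not the speaker's code and not Burpy or any other tool mentioned, here is a Python validator that refuses each of those cases; the request shape (method string plus URL-encoded body), the parameter name csrf_token, and the session-token storage are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qsl

# Only these methods may reach a state-changing handler; the same parameters
# sent over GET must not skip the token check (the "change the request
# method" bypass from the talk).
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_PARAM = "csrf_token"  # assumed parameter name


def issue_token():
    """Per-session token to store server-side and embed in each form."""
    return secrets.token_urlsafe(32)


def validate_csrf(method, body, session_token, param=TOKEN_PARAM):
    """Return (ok, reason) for one request against the session's token.

    Passes only when exactly one token parameter is present, its value is
    non-empty printable ASCII, and it equals the session token in constant
    time. Each early return corresponds to one bypass from the talk.
    """
    if method.upper() not in STATE_CHANGING:
        return False, "method not allowed for state-changing action"
    # keep_blank_values: an emptied "csrf_token=" must be seen, not dropped
    pairs = parse_qsl(body, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == param]
    if not tokens:
        return False, "token missing"
    if len(tokens) > 1:
        # Frameworks that silently take the first or last duplicate are
        # exactly what the "second identical parameter" bypass probes.
        return False, "duplicate token parameter"
    token = tokens[0]
    if token == "":
        return False, "token empty"
    if not (token.isascii() and token.isprintable()):
        # %00, %0a etc. decode to control characters; reject, never strip
        return False, "control characters in token"
    if not hmac.compare_digest(token, session_token):
        return False, "token mismatch"
    return True, "ok"


def demo():
    """Constructed requests: the good case plus each bypass attempt."""
    tok = issue_token()
    cases = {
        "valid": ("POST", f"action=change_email&{TOKEN_PARAM}={tok}"),
        "removed": ("POST", "action=change_email"),
        "emptied": ("POST", f"action=change_email&{TOKEN_PARAM}="),
        "control": ("POST", f"action=change_email&{TOKEN_PARAM}={tok}%0a"),
        "duplicate": ("POST", f"{TOKEN_PARAM}={tok}&{TOKEN_PARAM}={tok}"),
        "method": ("GET", f"action=change_email&{TOKEN_PARAM}={tok}"),
    }
    return {name: validate_csrf(m, b, tok) for name, (m, b) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10} {'PASS' if ok else 'REJECT'}  {reason}")
```

Running it prints one line per case; only "valid" passes, and each rejection names the bypass it blocked.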