Let's talk about bug hunting
Posted on 09-Jan-2017
Hacking a large enterprise
#securitymeetup
When a big brick wall becomes a wooden fence, or how to get 1kk on the Bug Bounty
#:whoami?
- Known as isox
- Web penetration tester
- QIWI CISO
- Member of hall-of-fames (Yandex, Mail.ru, Apple, and so on)
- JBFC participant ^___^
Hungry nomads
- Disparate groups
- Attacking every tower they see
- Using the same techniques and weapons
- Really meticulous
- Clever and creative
- You and I
Castle with gold
- Ready to pay tribute for every successful attack
- Has an enormous territory surrounding it
- Provides protection for its citizens
- Takes care of its borders
- Makes friends with its neighbors
Looking at the frontend
- Huge strong (fire)walls
- Musketeers and howitzers
- Moat with crocodiles
- Perfect citizenship control at the gate
- Flawless architecture
Gentlemen, what are we waiting for?
Common assault
- 10 days for one embossed brick
- Noticed that the walls are really pregnable
- 100 gold coins of income
- Got tired and went home
I worked using Burp Suite with plugins for a week.
Why so bad?
- Most of us took our weapons from the same blacksmith
- Studied martial arts in the same academy
- There are very few unique attack techniques
- Unless you are a black (magic) fan or can do a dozen PP tricks
- All the easy ways have already been found
Just stats for one day and one vector
Let's dot the i's and cross the t's
- We are not doing security research
- We are working for ourselves
- We came here to hack 'em for money
- We are legal whitehats
Bad advice 1
Illusion of good network aggregation
- It does not really matter where this RCE or SQLi will be
- Common case: an injection in an aux DB leads to main DB takeover through a datalink
- Do you really believe writing "don't hack these domains" will stop anybody?
- Hack everything you can find in the target AS
Sometimes like this
Or like that
Or even like "I just hacked this IP"
Bad advice 2
Rabbits are not only puff
- $50 is $50
- "I'm too cool for clickjacking, self-XSS, bad crossdomain.xml, POODLE, bad CSP": forget about it
- If it is a security issue, report it
- Availability of bruteforce is also a security bug
- Missing captcha too
- Information disclosure absolutely
10 clickjacks == 1 XSS
Bad advice 3
Enterprise toys are expensive
- Nessus SC for enterprise costs a lot, as an example
- Sometimes the security team just can't configure it well
- Or does not use it at all
- Scan it, validate it, report it!
For very nice bugs like this
Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
Good advice 1
First2discover is first2pwn
- Find your target ASes (radar.qrator.net as an example)
- Find domains and regions (subbrute + google)
- Automate nmap for portscanning the target AS
- Keep your eyes on the difference report
- Be the first bounty hunter to discover a new service
- Dev, test, debug: yummy!
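As an added example that is not from the talk: a small Python script that diffs two nmap grepable (-oG) snapshots and lists the open ports that appeared since the previous scan, i.e. the difference report the slide says to watch. The same check run by the target's own security team over its AS catches a forgotten dev or test host before a bounty hunter does. The two snapshots are constructed sample data using documentation-range addresses, not real scan output.

```python
"""Diff two nmap -oG snapshots and report newly exposed services."""
import re

# Constructed sample snapshots in nmap grepable (-oG) format (not real scans).
PREVIOUS = """\
Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.11 ()  Ports: 22/open/tcp//ssh///
"""
CURRENT = """\
Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 203.0.113.11 ()  Ports: 22/open/tcp//ssh///
Host: 203.0.113.12 ()  Ports: 3306/open/tcp//mysql///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {host: {(port, proto, service), ...}} containing open ports only."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # status-only lines and comments carry no port data
        host, ports = m.groups()
        open_ports = set()
        for entry in ports.split(","):
            # -oG port entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2], fields[4]))
        result[host] = open_ports
    return result


def diff_snapshots(old_text, new_text):
    """List (host, port, proto, service) tuples present now but absent before.

    A host missing from the old snapshot counts as entirely new, so every one
    of its open ports is reported.
    """
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    added = []
    for host, ports in new.items():
        for port, proto, service in sorted(ports - old.get(host, set())):
            added.append((host, port, proto, service))
    return added


if __name__ == "__main__":
    for host, port, proto, service in diff_snapshots(PREVIOUS, CURRENT):
        print(f"NEW {host}:{port}/{proto} ({service})")
```

Feed it the -oG files of two consecutive scheduled scans and the output is exactly the list of services that did not exist at the last run.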
Good advice 2
We are lazy
- Too lazy to write a RegEx for sanitizing abG$2.###
- Huge frameworks and APIs are awesome
- Just MD5 the username and salt it with the IP, this will be the sessionid
- Keep in mind that developers are humans too
- Just imagine yourself in their place
Yandex.Disk case
- What we know: our Yandex id, 229857356
- What we see in requests: _model.0=tree&id.0=/disk
- What we will try: _model.0=tree&id.0=229857356:/disk
- Profit. Access any disk by its full URI just by changing the uid.
Good advice 3
Automate your ideas
- Don't be lazy, write your own plugins
- Automate every cool vector you can create
- Automate even every good vector you can find!
- Your fuzzing and attacks must be unique
Let's try to find errors in a good way
Don't take it all too seriously
- Research new vulnerabilities
- Don't stop working hands-on. Repeater is your best friend.
- Keep learning! There is so much interesting stuff you don't know!
- Share information with bros
- Money is nothing. Seriously.
Thanks :)
- @videns, u r a dick
- @d0znpp for good parties
- QIWI security team for the time given to write these slides
- Mail.Ru for this great evening
Email party invitations at email@example.com
QIWI IS HIRING
- Security Expert in Application Security Team: write to firstname.lastname@example.org
- Security Expert in Infrastructure Security Team: write to email@example.com
- Python programmer in Internal Development: write to firstname.lastname@example.org
Welcome