Let's talk about bug hunting


Posted on 09-Jan-2017






Hacking large enterprise

#securitymeetup

When a big brick wall becomes a wooden fence, or how to get 1kk on the Bug Bounty

#: whoami?

- Known as isox
- Web penetration tester
- QIWI CISO
- Member of hall-of-fames (Yandex, Mail.ru, Apple, and so on)
- JBFC participant ^___^


Hungry nomads

- Disparate groups
- Attacking every tower they see
- Using the same techniques and weapons
- Really meticulous
- Clever and creative
- You and I


Castle with gold

- Ready to pay tribute for every successful attack
- Got enormous territory surrounding it
- Provides protection for its citizens
- Takes care of its borders
- Makes friends with its neighbors

Looking at the frontend

- Huge strong (fire)walls
- Musketeers and howitzers
- Moat with crocodiles
- Perfect gate citizenship control
- Flawless architecture

Gentlemen, what are we waiting for?

Common assault

- 10 days for one embossed brick
- Took notice that the walls are really pregnable
- 100 gold coins of income
- Got tired and went home

I worked using Burp Suite with plugins for a week.

Why so bad?

- Most of us took weapons from the same blacksmith
- Studied martial arts in the same academy
- There are very few unique attack techniques
- Unless you are a black (magic) fan or can make a dozen PP tricks
- All easy ways are already found

Just stats for one day and one vector

Let's dot the i's and cross the t's

- We are not doing security research
- We are working for ourselves
- We came here to hack 'em for money
- We are legal whitehats

Bad advice 1

Illusion of good network segmentation

- It does not really matter where this RCE or SQLi will be
- Common case: injection in an aux DB leads to main DB takeover through a datalink
- Do you really believe writing "don't hack these domains" will stop anybody?
- Hack everything you can find in the target AS

Sometimes like this

Or like that

Or even like "I just hacked this IP"

Bad advice 2

Rabbits are not only puff

- $50 is $50
- "I'm too cool for clickjacking, self-XSS, bad crossdomain.xml, POODLE, bad CSP" - forget about it
- If it is a security issue, report it
- Availability of bruteforce is also a security bug
- Missing captcha too
- Information disclosure absolutely

Sometimes $140

10 clickjacks == 1 XSS

Bad advice 3


Enterprise toys are expensive

- Nessus SC for enterprise costs a lot, as an example
- Sometimes the security team just can't configure it well
- Or does not use it at all
- Scan it, validate it, report it!


For very nice bugs like this

Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.

Good advice 1


First2discover is first2pwn

Find your target AS-es (radar.qrator.net as an example)

Find domains and regions (subbrute + google)

Automate nmap for port-scanning the target AS

Keep your eyes on the difference report

Be the first bounty hunter to discover a new service


Dev, test, debug... yummy!

Good advice 2

We are lazy

- A RegEx for sanitizing abG$2.### is too boring to write
- Huge frameworks and APIs are awesome
- Just MD5 the username and salt it with the IP, this will be the session id
- Keep in mind that developers are humans too
- Just imagine yourself in their place

Yandex.Disk case

- What we know: our Yandex id, 229857356
- What we see in requests: _model.0=tree&id.0=/disk
- What we will try: _model.0=tree&id.0=229857356:/disk
- Profit. Access any disk by its full URI just by changing the uid.
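The defect behind the Yandex.Disk case is an object reference that trusts a caller-supplied owner id. The toy resolver below is an added example, not Yandex's code: the `uid:/path` form of `id.0` is taken from the slide, while the in-memory store, the second uid and both resolver functions are constructed assumptions. It shows the lookup that honours the uid prefix from the request beside one that binds every lookup to the authenticated session.

```python
# Added illustration of the Yandex.Disk access-control defect described above.
# Constructed toy: the store, the uids and both resolvers are assumptions, not
# the real implementation. Only the "uid:/path" shape of id.0 comes from the slide.
from urllib.parse import parse_qs

# Constructed sample store: owner uid -> path -> file names.
DISKS = {
    "229857356": {"/disk": ["notes.txt"]},
    "100000001": {"/disk": ["secret.pdf"]},   # someone else's disk
}


class Forbidden(Exception):
    """Raised when a request names a resource its session may not touch."""


def parse_resource(raw):
    """Split an id.0 value into (uid or None, path).

    "/disk"           -> (None, "/disk")
    "229857356:/disk" -> ("229857356", "/disk")
    """
    if ":" in raw:
        uid, path = raw.split(":", 1)
        return uid, path
    return None, raw


def resolve_vulnerable(session_uid, query):
    """The bug: a uid prefix from the request overrides the logged-in uid."""
    raw = parse_qs(query)["id.0"][0]
    uid, path = parse_resource(raw)
    owner = uid or session_uid          # attacker-chosen uid wins when present
    return DISKS[owner][path]


def resolve_fixed(session_uid, query):
    """Always bind the lookup to the session uid; refuse a mismatching prefix."""
    raw = parse_qs(query)["id.0"][0]
    uid, path = parse_resource(raw)
    if uid is not None and uid != session_uid:
        raise Forbidden("resource uid does not match session uid")
    return DISKS[session_uid][path]   # never look up by the caller's uid
```

Logging the Forbidden branch is the cheap detection here: a session that keeps naming other uids in `id.0` is enumerating, not misclicking.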

Good advice 3

Automate your ideas

- Don't be lazy, write your own plugins
- Automate every cool vector you can create
- Automate even every good vector you can find!
- Your fuzzing and attacks must be unique


Let's try to find errors in a good way

- Don't take it all too seriously
- Research new vulnerabilities
- Don't stop working hands-on. Repeater is your best friend.
- Keep learning! There is so much interesting stuff you don't know!
- Share information with bros
- Money is nothing. Seriously.

Thanks :)

- @videns, u r a dick
- @d0znpp for good parties
- QIWI security team for the time given to write these slides
- Mail.Ru for this great evening

Email party invitations at isox@vulners.com


QIWI IS HIRING

- Security Expert in Application Security Team: write to videns@qiwi.com
- Security Expert in Infrastructure Security Team: write to mona@qiwi.com
- Python programmer in Internal Development: write to isox@qiwi.com

Welcome

