The Bug Hunters

Methodology
1

whoami
Faraz Khan

Bugcrowd Tech-OPS Team Member

Part time Hacker & Bug hunter
Writer at Securityidiots.com
Ex-Full time Penetration Tester

Source of the Slides

These Slides were originally developed and presented by
Jason Haddix at Defcon 23 on August 6th

Director of Technical Ops at Bugcrowd

Hacker & Bug hunter
#1 on all-time leaderboard bugcrowd 2014

@jhaddix

What this talks about...

Hack
Stuff
Better
(and practically)
AndLOTS of memes. only some of them are funny
4

More Specifically
Step 1: Started with my bug hunting methodology
Step 2: Parsed some of the top bug hunters research (web/mobile only for now)
Step 3: Create kickass preso

Topics? BB philosophy shifts, discovery techniques, mapping

methodology, common attack parameters, useful fuzz strings, bypass or
filter evasion techniques, new/awesome tooling
Note: All information is from Jason Haddixs own methodology and public resource. No
information from the Bugcrowd platform is obtained!

Philosophy
6

Differences from standard testing

Single-sourced

looking mostly for

common-ish vulns
not competing with
others
incentivized for count
payment based on sniff
test

Crowdsourced

looking for vulns that

arent as easy to find
racing vs. time
competitive vs. others
incentivized to find
unique bugs
payment based on
impact not number of
findings

Scenario while Standard Penetration Test

Scenario while Bounty Hunting

The regular methodologies

10

Discovery
11

Find the road less traveled

12

^ means find the application (or parts of an

application) less tested to avoid duplicate.
1. *.acme.com scope is your friend
2. Find domains via Google (and others!)
a. Can be automated well via recon-ng
and other tools.
3. Confirm the subdomain to be in Scope
4. Port scan for obscure web servers or
services (on all domains)
5. Find acquisitions and the bounty
acquisition rules
6. Functionality changes or re-designs
7. Mobile websites
8. New mobile app versions

Tool: Recon-ng script (enumall.sh)

13

https://github.com/jhaddix/domain

LMGTFY

14

LMGTFY

15

DEMO:
enumall.sh script

16

LMGTFY

Google dorks on Exploit-Db

Link: https://www.exploit-db.com/google-hacking-database/

17

18

https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

19

Port Scanning!
Port scanning is not just for Netpen!
A full port scan of all your new found targets will usually
yield #win:

separate webapps
extraneous services
Facebook had Jenkins Script console with no auth
IIS.net had rdp open vulnerable to MS12_020

nmap -sS -A -PN -p- --script=http-title dontscanme.bro

20

^ syn scan, OS + service fingerprint, no ping, all ports,

http titles

Mapping
21

Mapping tips

22

Google
*Smart* Directory Brute Forcing
RAFT lists (included in Seclists)
SVN Digger (included in Seclists)
Git Digger
Platform Identification:
Wapplyzer (Chrome)
Builtwith (Chrome)
retire.js (cmd-line or Burp)
Check CVEs
Auxiliary
WPScan
CMSmap

Just what the hack is SecList?

SecLists is the security tester's companion. It's a collection of multiple types of lists used
during security assessments, collected in one place. List types include usernames,
passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
The goal is to enable a security tester to pull this repo onto a new testing box and have
access to every type of list that may be needed.
This project is maintained by Daniel Miessler and Jason Haddix.

https://github.com/danielmiessler/SecLists

23

DEMO:
Wapplyzer

24

DEMO:
wpscan

25

Directory Bruteforce Workflow

After bruteforcing look for other status codes indicating you are denied or require auth then
append list there to test for misconfigured access control.
Example:

GET http://www.acme.com - 200

GET http://www.acme.com/backlog/ - 404
GET http://www.acme.com/controlpanel/ - 401 hmm.. ok
GET http://www.acme.com/controlpanel/[bruteforce here now]
26

Auth and Session

27

Auth (better be quick)

Auth Related (more in logic and priv sections)

28

Make sure they are in scope before submitting

User/pass discrepancy flaw
Registration page harvesting
Login page harvesting
Password reset page harvesting
No account lockout
Weak password policy
Password not required for account updates
Password reset tokens (no expiry or re-use)

Session (better be quick)

Session Related

29

Failure to invalidate old cookies

No new cookies on login/logout/timeout
Never ending cookie length
Easily reversible cookie (base64 most often)

Tactical Fuzzing - XSS

30

XSS
Core Idea: Does the pagefunctionalitydisplay something to the users?

For time sensitive testing the 80/20 rule

applies. Many testers use Polyglot payloads.
You probably have too!

31

XSS
';alert(String.fromCharCode(88,83,83))//';alert(String.
fromCharCode(88,83,83))//";alert(String.fromCharCode
(88,83,83))//";alert(String.fromCharCode(88,83,83))//-></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))
</SCRIPT>
Multi-context, filter bypass based polyglot payload #1 (Rsnake XSS Cheat Sheet)
32

XSS
'">><marquee><img src=x onerror=confirm(1)></marquee>"
></plaintext\></|\><plaintext/onmouseover=prompt(1)
><script>prompt(1)</script>@gmail.com<isindex
formaction=javascript:alert(/XSS/) type=submit>'-->"
></script><script>alert(1)</script>"><img/id="confirm&lpar;
1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http:
//i.imgur.com/P8mL8.jpg">
33

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

XSS

onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//

Multi-context polyglot payload (Mathias Karlsson)
http://polyglot.innerht.ml/

34

XSS

35

Other XSS
Observations

Input Vectors
Customizable Themes & Profiles via CSS
Event or meeting names
URI based
Imported from a 3rd party (think Facebook integration)
JSON POST Values (check returning content type)
File Upload names
Uploaded files (swf, HTML, ++)
Custom Error pages
fake params - ?realparam=1&foo=bar+alert(/XSS/)+
Login and Forgot password forms

36

SWF Parameter XSS

37

DEMO:
Flashbang

38

Tactical Fuzzing - SQLi

39

SQL Injection
Core Idea: Does the page look like it might need to call on stored data?
There exist some SQLi polyglots, i.e;

SLEEP(1) /* or SLEEP(1) or or SLEEP(1) or */

Works in single quote context, works in double quote context, works in straight into query
context! (Mathias Karlsson)
40

SQL Injection
You can also leverage the large database of
fuzzing lists from Seclists here:

41

SQL Injection Observations

Common Parameters or Injection points
Blind is predominant, Error based is highly unlikely.

%2Bbenchmark(3200,SHA1(1))%2B
+BENCHMARK(40000000,SHA1(1337))+
SQLMap is king!

ID
Currency Values
Item number values
sorting parameters (i.e order, sort, etc)

JSON and XML values

Use -l to parse a Burp log file.
Use Tamper Scripts for blacklists.
Cookie values (really?)
SQLMapper Burp plugin works well to instrument SQLmap quickly.
Custom headers (look for possible
integrations with CDNs or WAFs)
Lots of injection in web services!

REST based Services

42

Burp Suite Extension

Burp allows you to use a range of addons/extensions
which can be added from BAPP Store, you download
and add manually or you can program your own script
and add to Burp.
There are many cool Burp Extensions you can add to
your collection to help you automate many manual
tasks and make your life easier.
Example:
- Autorize
- CO2
- Reflected Parameters

43

DEMO:
Adding Burp Extension

44

DEMO:
SQLMapper

45

SQLmap All Tamper Scripts

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,
base64encode,between,bluecoat,chardoubleencode,charencode,
charunicodeencode,concat2concatws,equaltolike,greatest,
halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,
modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,
percentage,randomcase,randomcomments,securesphere,space2comment,
space2dash,space2hash,space2morehash,space2mssqlblank,
space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,
space2randomblank,sp_password,unionalltounion,unmagicquotes,
versionedkeywords,versionedmorekeywords

46

https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423

SQLmap Targeted Tamper Scripts

General: tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,
charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,
randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,
percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,
space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,
halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,
nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,
space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,
versionedmorekeywords,xforwardedfor
47

Best SQL injection resources

DBMS Specific Resources

48

mySQL

PentestMonkey's mySQL injection cheat sheet

Reiners mySQL injection Filter Evasion Cheatsheet

MSSQL

EvilSQL's Error/Union/Blind MSSQL Cheatsheet

PentestMonkey's MSSQL SQLi injection Cheat Sheet

ORACLE

PentestMonkey's Oracle SQLi Cheatsheet

POSTGRESQL

PentestMonkey's Postgres SQLi Cheatsheet

Others

Access SQLi Cheatsheet

PentestMonkey's Ingres SQL Injection Cheat Sheet
pentestmonkey's DB2 SQL Injection Cheat Sheet
pentestmonkey's Informix SQL Injection Cheat Sheet
SQLite3 Injection Cheat sheet
Ruby on Rails (Active Record) SQL Injection Guide

SSRF - A new face in Picture

49

SSRF (Server-Side Script Request Forgery)

Core Idea : Is there any external resource accessed by any
parameter which could be controlled by us.
Polyglot : www.yoursite.com/your_resource
Simply capture the IP from which your resource is accessed. There we start,
once we get the IP and we confirm that the resource is accessed by serverside, we are up with our game for SSRF.

50

SSRF Tools - Testing & Exploitation

Tools
Burp Scanner, other few scanners in market.
Testing
As we know SSRF does not need automated fuzzing, because once we confirm a resource is accessible from the Server-Side
we can confirm SSRF/XFPA.
Exploitation
Once we have confirmed SSRF, we can move on to further exploitation which includes the following but not limited to:
1. Internal Server/Port Scan
2. Access to File System
3. SSRF via 306 Redirects
4. Exploitation via other known Protocols

51

DEMO:
SSRF

52

XXE - XML eXternal Entity

53

XML External Entity Injection

Core Idea : Trial & Error, find any XML upload request or
any request which takes XML in input body.
Not very commonly we finds an application functionality which is
dealing with XML inputs. But if we do, we might get lucky to find an
XXE.
Heres how it works, if the XML is getting parsed by the application and
the External entities in the DTD (Document Type declaration) is
resolved then it may lead to XXE. You can also try converting a JSON
endpoint request to XML and try XML Injections.

54

XXE Tools - Testing & Exploitation

As the vulnerability is in its early stages we do not have any specific tool that totally concentrate on finding or exploiting
XXE, but as per automated scanning/finding we have Burp scanner, other updated automated vulnerability scanner which
are able to find XXE.
Simple Payload
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
Exploitation:
Can be used to read system files + Other attacks SSRF is capable of.

55

DEMO:
XXE

56

Tactical Fuzzing - FI & Uploads

57

Local file inclusion

Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here but you can also use Seclists:

Common Parameters or Injection points

file=
location=
locale=
path=
display=
load=
read=

58

retrieve=

Malicious File Upload ++

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

59

content type spoofing

extension trickery
File in the hole! presentaion - http://goo.gl/VCXPh6

Malicious File Upload ++

This is an important and common attack vector in this type of testing
A file upload functions need a lot of protections to be adequately secure.
Attacks:

60

Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web
shells or...
Execute XSS via same types of files. Images as well!
Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
Bypass security zones and store malware on target site via file polyglots

CSRF
61

CSRF
Everyone knows CSRF but the TLDR
here is find sensitive functions and
attempt to CSRF.
Burps CSRF PoC is fast and easy for
this:

62

CSRF
Many sites will have CSRF protection, focus on CSRF bypass!
Common bypasses:

Check this out...

63

Remove CSRF token from request

Remove CSRF token parameter value
Add bad control chars to CSRF parameter value
Use a second identical CSRF param
Change POST to GET

CSRF
Debasish Mandal wrote a python tool to automate finding CSRF bypasses called
Burpy.
Step 1: Enable logging in Burp. Crawl a site with Burp completely executing all
functions.
Step 2: Create a template...

64

DEMO:
Burpy

65

CSRF
Or focus on pages without the token in Burp:
https://github.
com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_d
etect.py

66

CSRF
CSRF Common Critical functions
Add / Upload file

Password change

Email change

Transfer Money /
Currency

Delete File

Profile edit
CSRF N/A functions

Logout CSRF

Public Forms

Forms that dont make any change

67

Privilege, Transport, Logic

68

Privilege
Often logic, priv, auth bugs are blurred.
Testing user priv:
Here is how it should be:
1. admin has power
2. user has few permissions
And we are looking for functions which are
only meant for the admin and are accessible
by user.

69

Privilege
1. Find site functionality that is restricted to certain
user types
2. Try accessing those functions with lesser/other
user roles
3. Try to directly browse to views with sensitive
information as a lesser priv user
Autorize Burp plugin is pretty neat here...

Common Functions or Views

Add user function
Delete user function
start project / campaign / etc function
change account info (pass, CC, etc) function
customer analytics view
payment processing view

https://github.com/Quitten/Autorize

70

any view with PII

DEMO:
Autorize

71

Insecure direct object references

IDORs are common place in bounties, and hard
to catch with scanners.
Find any and all UIDs
increment
decrement
negative values
Attempt to perform sensitive functions
substituting another UID
change password
forgot password
admin only functions
72

Idors
Common Functions , Views, or Files
Everything from the CSRF Table, trying cross account attacks
Sub: UIDs, user hashes, or emails
Images that are non-public
Receipts
Private Files (pdfs, ++)
Shipping info & Purchase Orders
Sending / Deleting messages

73

Logic
Logic flaws that are tricky, mostly manual:

74

substituting hashed parameters

step manipulation
use negatives in quantities
authentication bypass
application level DoS
Timing attacks

75

A simple logic Flaw

An online cute dog contest, the dog with the best average of likes
wins.
1. Anyone can register and take part.
2. Once a dog is registered, people can start liking or disliking
that dog.
3. Everyone dislikes each others dogs to win the contest
4. The dog with the best average wins the contest.
5. Registration and votings gets closed 5 minutes before the
results are announced.
What is the Logic Flaw over here?

76

Auxiliary
77

The vulns formerly known as noise

78

Content Spoofing or HTML injection

Referer leakage
security headers
path disclosure
clickjacking
++

Things to take with you

1.
2.
3.
4.
5.
6.
7.

Crowdsourced testing is different enough to pay attention to

Crowdsourcing focuses on the 20% because the 80% goes quick
Data analysis can yield the most successfully attacked areas
A 15 minute web test, done right, could yield a majority of your critical vulns
Add polyglots to your toolbelt
Use SecLists to power your scanners
Remember to periodically refresh your game with the wisdom of other techniques and
other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas

79

Meme Count:

14
80

Attribution and Thanks

81

Tim Tomes - Recon-ng

Joe Giron - RFI params
Soroush Dalili - File in the Hole preso
Mathias Karlsson - polyglot research
Ashar Javed - polyglot/xss research
Ryan Dewhurst & Wpscan Team
Bitquark - for being a ninja, bsqli string
rotlogix - liffy LFI scanner
Arvind Doraiswamy - HTTPs, CSRF Burp Plugins
Barak Tawily - Autorize burp plugin
the RAFT list authors
Ferruh Mavituna - SVNDigger
Jaime Filson aka wick2o - GitDigger
Robert Hansen aka rsnake - polyglot / xss
Dan Crowley - polyglot research
Daniel Miessler - methodology, slide, and data contributions
My awesome team at Bugcrowd ( Ashley,Grant,Shpend,Fatih, Dan, Sean,Jay, Patrik ++)
82

Nullcon & All the bug hunting community!!!