Bug Bounty for - Beginners

1. Bug Bounty for -
Beginners
HIMANSHU KUMAR DAS

2. about.me
 Infosec analyst at iViZ techno sol. Pvt. Ltd.
 Passionate Capture The Flag(CTF) player.
 Started bug bounty recently, listed on few Security
Acknowledgement Pages, few $$$, few t-shirts.
 Member of n|u community past 2 years 6 months.

3. todays talk
 Prerequisites
 Highlights
 Initial Approach
 Tools to tune
 Automating on localhost.
 Bug Submission/Reporting.
 Demo…..

4. prerequisites
 patience……… of course, YES!!!
 Ninja Skills, NO!!!
 Operating System and web browser, a matter of argument, so you
select!!!
 Have you read any of these?
 OWASP Testing Guide v3
 The Web Application Hacker’s Handbook- 2nd Edition
 RFC 2616 – HTTP/1.1

5. bug bounty program: highlights
 Not limited to web applications, even networks and products.
 Must be a Responsible Disclosure.
 Lots of $$$ , gifts, t-shirts.
 Test your: <script>alert(“Bounty”);</script>

6. initial approach
 Did you read the scope?
 Reconnaissance:
 CMS, default pages, paths, plugins( robots.txt, phpinfo.php, .htaccess)
 Various subdomains
 Identify services
 Understand the logic of any functionality.
 Say No to SCANNERS!!!

8. tools to tune
 Web Proxy (Burp Suite, Fiddler, OWASP ZAP many others)
 Must have firefox addons:
 web developer
 tamper Data
 wappalyzer
 foxyproxy
 user agent switcher
 live http headers
 ClickJacking Defense (https://addons.mozilla.org/en-
us/firefox/addon/clickjacking-defense-declar/)
 and the counting goes on……………………

9. automating on localhost
 Install web server on your local system.(WAMP, XAMPP)
 Download and install product(CMS) on your local web server.
 Time to input and sleep :
 Wfuzz
 intellifuzz-xss(By @matthewdfuller)
 Sqlmap
 IronWASP( By @lavakumark)

10. Few techniques to bypass security measures
 Brute-force
 IP based blocking, user-agent based blocking.
 Account locked, yet account accessible.
 Cross-site request forgery
 Token missing.
 Token not time-boxed.
 Token not validated.
 Token not random.
 UI Redressing/ClickJacking
 Drag and Drop [ Discovered by ahamed nafeez(@skeptic_fx) ]
 Content Extraction (deprecated in modern browsers).

11. Bug Submission
 Subject: Responsible Disclosure.
 Nature/Description of the Bug.
 Impact.
 Testing Environment: OS, Browsers, Tools(if any).
 Proof Of Concept: Video(avi/flv), Screenshot.

12. DEMO

13. Stored XSS through SVG
 What is SVG?
 Supports modern browser.
 Dis-section of the payload.
 XML CDATA - All text in an XML document will be parsed by the
parser, But text inside a CDATA section will be ignored by the parser.
 To avoid errors script code can be defined as CDATA.

14. references / links
 http://www.computersecuritywithethicalhacking.blogspot.in/
 https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_im
age_that_called_me.pdf
 http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html
 http://www.riyazwalikar.com
 http://www.amolnaik4.blogspot.com

15. DEMO – Stored XSS on FACEBOOK
BY
Riyaz Ahemed Walikar
@riyazwalikar
http://www.riyazwalikar.com

16. QUESTIONS ?
THANK YOU!!!
twitter: @mehimansu
e-mail: me.himansu@gmail.com