
Title: Bug Hunting as a Job; author: Alexander Sekretov; language: Eng (.pptx)
- Number of slides: 36
#securitymeetup “When a big brick wall becomes a wooden fence” or “how to get 1 kk on the Bug Bounty”
whoami?
• Known as ‘isox’
• Web penetration tester
• QIWI CISO
• Member of “halls of fame” (Yandex, Mail.ru, Apple, and so on)
• JBFC participant ^___^
Hungry nomads
• Disparate groups
• Attacking every tower they see
• Using the same techniques and weapons
• Really meticulous
• Clever and creative
• You and I
Castle with gold
• Ready to pay tribute for every successful attack
• Has an enormous territory surrounding it
• Provides protection for its citizens
• Takes care of its borders
• Makes friends with its neighbors
Looking at the frontend
• Huge, strong (fire)walls
• Musketeers and howitzers
• Moat with crocodiles
• Perfect citizenship control at the gate
• Flawless architecture
… gentlemen, what are we waiting for?
Common assault
• 10 days for one embossed brick
• Noticed that the walls are really pregnable
• 100 gold coins of income
• Got tired and went home
I worked using Burp Suite with plugins for a week.
Why so bad?
• Most of us took our weapons from the same blacksmith
• Studied martial arts at the same academy
• There are very few “unique attack techniques”
• Unless you are a black (magic) fan or can pull off a dozen «PP» tricks
• All the easy ways have already been found
Just stats for one day and one vector
Let’s dot the i’s and cross the t’s
• We are not doing “security research”
• We are working for ourselves
• We came here to hack them for money
• We are legal whitehats
Bad advice № 1
Illusion of good network segregation
• It does not really matter where this RCE or SQLi is
• Common case: an injection in an auxiliary DB leads to main DB takeover through a database link
• Do you really believe that writing “don’t hack these domains” will stop anybody?
• Hack everything you can find in the target AS
Sometimes like this
Or like that
Or even like “I just hacked this IP”
Bad advice № 2
Rabbits are not only fluff
• $50 is $50
• “I’m too cool for clickjacking, self-XSS, bad crossdomain.xml, POODLE, bad CSP”… forget about it
• If it is a security issue, report it
• Feasibility of bruteforce is also a security bug
• A missing captcha too
• Information disclosure, absolutely
Sometimes $140
10 clickjacks == 1 XSS
Bad advice № 3
Enterprise toys are expensive
• Nessus SC for enterprise costs a lot, for example
• Sometimes the security team just can’t configure it well
• Or does not use it at all
• Scan it, validate it, report it!
For very nice bugs like this
Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIPv1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
Good advice № 1
First 2 discover is first 2 pwn
• Find your target ASes (radar.qrator.net, for example)
• Find domains and regions (subbrute + Google)
• Automate nmap port scanning of the target AS
• Keep your eyes on the difference report
• Be the first bounty hunter to discover a new service
Dev, test, debug…yummy!
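The “difference report” from the previous slide is the same thing a blue team’s attack-surface monitoring does: compare today’s scan with yesterday’s and flag every host or port that was not there before (a forgotten dev, test or debug service shows up here first). The script below is an added example, not tooling from the talk; it parses two nmap grepable (`-oG`) snapshots, which are constructed sample data, and lists what appeared between them.

```python
# Added example (not from the talk): diff two nmap "-oG" (grepable) snapshots
# and report hosts/ports that appeared since the previous run. Both snapshots
# below are constructed sample data in the real -oG line layout, not real
# scan output; the hosts live in the 203.0.113.0/24 documentation range.

OLD_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (999)
"""

NEW_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Jetty/\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tPorts: 5432/open/tcp//postgresql//PostgreSQL/\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {host: {(port, proto): service}} for the open ports in -oG output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                     # comments and "Nmap done" lines
        fields = line.split("\t")
        host = fields[0].split()[1]      # "Host: 203.0.113.10 ()" -> address
        open_ports = {}
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # each entry is port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    open_ports[(int(parts[0]), parts[2])] = parts[4]
        result[host] = open_ports
    return result


def diff_scans(old_text, new_text):
    """List (host, port, proto, service) tuples present in new_text but not in old_text.
    A host that is entirely new contributes every open port it has."""
    old, new = parse_grepable(old_text), parse_grepable(new_text)
    added = []
    for host, ports in sorted(new.items()):
        for (port, proto), service in sorted(ports.items()):
            if (port, proto) not in old.get(host, {}):
                added.append((host, port, proto, service))
    return added


if __name__ == "__main__":
    for host, port, proto, service in diff_scans(OLD_SCAN, NEW_SCAN):
        print(f"NEW {host}:{port}/{proto} ({service})")
```

Run daily against `nmap -oG` output of the whole range and only the delta needs a human look: in the sample, the Jetty listener on 8080 and the newly exposed PostgreSQL host are the two lines worth investigating, on either side of the fence.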
Good advice № 2
We are lazy
• Nobody wants to write a regex for sanitizing “ab.G$2.###”
• Huge frameworks and APIs are awesome
• Just MD5 the username, salt it with the IP, and that will be the session id
• Keep in mind that developers are humans too
• Just imagine yourself in their place
Yandex.Disk case
• What we know: our Yandex id, 229857356
• What we see in requests: _model.0=tree&id.0=/disk
• What we will try: _model.0=tree&id.0=229857356:/disk
• Profit. Access any disk by its full URI just by changing the uid.
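What went wrong in the case above is a classic insecure direct object reference: the handler resolved the owner from a client-supplied `uid:` prefix instead of from the session. The toy below is an added example, not Yandex’s code or code from the talk; the storage layout, the request helper and the audit log are assumptions for illustration. It shows the trusting version next to the fixed one, and the fix also records refused cross-user requests, which is the signal a SOC would alert on (one session asking for many other uids).

```python
# Added example, not code from the talk or from Yandex: a toy model of the
# Yandex.Disk-style authorization bug and of its fix. The storage layout,
# the request helpers and the audit log are assumptions for illustration.

# Constructed sample storage: one file tree per user id. The first uid is the
# one quoted in the slides; the second is made up.
DISKS = {
    "229857356": {"/disk": ["photo.jpg", "notes.txt"]},
    "100000001": {"/disk": ["passport.pdf"]},
}

# Refused cross-user requests are recorded here; in a real service this would
# be a log line a SOC can alert on (one session probing many other uids).
AUDIT_LOG = []


def parse_resource_id(raw_id):
    """Split an `id.0` value into (uid or None, path).

    "/disk"           -> (None, "/disk")          relative to the caller
    "229857356:/disk" -> ("229857356", "/disk")   absolute, names an owner
    """
    if ":" in raw_id:
        uid, path = raw_id.split(":", 1)
        return uid, path
    return None, raw_id


def tree_vulnerable(session_uid, raw_id):
    """Before the fix: whatever uid the client embeds in the id is trusted."""
    uid, path = parse_resource_id(raw_id)
    owner = uid if uid is not None else session_uid
    return DISKS.get(owner, {}).get(path)


def tree_fixed(session_uid, raw_id):
    """After the fix: the owner is always the authenticated user. An explicit
    uid is accepted only when it equals the session uid; anything else is
    refused (None) and logged for detection."""
    uid, path = parse_resource_id(raw_id)
    if uid is not None and uid != session_uid:
        AUDIT_LOG.append({"session": session_uid, "requested": uid, "path": path})
        return None
    return DISKS.get(session_uid, {}).get(path)


if __name__ == "__main__":
    me, other = "229857356", "100000001"
    print("vulnerable:", tree_vulnerable(me, f"{other}:/disk"))   # other user's files
    print("fixed:     ", tree_fixed(me, f"{other}:/disk"))        # None, logged
    print("audit:     ", AUDIT_LOG)
```

The rule the fix enforces is the general one for any “tree”, “list” or “download” endpoint: the object owner comes from the session, the request may at most name the caller’s own uid, and refused lookups are logged rather than silently mapped to the caller’s data.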
Good advice № 3
Automate your ideas
• Don’t be lazy, write your own plugins
• Automate every cool vector you can create
• Automate even every good vector you can find!
• Your fuzzing and attacks must be unique
Let’s try to find errors in a good way
Don’t take it all too seriously
• Research new vulnerabilities
• Don’t stop working hands-on. Repeater is your best friend.
• Keep learning! There is so much interesting stuff you don’t know!
• Share information with bros
• Money is nothing. Seriously.
Thanks :)
• @videns, u r a dick
• @d0znpp for good parties
• QIWI security team for the time given to write these slides
• Mail.Ru for this great evening
Email party invitations to isox@vulners.com
QIWI IS HIRING
• Security Expert in Application Security Team – write to videns@qiwi.com
• Security Expert in Infrastructure Security Team – write to mona@qiwi.com
• Python programmer in Internal Development – write to isox@qiwi.com
• Welcome