The Bug Hunter's Methodology
whoami
Jason Haddix
●   Bugcrowd
●   Director of Technical Ops
●   Hacker & bug hunter
●   #1 on the all-time Bugcrowd leaderboard, 2014
    @jhaddix
What this talk's about...
Hack Stuff Better (and practically)
And... LOTS of memes... only some are funny
More Specifically
Step 1: Cut a hole in a box... j/k
Step 1: Started with my bug hunting methodology
Step 2: Parsed some of the top bug hunters' research (web/mobile only for now)
Step 3: Create kickass preso
Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter evasion techniques, new/awesome tooling
    Philosophy
Differences from standard testing

Single-sourced:
●   looking mostly for common-ish vulns
●   not competing with others
●   incentivized for count
●   payment based on sniff test

Crowdsourced:
●   looking for vulns that aren't as easy to find
●   racing vs. time
●   competitive vs. others
●   incentivized to find unique bugs
●   payment based on impact, not number of findings
    The regular methodologies
    Discovery
Find the road less traveled
^ means find the application (or parts of an application) less tested.
     1. *.acme.com scope is your friend
     2. Find domains via Google (and others!)
          a. Can be automated well via recon-ng and other tools.
     3. Port scan for obscure web servers or services (on all domains)
     4. Find acquisitions and the bounty acquisition rules
          a. Google has a 6 month rule
     5. Functionality changes or re-designs
     6. Mobile websites
     7. New mobile app versions
Tool: Recon-ng script (enumall.sh)
     https://github.com/jhaddix/domain
LMGTFY
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640
Port Scanning!
Port scanning is not just for Netpen!
A full port scan of all your newly found targets will usually yield #win:
 ●   separate webapps
 ●   extraneous services
 ●   Facebook had a Jenkins script console with no auth
 ●   IIS.net had RDP open, vulnerable to MS12-020
 nmap -sS -A -PN -p- --script=http-title dontscanme.bro
^ SYN scan, OS + service fingerprint, no ping, all ports, HTTP titles
     Mapping
Mapping tips
●   Google
●   *Smart* directory brute forcing
     ● RAFT lists (included in SecLists)
     ● SVN Digger (included in SecLists)
     ● Git Digger
●   Platform identification:
     ● Wappalyzer (Chrome)
     ● BuiltWith (Chrome)
     ● retire.js (cmd-line or Burp)
     ● Check CVEs
●   Auxiliary
     ● WPScan
     ● CMSmap
     ● Patator?
Directory Bruteforce Workflow
After bruteforcing, look for other status codes indicating you are denied or require auth, then append the list there to test for misconfigured access control.
Example:
           GET http://www.acme.com - 200
           GET http://www.acme.com/backlog/ - 404
           GET http://www.acme.com/controlpanel/ - 401 hmm.. ok
           GET http://www.acme.com/controlpanel/[bruteforce here now]
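The same workflow seen from the defender's side, as an added example that is not part of the deck: a small Python detector over constructed access-log lines that flags a client producing a burst of 404s, and any 2xx that client then obtains under a path which had answered 401 or 403 to it (the misconfigured access control the workflow above is hunting for). The log lines, IP addresses and threshold are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format) for this example.
# They are not taken from the deck; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /backlog/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /controlpanel/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:38 +0000] "GET /controlpanel/login/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:38 +0000] "GET /controlpanel/users/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:39 +0000] "GET /controlpanel/export/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2015:13:55:40 +0000] "GET /products/42 HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2015:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(log_text):
    """Yield (ip, method, path, status) for every line that matches the log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def detect_bruteforce(log_text, not_found_threshold=3):
    """Flag clients that look like they are brute-forcing directories.

    Two signals are combined per client IP:
      * a burst of 404s (guessing paths that do not exist), and
      * a 2xx under a prefix that earlier answered 401/403 to the same client,
        i.e. content reachable behind a path that is supposed to require auth.
    Returns {ip: {"not_found": n, "reachable_behind_auth": [paths]}}.
    """
    not_found = defaultdict(int)
    auth_prefixes = defaultdict(set)      # ip -> paths that returned 401/403
    behind_auth_hits = defaultdict(list)  # ip -> 2xx paths nested under such a prefix
    for ip, _method, path, status in parse(log_text):
        if status == 404:
            not_found[ip] += 1
        elif status in (401, 403):
            auth_prefixes[ip].add(path)
        elif 200 <= status < 300:
            for prefix in auth_prefixes[ip]:
                if path.startswith(prefix) and path != prefix:
                    behind_auth_hits[ip].append(path)
    findings = {}
    for ip in set(not_found) | set(behind_auth_hits):
        if not_found[ip] >= not_found_threshold or behind_auth_hits[ip]:
            findings[ip] = {
                "not_found": not_found[ip],
                "reachable_behind_auth": sorted(behind_auth_hits[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The second signal is the more useful one in practice: a 404 burst is noisy on any public site, but a 2xx beneath a prefix that has just refused the same client is worth a ticket regardless of volume.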
Mapping/Vuln Discovery using OSINT
Find previous/existing problems:
     ● Xssed.com
     ● Reddit XSS - /r/xss
     ● Punkspider
     ● xss.cx
     ● xssposed.org
     ● twitter searching
     ● ++
Issues might already be reported, but use the flaw area and injection type to guide you to further injections or filter bypass.
     Auth and Session
     Auth (better be quick)
     Auth Related (more in logic, priv, and transport sections)
           ●    User/pass discrepancy flaw
           ●    Registration page harvesting
           ●    Login page harvesting
           ●    Password reset page harvesting
           ●    No account lockout
           ●    Weak password policy
           ●    Password not required for account updates
           ●    Password reset tokens (no expiry or re-use)
Session (better be quick)
Session Related
 ●   Failure to invalidate old cookies
 ●   No new cookies on login/logout/timeout
 ●   Never-ending cookie lifetime
 ●   Multiple sessions allowed
 ●   Easily reversible cookie (base64 most often)
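The checklist above, in code: an added example (not from the deck) of a server-side session store that avoids each listed weakness: opaque random ids instead of a reversible cookie, a new id on every login, invalidation on logout, idle and absolute expiry, and one live session per user. `SessionStore`, `FakeClock`, `run_checklist` and the timeout values are constructed for the illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session store that avoids the weaknesses on the slide.

    The cookie value is an opaque random id (nothing to base64-decode), a new id is
    issued on every login, logout removes the record, and both an idle timeout and an
    absolute lifetime are enforced. `clock` is injectable so the expiry rules can be
    exercised without waiting.
    """

    def __init__(self, idle_timeout=900, max_lifetime=8 * 3600, single_session=True, clock=time.time):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.single_session = single_session
        self.clock = clock
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def login(self, user, presented_id=None):
        """Authenticate `user` and return a fresh session id for the Set-Cookie header."""
        # Rotation: whatever cookie the client presented before login is dead afterwards.
        self._sessions.pop(presented_id, None)
        if self.single_session:
            for sid in [s for s, d in self._sessions.items() if d["user"] == user]:
                del self._sessions[sid]
        sid = secrets.token_urlsafe(32)  # 256 random bits; reveals nothing about the user
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user for a presented cookie, or None if it is unknown or expired."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self.clock()
        if now - data["last_seen"] > self.idle_timeout or now - data["created"] > self.max_lifetime:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data["user"]

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie alone would leave the session usable."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the demo can fast-forward through timeouts."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_checklist():
    """Walk the slide's checklist against the store; every entry should come back True."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, max_lifetime=3600, clock=clock)
    results = {}

    first = store.login("alice")
    second = store.login("alice", presented_id=first)  # re-authentication rotates the id
    results["old cookie rejected after login"] = store.resolve(first) is None
    results["new cookie accepted"] = store.resolve(second) == "alice"

    store.logout(second)
    results["cookie rejected after logout"] = store.resolve(second) is None

    sid = store.login("alice")
    clock.advance(901)  # one second past the idle timeout
    results["idle timeout enforced"] = store.resolve(sid) is None

    sid = store.login("alice")
    for _ in range(5):  # keep it active, but run past the absolute lifetime
        clock.advance(800)
        store.resolve(sid)
    results["absolute lifetime enforced"] = store.resolve(sid) is None

    a = store.login("alice")
    b = store.login("alice")  # concurrent login from another client
    results["single session per user"] = store.resolve(a) is None and store.resolve(b) == "alice"
    return results


if __name__ == "__main__":
    for check, ok in run_checklist().items():
        print(("PASS " if ok else "FAIL ") + check)
```

Whether `single_session` is desirable is a product decision (it logs a user out of their phone when they sign in on a laptop); the other five controls are not optional.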
     Tactical Fuzzing - XSS
XSS
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Multi-context, filter-bypass-based polyglot payload #1 (RSnake XSS Cheat Sheet)
XSS
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
Multi-context, filter-bypass-based polyglot payload #2 (Ashar Javed XSS research)
XSS
" onclick=alert(1)//<button ' onclick=alert(1)//> */ alert(1)//
Multi-context polyglot payload (Mathias Karlsson)
http://polyglot.innerht.ml/
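The three polyglots above are built to break out of whatever context they land in, which is exactly why context-aware output encoding, not input filtering, is the fix. As an added example (not from the deck), here is the defender's side in Python: payload #1 rendered into an HTML text node, a quoted attribute value and a JavaScript string literal, with a check that none of the three rendering paths lets the payload close its container. `POLYGLOT` is the RSnake payload quoted on the slide; the render helpers and their templates are constructed for the illustration.

```python
import html
import json

# Polyglot #1 as quoted on the slide (RSnake XSS Cheat Sheet); used here only as test input.
POLYGLOT = (
    "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"
    "\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//"
    "--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"
)


def js_string(value):
    """Encode a Python string as a JavaScript string literal that is safe inside <script>.

    json.dumps handles quotes, backslashes, control characters and non-ASCII (including
    U+2028/2029); the extra replacements stop "</script>" and "-->" inside the literal
    from ever being seen by the HTML parser, which runs before the JS parser does.
    """
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


# Constructed render helpers: each places untrusted input in one specific context.
def render_unsafe(user_input):
    """The vulnerable pattern: untrusted text concatenated straight into markup."""
    return "<p>" + user_input + "</p>"


def render_html_body(user_input):
    """HTML text-node context: escape &, <, >, double and single quotes."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def render_attribute(user_input):
    """Quoted attribute context: same escaping, and the attribute must actually be quoted."""
    return '<input type="text" value="' + html.escape(user_input, quote=True) + '">'


def render_script_data(user_input):
    """JavaScript string context inside an inline <script> block."""
    return "<script>var label = " + js_string(user_input) + ";</script>"


def script_tag_count(rendered):
    """How many '<script' openers the HTML parser would see in the rendered output."""
    return rendered.lower().count("<script")


def roundtrip_ok(value):
    """Encoding must be lossless: the browser decodes back to exactly the original text."""
    body = render_html_body(value)[len("<p>"):-len("</p>")]
    return html.unescape(body) == value and json.loads(js_string(value)) == value


def evaluate(user_input):
    """Per rendering path: how many <script openers the payload contributed (0 is the goal)."""
    return {
        "unsafe": script_tag_count(render_unsafe(user_input)),
        "html_body": script_tag_count(render_html_body(user_input)),
        "attribute": script_tag_count(render_attribute(user_input)),
        "script_data": script_tag_count(render_script_data(user_input)) - 1,  # minus the template's own tag
    }


if __name__ == "__main__":
    print(evaluate(POLYGLOT))  # the unsafe path is the only one that leaks a live <script
```

The check is deliberately narrow (it counts tag openers and verifies the encoding is lossless); it is a demonstration of why each context needs its own encoder, not a sanitizer. A real application gets this from its templating engine's auto-escaping, which must be switched on for every context, including inline scripts.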
Other XSS Observations

Input Vectors:
     Customizable themes & profiles via CSS
     Event or meeting names
     URI based
     Imported from a 3rd party (think Facebook integration)
     JSON POST values (check returning content type)
     File upload names
     Uploaded files (swf, HTML, ++)
     Custom error pages
     fake params - ?realparam=1&foo=bar'+alert(/XSS/)+'
     Login and forgot password forms
SWF Parameter XSS
Common Params:
onload, allowedDomain, movieplayer, xmlPath, eventhandler, callback (more on OWASP page)
Common Injection Strings:
\%22})))}catch(e){alert(document.domain);}//
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//
"a")(({type:"ready"}));}catch(e){alert(1)}//
     Tactical Fuzzing - SQLi
SQL Injection
Core Idea: Does the page look like it might need to call on stored data?
There exist some SQLi polyglots, i.e.:
     SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
Works in single quote context, works in double quote context, works in "straight into query" context! (Mathias Karlsson)
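Why the polyglot works, and why parameterization stops it, as an added example that is not part of the deck: a Python `sqlite3` script with the "before" lookup that splices the value into the SQL text beside a parameterized version. With the slide's polyglot as input, the spliced query reaches the parser as code (SQLite has no `SLEEP`, so it errors out at prepare time; on MySQL the same structure would execute), while the bound parameter is matched purely as data and finds only a row whose name literally equals the string. The `items` table and its rows are constructed for the illustration.

```python
import sqlite3

# Strings quoted on the slides, used here only as input values.
SQLI_POLYGLOT = "SLEEP(1) /*' or SLEEP(1) or '\" or SLEEP(1) or \"*/"
BENCHMARK_STRING = "'+BENCHMARK(40000000,SHA1(1337))+'"


def make_db():
    """Constructed in-memory catalogue; the last row's name is literally the polyglot string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL)")
    conn.executemany(
        "INSERT INTO items (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.50), (SQLI_POLYGLOT, 0.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """'Before' version: the value is spliced into the SQL text, so its quotes and
    comment markers are parsed as SQL rather than treated as data."""
    sql = "SELECT id, name FROM items WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fixed version: the driver sends the value separately; it can never change the query shape."""
    return conn.execute("SELECT id, name FROM items WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both lookups against a fresh database and report what each did.

    Returns ((kind, detail), safe_row_count) where kind is 'rows' or 'error'.
    """
    conn = make_db()
    try:
        vulnerable = ("rows", len(lookup_vulnerable(conn, name)))
    except sqlite3.Error as exc:
        # The injected text reached the SQL parser: SQLite has no SLEEP/BENCHMARK,
        # so preparation fails here; MySQL would run the same structure as a timing probe.
        vulnerable = ("error", type(exc).__name__)
    safe = lookup_parameterized(conn, name)
    conn.close()
    return vulnerable, len(safe)


if __name__ == "__main__":
    for value in ("widget", SQLI_POLYGLOT, BENCHMARK_STRING):
        print(repr(value), "->", compare(value))
```

The parameterized lookup returning exactly one row for the polyglot is the point: the database compared the whole string, comment markers and all, against the `name` column and found the row that was inserted with that literal name.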
SQL Injection
You can also leverage the large database of fuzzing lists from SecLists here.
SQL Injection Observations
Blind is predominant, error based is highly unlikely.
     '%2Bbenchmark(3200,SHA1(1))%2B'
     '+BENCHMARK(40000000,SHA1(1337))+'
SQLMap is king!
     ●    Use -l to parse a Burp log file.
     ●    Use tamper scripts for blacklists.
     ●    SQLiPy Burp plugin works well to instrument SQLmap quickly.
Lots of injection in web services!

Common Parameters or Injection points:
     ID
     Currency values
     Item number values
     sorting parameters (i.e. order, sort, etc.)
     JSON and XML values
     Cookie values (really?)
     Custom headers (look for possible integrations with CDNs or WAFs)
     REST based services
     SQLmap SQLiPy
SQLmap All Tamper Scripts
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
SQLmap Targeted Tamper Scripts
General:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
Best SQL injection resources
DBMS Specific Resources
 MySQL        PentestMonkey's MySQL injection cheat sheet
              Reiners' MySQL injection filter evasion cheat sheet
 MSSQL        Evil SQL Error/Union/Blind MSSQL cheat sheet
              PentestMonkey's MSSQL SQLi injection cheat sheet
 Oracle       PentestMonkey's Oracle SQLi cheat sheet
 PostgreSQL   PentestMonkey's Postgres SQLi cheat sheet
 Others       Access SQLi cheat sheet
              PentestMonkey's Ingres SQL injection cheat sheet
              PentestMonkey's DB2 SQL injection cheat sheet
              PentestMonkey's Informix SQL injection cheat sheet
              SQLite3 injection cheat sheet
              Ruby on Rails (Active Record) SQL injection guide
Tactical Fuzzing - FI & Uploads
Local file inclusion
Core Idea: Does it (or can it) interact with the server file system?
Liffy is new and cool here, but you can also use SecLists.

Common Parameters or Injection points:
     file=
     location=
     locale=
     path=
     display=
     load=
     read=
     retrieve=
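The parameters above are the ones whose value ends up in a filesystem call, and the `../` to `....//` substitution listed among the bypasses on the next slide shows why filtering the string is the wrong control: a single-pass blacklist turns the doubled form back into a traversal. As an added example (not from the deck), the Python below puts such a filter beside an allowlist check that resolves the final path and requires it to stay under the base directory, so the spelling of the traversal stops mattering. `naive_filter`, `safe_join`, `demo` and the sample paths are constructed for the illustration; POSIX path semantics are assumed.

```python
import os
import tempfile


def naive_filter(user_path):
    """Blacklist filter of the kind the '....//' trick defeats: one pass removing '../'."""
    return user_path.replace("../", "")


def safe_join(base_dir, user_path):
    """Allowlist check: resolve the final path and require it to stay inside base_dir.

    Because it judges the resolved result, it does not matter how the traversal was
    spelled or encoded on the way in. POSIX path semantics assumed.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed absolute/relative paths, or different drives on Windows
        inside = False
    if not inside:
        raise ValueError("path escapes the base directory: %r" % user_path)
    return candidate


def accepts(base_dir, user_path):
    """True if safe_join would serve this path, False if it rejects it."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo():
    """Evaluate constructed inputs against both approaches.

    Returns (accepted, filtered, filtered_accepted): which raw inputs safe_join serves,
    what the blacklist turns the doubled form into, and whether safe_join would serve that.
    """
    base = tempfile.mkdtemp(prefix="uploads-")  # stand-in for the application's upload directory
    inputs = [
        "reports/2015/summary.pdf",        # legitimate
        "reports/../reports/summary.pdf",  # legitimate, just untidy
        "../../etc/passwd",                # classic traversal
        "/etc/passwd",                     # absolute path; os.path.join discards the base
        "....//....//etc/passwd",          # the doubled form from the deck's bypass list
    ]
    accepted = {path: accepts(base, path) for path in inputs}
    # Raw, the doubled form is just a directory literally named "...." inside the base and
    # is harmless; the blacklist is what converts it into "../../etc/passwd".
    filtered = naive_filter("....//....//etc/passwd")
    filtered_accepted = accepts(base, filtered)
    os.rmdir(base)
    return accepted, filtered, filtered_accepted


if __name__ == "__main__":
    accepted, filtered, filtered_accepted = demo()
    for path, ok in accepted.items():
        print(("serve  " if ok else "reject ") + path)
    print("naive_filter produced", repr(filtered), "-> safe_join accepts:", filtered_accepted)
```

The resolved-path check also covers symlinks under the base directory, since `realpath` follows them before the prefix comparison; a string-based check never sees them.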
Remote file includes and redirects
Look for any param with another web address in it. Same params from LFI can present here too.
Common blacklist bypasses:
 ●   escape "/" with "\/" or "//" with "\/\/"
 ●   try single "/" instead of "//"
 ●   remove http, i.e. "continue=//google.com"
 ●   "/\/\" , "|/" , "/%09/"
 ●   encode slashes
 ●   "./" CHANGE TO "..//"
 ●   "../" CHANGE TO "....//"
 ●   "/" CHANGE TO "//"

Redirections Common Parameters or Injection points:
     dest=
     continue=
     redirect=
     url= (or anything with "url" in it)
     uri= (same as above)
     window=
     next=
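The bypass list above is, read the other way, a specification for what a redirect validator has to survive. As an added example that is not part of the deck, here is a Python check that accepts only a path-absolute, same-origin target: it percent-decodes (a bounded number of times), folds backslashes to slashes and drops control characters the way browsers do, then rejects anything that parses with a scheme or host or that begins with `//`. `is_safe_redirect`, `safe_redirect_target` and the sample targets are constructed; the `google.com` host is the one used in the slide's own example.

```python
from urllib.parse import unquote, urlsplit


def _normalize(target):
    """Undo the tricks in the slide's bypass list before judging the target."""
    # Bounded repeated percent-decoding: catches "/%09/" and double-encoded slashes.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    # Browsers treat "\" as "/" in http(s) URLs and ignore tab/newline anywhere in the URL.
    target = target.replace("\\", "/")
    target = "".join(ch for ch in target if ord(ch) >= 0x20 and ch != "\x7f")
    return target.strip()


def is_safe_redirect(target):
    """Accept only a path-absolute target on our own origin, e.g. '/account/settings?tab=1'."""
    if not target:
        return False
    normalized = _normalize(target)
    try:
        parts = urlsplit(normalized)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme or parts.netloc:
        return False  # http://host, //host, javascript:, data:, ...
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False  # "host.tld" (relative) or "///host" (browsers read that as an authority)
    return True


def safe_redirect_target(target, default="/"):
    """What the redirect handler should actually emit in the Location header."""
    return _normalize(target) if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed targets: the first two are legitimate, the rest are the slide's bypass shapes.
    for t in ("/account/settings?tab=1", "/", "//google.com", "\\/\\/google.com",
              "/\\/\\google.com", "/%09/google.com", "%2F%2Fgoogle.com",
              "http://google.com", "javascript:alert(1)", "google.com"):
        print(repr(t), "->", repr(safe_redirect_target(t)))
```

If the application genuinely needs to redirect off-site (an OAuth flow, a partner link), compare the parsed host against an explicit allowlist after the same normalization; a denylist of the shapes above is exactly what the slide shows being bypassed.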
Remote file includes and redirects
RFI Common Parameters or Injection points:
     File=          document=
     Folder=        root=
     Path=          pg=
     style=         pdf=
     template=      doc=
     php_path=
Command injection
https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/os-cmd-execution/command-execution-unix.fuzz.txt
https://github.com/stasinopoulos/commix
Malicious File Upload ++
File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
 ●   content type spoofing
 ●   extension trickery
 ●   File in the Hole! presentation - http://goo.gl/VCXPh6
Malicious File Upload ++
This is an important and common attack vector in this type of testing.
File upload functions need a lot of protections to be adequately secure.
Attacks:
 ●   Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++), web shells or...
 ●   Execute XSS via same types of files. Images as well!
 ●   Attack the parser to DoS the site, or XSS via storing payloads in metadata or file header
 ●   Bypass security zones and store malware on target site via file polyglots
Malicious File Upload ++
As referenced, file polyglots can be used to store malware on servers!
See @dan_crowley's talk: http://goo.gl/pquXC2
and @angealbertini's research: corkami.com
     CSRF
CSRF
Everyone knows CSRF, but the TLDR here is: find sensitive functions and attempt to CSRF.
Burp's CSRF PoC is fast and easy for this:
CSRF
Many sites will have CSRF protection, so focus on CSRF bypass!
Common bypasses:
     ●    Remove CSRF token from request
     ●    Remove CSRF token parameter value
     ●    Add bad control chars to CSRF parameter value
     ●    Use a second identical CSRF param
     ●    Change POST to GET
Check this out...
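Each bypass above corresponds to one check a token validator can get wrong. As an added example (not from the deck, and not Burpy), the Python below issues a session-bound HMAC token and gates a state-changing request so that a removed token, an emptied value, appended control characters, a duplicated parameter, a GET instead of a POST, or a token minted for another session is refused. The token format, form field name and session identifiers are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Per-process key for this example; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_FIELD = "csrf_token"  # constructed form field name


def _mac(session_id, nonce):
    return hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token bound to the session: nonce + "." + HMAC(secret, session_id:nonce).

    Binding to the session id means a token lifted from one session is useless in another.
    """
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def csrf_token_valid(session_id, token):
    """Strict parse of the token shape, then constant-time comparison of the MAC."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if not nonce or not mac:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_state_change(method, params, session_id):
    """Gate a sensitive action. `params` is the parsed body as a list of (name, value) pairs.

    Returns (status, reason). Each early return maps to one bypass on the slide.
    """
    if method != "POST":
        return 405, "state-changing actions are POST only"  # "change POST to GET"
    values = [value for name, value in params if name == TOKEN_FIELD]
    if len(values) != 1:
        return 403, "exactly one CSRF token required"  # token removed, or a second identical param
    if not csrf_token_valid(session_id, values[0]):
        return 403, "CSRF token invalid"  # emptied value, control chars appended, or another session's token
    return 200, "ok"


def run_bypass_checks():
    """Replay the slide's bypass list against the handler; returns {case: status}."""
    sid = "session-A"  # constructed session identifiers
    good = issue_csrf_token(sid)
    body = [("email", "new@example.com")]
    cases = {
        "valid request": ("POST", body + [(TOKEN_FIELD, good)], sid),
        "token removed": ("POST", body, sid),
        "token value emptied": ("POST", body + [(TOKEN_FIELD, "")], sid),
        "control chars in token": ("POST", body + [(TOKEN_FIELD, good + "\x00\r\n")], sid),
        "second identical param": ("POST", body + [(TOKEN_FIELD, good), (TOKEN_FIELD, good)], sid),
        "POST changed to GET": ("GET", body + [(TOKEN_FIELD, good)], sid),
        "token from another session": ("POST", body + [(TOKEN_FIELD, good)], "session-B"),
    }
    return {name: handle_state_change(method, params, session)[0]
            for name, (method, params, session) in cases.items()}


if __name__ == "__main__":
    for case, status in run_bypass_checks().items():
        print(status, case)
```

The two details that most often go missing in real validators are the `len(values) != 1` rule (frameworks that return the first or last duplicate silently accept the "second identical param" trick when one copy is forged) and the method check, which is what makes "change POST to GET" fail before the token is even looked at.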
CSRF
Debasish Mandal wrote a Python tool to automate finding CSRF bypasses called Burpy.
Step 1: Enable logging in Burp. Crawl a site with Burp, completely executing all functions.
Step 2: Create a template...
CSRF
Or focus on pages without the token in Burp:
https://github.com/arvinddoraiswamy/mywebappscripts/blob/master/BurpExtensions/csrf_token_detect.py
CSRF
CSRF Common Critical functions:
     Add / Upload file
     Email change
     Delete file
     Password change
     Transfer money / currency
     Profile edit
     Privilege, Transport, Logic
Privilege
Often logic, priv, and auth bugs are blurred.
Testing user priv:
1. admin has power
2. peon has none
3. peon can use function only meant for admin
Privilege
1. Find site functionality that is restricted to certain user types
2. Try accessing those functions with lesser/other user roles
3. Try to directly browse to views with sensitive information as a lesser priv user

Common Functions or Views:
     Add user function
     Delete user function
     start project / campaign / etc. function
     change account info (pass, CC, etc.) function
     customer analytics view
     payment processing view
     any view with PII

Autorize Burp plugin is pretty neat here...
     https://github.com/Quitten/Autorize
1. Browse using high priv user
2. Login with a lower priv user
3. Burp plugin re-requests to see if low priv can access high priv
Insecure direct object references
IDORs are commonplace in bounties, and hard to catch with scanners.
Find any and all UIDs
 ● increment
 ● decrement
 ● negative values
 ● Attempt to perform sensitive functions substituting another UID
     ○ change password
     ○ forgot password
     ○ admin only functions
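The Autorize workflow on the previous slide (browse as the high-privilege user, replay as the low-privilege one) and the UID rotation above are the same test from the tester's chair. This added example (not from the deck, and not Autorize's code) shows the control under test and a regression check for it in Python: a lookup that returns any receipt by id beside one that enforces ownership or an admin role, and a replay over a constructed id range (including negative and out-of-range values) reporting which ids hand a user someone else's record. `RECEIPTS`, `USERS` and the id range are constructed for the illustration.

```python
# Constructed data: receipts keyed by a sequential integer id, the shape the slide's
# "find any and all UIDs" advice assumes. Not from the deck.
RECEIPTS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 9.99},
    1003: {"owner": "alice", "total": 120.00},
    1004: {"owner": "carol", "total": 5.50},
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}  # constructed role table


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so the response does not reveal which."""


def get_receipt_vulnerable(current_user, receipt_id):
    """IDOR: the id is trusted and the caller is never checked against the record."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        raise NotFound(receipt_id)
    return receipt


def get_receipt(current_user, receipt_id):
    """Object-level authorization: the record must belong to the caller, or the caller is an admin."""
    receipt = RECEIPTS.get(receipt_id)
    authorized = receipt is not None and (
        receipt["owner"] == current_user or USERS.get(current_user) == "admin"
    )
    if not authorized:
        raise NotFound(receipt_id)
    return receipt


def probe_sequential_ids(handler, current_user, id_range):
    """Autorize-style regression check, run in-process against the handler.

    Calls `handler` as a low-privilege `current_user` for every id in `id_range` and
    returns the ids that came back holding another user's record. Empty means the
    authorization check held.
    """
    leaked = []
    for receipt_id in id_range:
        try:
            receipt = handler(current_user, receipt_id)
        except NotFound:
            continue
        if receipt["owner"] != current_user:
            leaked.append(receipt_id)
    return leaked


if __name__ == "__main__":
    ids = list(range(-1, 2)) + list(range(1000, 1006))  # negative, zero, and around the real ids
    print("vulnerable:", probe_sequential_ids(get_receipt_vulnerable, "bob", ids))
    print("hardened:  ", probe_sequential_ids(get_receipt, "bob", ids))
```

Two design points worth copying: the authorization decision lives next to the data access (so no new endpoint can forget it), and the forbidden and missing cases produce the same response, which removes the oracle that lets a tester map which ids exist.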
IDORs
Common Functions, Views, or Files:
     Everything from the CSRF table, trying cross-account attacks
     Sub: UIDs, user hashes, or emails
     Images that are non-public
     Receipts
     Private files (pdfs, ++)
     Shipping info & purchase orders
     Sending / deleting messages
Transport
Most security-conscious sites will enable HTTPS. It's your job to ensure they've done it EVERYWHERE. Most of the time they miss something.
Examples:
 ●   Sensitive images transported over HTTP
 ●   Analytics with session data / PII leaked over HTTP
     Transport
        https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/ForceSSL
     Logic
     Logic flaws that are tricky, mostly manual:
      ●   substituting hashed parameters
      ●   step manipulation
      ●   use negatives in quantities
      ●   authentication bypass
      ●   application level DoS
      ●   Timing attacks
     Auxiliary
     The vulns formerly known as “noise”
     ●   Content Spoofing or HTML injection
     ●   Referer leakage
     ●   security headers
     ●   path disclosure
     ●   clickjacking
     ●   ++
How to test a web app in n minutes
How can you get maximum results within a given time window?
Data Driven Assessment (diminishing return FTW)
1.   Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
2.   Scan those specific functions with Burp's built-in scanner
3.   Check your cookie, log out, check cookie, log in, check cookie. Submit old cookie, see if access.
4.   Perform user enumeration checks on login, registration, and password reset.
5.   Do a reset and see if the password comes plaintext, uses a URL-based token, is predictable, can be used multiple times, or logs you in automatically
6.   Find numeric account identifiers anywhere in URLs and rotate them for context change
7.   Find the security-sensitive function(s) or files and see if vulnerable to non-auth browsing (IDORs), lower-auth browsing, CSRF, CSRF protection bypass, and see if they can be done over HTTP.
8.   Directory brute for top short list on SecLists
9.   Check upload functions for alternate file types that can execute code (XSS or php/etc/etc)
~ 30 minutes
Things to take with you...
1.   Crowdsourced testing is different enough to pay attention to
2.   Crowdsourcing focuses on the 20% because the 80% goes quick
3.   Data analysis can yield the most successfully attacked areas
4.   A 15 minute web test, done right, could yield a majority of your critical vulns
5.   Add polyglots to your toolbelt
6.   Use SecLists to power your scanners
7.   Remember to periodically refresh your game with the wisdom of other techniques and other approaches
Follow these ninjas who I profiled: https://twitter.com/Jhaddix/lists/bninjas
Bug Hunters Methodology
This preso ended up being way too much to fit in a 45 min talk. 50% of research still unparsed:
 ●   More tooling to automate
 ●   XXE and parser attacks
 ●   SSRF
 ●   Captcha bypass
 ●   Detailed logic flaws
 ●   More mobile
Meme Count: 13
Attribution and Thanks
Tim Tomes - Recon-ng
Joe Giron - RFI params
Soroush Dalili - File in the Hole preso
Mathias Karlsson - polyglot research
Ashar Javed - polyglot/XSS research
Ryan Dewhurst & WPScan team
Bitquark - for being a ninja, bsqli string
rotlogix - Liffy LFI scanner
Arvind Doraiswamy - HTTPS, CSRF Burp plugins
Barak Tawily - Autorize Burp plugin
the RAFT list authors
Ferruh Mavituna - SVNDigger
Jaime Filson aka wick2o - GitDigger
Robert Hansen aka rsnake - polyglot / XSS
Dan Crowley - polyglot research
Daniel Miessler - methodology, slide, and data contributions
My awesome team at Bugcrowd (Jon, Tod, Shpend, Ben, Grant, Fatih, Patrik, Kati, Kym, Abby, Casey, Chris, Sam, Payton ++)
Rootcon & all the bug hunting community!!!
     Mobile
Data Storage
It's common to see mobile apps not applying encryption to the files that store PII.
Common places to find PII unencrypted:
     Phone system logs (available to all apps)
     WebKit cache (cache.db)
     plists, dbs, etc.
     hardcoded in the binary
Quick spin-up for iOS
Daniel Mayer's idb tool:
Logs!