Testers, get into security bug bounties!
by Eusebiu Blindu
CzechTest 2013
Page 2
I am a tester, not a security expert
Page 6
http://www.utest.com/
Page 7
• potential cash
• some reputation
• experience
• skill improvement
Page 8
• "It's hard and I never did security
stuff before" (psychological)
• "I don't have the skills" (technical)
• "I don't have time, I have to do something else, I can't fit it in my schedule" (logistics)
Page 9
• you don't have to fully hack a site and expose a major flaw in order to be rewarded in security bug bounties
• you don't have to know that "much" to get started in sending bug reports
• you don't need to be an expert in the field of security
Page 10
• Try to find small vulnerabilities
• Try bug bounty programs that don't offer cash, only mentions
• Try to read blogs containing reports of already rewarded bugs
Page 11
• A tester has the reflex of finding and sending general bug reports
• Can send "without shame" a bug report without fear of rejection
• Has a lot of skills that can be focused on security
Page 12
Reasons:
• it is usually rewarded by every bug bounty program
• most feasible to look for (considering time spent, chances of finding and the reward value)
• for testers it should be easy, because there is not too much new technical knowledge
Page 13
(for testers to understand)
Simply put: "Make the website popup a window with your desired message on the vulnerable domain by inserting an input"
(but read more about it on the "internets"...)
Page 15
(... a tester might ask)
• With an XSS you can attack other users (not the server)
• It's one of the most common attacks
Page 16
1) Attacker sends email with a link to victim
2) Victim clicks on the link
3) Attacker steals session cookie and has access to victim's account
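The XSS description on page 13 and the three-step scenario above, shown in working code. This is an added example, not code from the talk: a page that echoes a "name" parameter, once unescaped (the popup appears) and once escaped (it does not), plus the cookie attributes that stop step 3 from reading the session cookie out of document.cookie. The page template, the cookie name and the probe string are all constructed for illustration.

```javascript
// Added example (not from the talk): a reflected-XSS bug beside its fix, plus the cookie
// flags that blunt the session-theft scenario. The page template and the cookie name are
// assumptions made for this illustration.

// Escape the five characters that change meaning inside an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the untrusted "name" value is pasted straight into the page markup.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// Fixed: the same page, with the untrusted value escaped before it enters HTML.
function renderGreetingSafe(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// The tester's check: does a script element survive into the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Step 3 of the scenario relies on the session cookie being readable by script.
// HttpOnly removes it from document.cookie; Secure and SameSite limit where it is sent.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed probe: the classic "pop up a window" input a tester would try.
const PROBE = '<script>alert(document.domain)</script>';

console.log('vulnerable page:', renderGreetingVulnerable(PROBE));
console.log('fixed page:     ', renderGreetingSafe(PROBE));
console.log('Set-Cookie:     ', sessionCookieHeader('opaque-session-id'));
```

Escaping is context-specific: the function above is correct for HTML text and quoted attribute values, and a value placed inside a script block, a URL or a CSS rule needs a different encoder. The cookie flags are a second line of defence, not a substitute for fixing the injection.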
Page 17
• error pages
• server banner pages
• clickjacking
Page 19
• paid much more
• harder to find
• requires more "out of the box" thinking
• needs a little bit of luck
• can be found as a result of one or more low-level bug findings
Page 23
• https://www.site_to_be_tested.com/
• https://www.site_to_be_tested.com/download?filename=D://www_content/reports/12_01_2010.csv
Page 24
• Main tool should be your brain
• Scanners: Acunetix WVS, Burp Suite Pro, Dirbuster, SqlMap
• Visibility : Fiddler2
• Flash: HP SWFScan
• ... and Google Advanced Search
Page 26
• it will show you types of bugs on a website that you might not be familiar with
• do a crawling of a website
• do certain activities faster than you
• find occasionally small or medium bugs that are rewardable
Page 27
• think like a human
• find major flaws
• it will find lots of false positives (fake bugs)
• guarantee a totally safe product
Page 28
Recommendation:
You can use the tool at the beginning, after you have identified an area. Then try manually, with complex steps and deeper investigation.
Page 29
Battlefield attack
Bug bounty field
Small Plan
Know where you can search for bugs
Page 30
• more chances to find bugs in newer bug bounty programs
• more chances to find bugs in newly added functionalities
• more chances to find bugs in products that are part of new acquisitions
Page 32
• you have to be faster than the competition, especially at the beginning of a new bug bounty program
• you have to be more creative than the competition to find complex issues
Page 33
• you can learn from what others already reported before you
• a little bit of healthy competition increases motivation
• the application will seem easier to hack after you have seen someone else do it
Page 34
• read the requirements and see what is rewardable
• list all the rewardable domains
• list all the rewardable subdomains
(see if Android or iOS platforms are rewardable etc)
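Listing the rewardable domains and subdomains is easier to keep straight if the list is turned into a check you can run against every host you come across. As an added example, not code from the talk, here is a small scope matcher: exact entries, "*." wildcards, an out-of-scope list that wins over the in-scope list, and a helper for URLs copied from a crawler log. The program rules in the block are constructed for illustration, not any real program's scope.

```javascript
// Added example (not from the talk): a scope matcher built from a program's list of
// rewardable domains and subdomains. PROGRAM_SCOPE is a constructed sample policy.

const PROGRAM_SCOPE = {
  inScope: ['www.example.com', '*.api.example.com', 'example-mobile.com'],
  outOfScope: ['staging.api.example.com'],
};

// Lower-case and drop a trailing dot so "WWW.EXAMPLE.COM." compares equal to the entry.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// "*.api.example.com" matches any host strictly below api.example.com; an exact entry
// matches only itself. The wildcard keeps the leading dot in the suffix so that
// "notapi.example.com" cannot pass as a subdomain.
function hostMatches(pattern, host) {
  const h = normalizeHost(host);
  const p = normalizeHost(pattern);
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".api.example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return h === p;
}

// Out-of-scope entries take precedence, mirroring how program rules are usually written.
function isRewardableHost(host, scope = PROGRAM_SCOPE) {
  if (scope.outOfScope.some(p => hostMatches(p, host))) return false;
  return scope.inScope.some(p => hostMatches(p, host));
}

// For URLs taken from a report or a crawler log; anything that is not a URL is out.
function isRewardableUrl(url, scope = PROGRAM_SCOPE) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false;
  }
  return isRewardableHost(host, scope);
}

// Reduce a list of discovered hosts to the ones a report could be rewarded for.
function filterRewardable(hosts, scope = PROGRAM_SCOPE) {
  return hosts.filter(h => isRewardableHost(h, scope));
}

// Constructed sample of hosts that might turn up while reading about the product.
const DISCOVERED = [
  'www.example.com',
  'v1.api.example.com',
  'staging.api.example.com',
  'api.example.com',
  'notapi.example.com',
  'www.example.com.evil.test',
];
console.log('rewardable:', filterRewardable(DISCOVERED));
```

Whether the bare apex of a wildcard entry ("api.example.com" for "*.api.example.com") counts as in scope differs between programs; the matcher above treats it as out, so add it as an exact entry when the rules say otherwise.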
Page 35
• read bug bounty requirements
• read about the product (on main website for example)
• read what was rewarded (social media, blogs, news articles)
• domains similar to the known valid ones
• whois records for domains belonging to the same company
• decrypt data from client app (Desktop,Android,iOS)
Page 36
• DNS records lookup
• similar (consecutive) IPs to those of other valid subdomains
• brute force possible subdomain names ("qa.domain.com", "db.domain.com")
• Google search: "site:domain.com", "site:domain.com -site:www.domain.com"
• data analysis (image files on the main site may be hosted on a different, previously unknown subdomain)
Page 37
Just send something!
Page 39
• tools (they help, but they are not the main thing)
• learning about the business logic and complex functionality helps
• similar bugs in another area could exist
• the same techniques work differently for different people
Page 40
• hack the database by finding credentials using scanners and manually analyzing files
• hack the database credentials by decompressing a flash file
• hack the database credentials by using an unfiltered download functionality
Page 41
• keep an open mind (Avoid "I will use only Ubuntu")
• overcome fear of succeeding (subconscious fear of winning, fear of envious reprisals at the workplace)
• see more ideas and approaches (social media)
• avoid "expert complex" (fear of trying "stupid" stuff)
Page 42
• social media can help you
• your personal standards rise, so you aim higher
Page 43
• there are not too many testers to promote it
• the current format of bug bounties is new
• seen as a separate domain
Page 44
Give security bug bounties a try
And...
See if it works for you