sagar.parmar@owasp.org
Bug Bounty Battlefield
Null_Mumbai Humla Session
$$Bug_Bounty$$
#whoami
• Sagar M Parmar
• Active #$> Synack Red Team
• <3 $$ Bug Bounties.
• Working as a Security Analyst at Network Intelligence India Pvt. Lt
• Chapter Leader of OWASP_Jodhpur
• Email: sagar.parmar@owasp.org
• Follow> https://twitter.com/sagarparmar121
$$> Bug Bounty <$$
• What is Bug Bounty?
• I am new, how should I start?
• How should I take it forward?
• How should I become Pro?
• What should I do when I am Pro?
• What is bug bounty?
Also called a VRP (Vulnerability Reward Program).
• Company (Security Team/Vendor)
Improve security, grow the business,
create a program.
Offer cash, HOF (Hall of Fame), swag.
Acknowledge your work.
• Researchers / Bug Hunters
Hit the target and get bugs.
Sometimes duplicates, sometimes $$$, sometimes swag,
sometimes HOF, sometimes only thanks :P
Recheck the bug after the fix.
• A Brief History of Bug Bounty Programs.
Google ~ 30k USD
Facebook ~ 40k USD
Yahoo ~ 15k USD
PayPal, GitHub, AT&T, Twitter, Square,
Mozilla, Microsoft etc.
Well-known Platform,
- 2012
- 2013
- 2013
Popular Platform
BugCrowd
Managed Security Program for Company
27125 worldwide researchers
250+ Programs
HackerOne H1
Security Inbox for Company
200+ Public Program
SynAck
Private Bug Bounty Program
Everyone wants to join
I am new, how should I start?
Do's
• Learn about your target.
• Pick any company.
• Learn about it thoroughly: its services, all subdomains, all mobile applications.
• Monitor any changes.
• Read the program rules carefully.
• Expect to learn something new.
• Give respect to breakers, defenders and decisions.
Don'ts
• I want money, I don't care about your policy.
• But that X company gives money for this.
• I will hack you to the death.
• F**k the repeater, I love Burp Scanner, Acunetix.
• I love cookies & session related bugs and version disclosure.
• SQLmap is good only when risk=3
Have Some <Patience>
• Duplicate
• Wait for response time
• Forget about submission.
• Learn and find new Bugs
• Find New target.
• Go as deep as possible (Chain attack)
• NEVER Ever run a Scanner.
• Do Manual testing.
Tips
• Make a list of all vulnerability types.
• Make a database of all target types, like:
PHP, ASP, WordPress, Apache, Angular.
• Make a list of all public exploits.
• Do fuzzing.
• Create Google Alerts for page changes in the list
of bounty programs, or anything else of
your choice.
Private Target
• site:ohmylovelywebsite.com -repetitive_pages -www -forums -answers -discussions
• inurl:src|path|link|url
• - filetype:asp|aspx|jsp|jspa|php
• intitle:bitcoin|money
• Shodan - Computer Search Engine
• Use this for finding domains/services which are not exposed.
NerdyData>> Search Engine
• Source code search engine – search for specific vulnerable code. Any match
with the target site is a good lead.
Bing: IP Search
Yandex: Awesome Search Engine.
Bug Bounty Report Format
Vulnerability Reporting
------------------------------
Vulnerability Name :
Vulnerability Description & Impact :
Vulnerable URL :
Vulnerable Parameter :
Payload Used :
Steps to Reproduce :
How to Fix (Recommendation) :
Proof of Concept (Screenshot) :
Or
Video POC
Private Target Approach
Find the support email ID on the website or with the help of Google and other search engines.
Wait for a response after submitting the vulnerability.
But I want more money..
• Look out for less exposed areas of the site.
• Injection attacks: everyone is doing them.
• Authorization issues are hard to find, fewer duplicates.
• Privilege escalation on a least exposed entity in the site has a good chance of hitting a good bug.
Much More Money…
• Make a checklist of test cases.
• Divide it in two parts.
• Normal bugs
• Everyone knows about them.
• Abnormal bugs.
• You / Someone else found this.
• Only active researchers know about them.
Hell lot of money…
• Find more logical bugs.
• ~ More money
• ~ Less dupes
• ~ More reputation
• Read blogs. Voila! What a bug! I will test this too.
• OMG! I tested this app too. Why did I miss it?
• Be aware of every damn new test case to hit a bug.
• One NEW + UNIQUE + CRITICAL bug to rule them all.
How should I take it forward?
XSS (Cross Site Scripting)
Cross-site scripting is a type of attack in which an attacker injects malicious script into a web application.
The injected content can be of many types, like JavaScript, XML or HTML. With this the attacker can do many things,
like cookie stealing, changing content, phishing and more.
Payload:
"><script>alert(1)</script>
/* is this blocked? try other payloads and check the behaviour of the WAF */
"><img src=x onerror=alert(1)>
"><svg/onload=alert(1)>
<a href=javascript:alert(1)>helloxss
Also try other event handlers like:
(onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy,
onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint,
onbeforeunload, onbeforeupdate, onblur… many more…)
Payload: Test" onfocus=alert(1) autofocus="
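Added example (not from the deck): the input field the attribute-context payload above targets, rendered with and without attribute encoding, plus a small html.parser audit that reports which tags and on* handlers a browser would actually see, so a fix can be verified rather than eyeballed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs: the attribute-context and tag-injection payloads quoted on the slide.
ATTRIBUTE_PAYLOAD = 'Test" onfocus=alert(1) autofocus="'
IMG_PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_unsafe(value):
    """Vulnerable: the user value is pasted straight into a quoted attribute."""
    return f'<input type="text" name="q" value="{value}">'


def render_safe(value):
    """Hardened: quote=True encodes " and ' as well, so the attribute cannot be closed early."""
    return f'<input type="text" name="q" value="{escape(value, quote=True)}">'


class _Audit(HTMLParser):
    """Records the tags and on* event-handler attributes the parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))

    # Treat self-closing tags (<svg/onload=...>) the same as opening tags.
    handle_startendtag = handle_starttag


def audit(fragment):
    """Parse a rendered fragment and report which tags and event handlers it contains."""
    parser = _Audit()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers}


if __name__ == "__main__":
    for payload in (ATTRIBUTE_PAYLOAD, IMG_PAYLOAD):
        print("unsafe:", audit(render_unsafe(payload)))
        print("safe:  ", audit(render_safe(payload)))
```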
XSS (Cross Site Scripting)
Try Harder!!
Lesser known tags and event handlers
SQLi (Structured Query Language Injection)
What: SQL injection is a type of attack in which the attacker passes a malicious query
and exploits the backend database to get database information.
Which vulnerability: authentication bypass is one resulting vulnerability.
Types: 3 types of SQL injection: (1) union based, (2) error based, (3) blind SQL injection.
How To Check For SQL Injection?
1. Check any user input with quotes (single ' or double " or /) to see whether it breaks the SQL query or
not.
2. If some content is missing or an error appears, then do further testing.
3. Balance the SQL query by using quotes and SQL comments like (#, -- -).
4. Find the number of columns used in the table of the running query.
Eg: username=admin' order by 1-- - loads normally
username=admin' order by 2-- - loads normally
username=admin' order by 3-- - gives error/content missing
Which means there are only 2 columns.
SQLi
5. Create/join another row using the UNION clause.
Eg. username=admin' union select 1,2-- -   // will create another row
6. Make the original query false by using some Boolean logic like:
Eg. username=admin' and 1=2 union select 1,2-- -   // will create another row
This will make the column(s) be shown in the page.
7. Now you can extract information by using SQL queries in the visible column.
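Added example (not from the deck) working the order by / union probes from steps 4 to 6 against a constructed in-memory SQLite users table: the concatenating query behaves exactly as the slide describes, while the parameterised one treats the same strings as a username and simply returns nothing.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the target's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input becomes part of the SQL text, so quotes and comments are honoured."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: a bound parameter is compared as a value and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn, lookup, username):
    """Report what the slide calls 'loads normally' versus 'gives error / content missing'."""
    try:
        return ("ok", lookup(conn, username))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("admin' order by 2-- -", "admin' order by 3-- -",
                  "admin' and 1=2 union select 1,2-- -"):
        print(repr(value), "concatenated:", probe(db, lookup_vulnerable, value))
        print(repr(value), "parameterised:", probe(db, lookup_safe, value))
```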
SSRF (Server Side Request Forgery)
• Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker
has the ability to create requests from the vulnerable server.
• Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the
firewall that are normally inaccessible from the outside world (but using SSRF it’s
possible to access these systems).
• With SSRF it's also possible to access services on the same server that are
listening on the loopback interface.
How to Look for SSRF?
1. Check for different requests where some parameter contains a URL to an external/
internal hostname/IP.
2. Try putting your own IP/hostname in that parameter and simply check your server
logs.
3. If there is a request in the logs from their IP, then you need to look for internal services.
4. You can do various things like port scanning, fingerprinting services, and also use their server
as a proxy to attack others.
5. You can enter http://localhost:port to check for services, or if it's blocked you could use
127.0.0.1, or the IPv6 localhost: http://[::]:port
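Added example (not from the deck), from the defending side of steps 1 to 5: a URL gate that refuses the localhost, 127.0.0.1 and [::] forms named above, IPv4-mapped IPv6, link-local and private ranges, and resolves other hostnames through an injectable resolver (socket.getaddrinfo by default; the hostnames and addresses in the test are constructed).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that would otherwise reach the resolver and come back as 127.0.0.1 / ::1.
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}


def default_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS; replaced in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(ip):
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def ssrf_verdict(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched by the server."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "blocked: scheme"            # file:, gopher:, dict: and friends are never allowed
    host = parts.hostname                   # lower-cased, with the [ ] of IPv6 literals removed
    if not host:
        return "blocked: no host"
    if host in BLOCKED_HOSTNAMES:
        return "blocked: hostname"
    try:
        addresses = [ipaddress.ip_address(host)]      # literal IP, including [::] and [::1]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return "blocked: unresolvable"
    if not addresses or any(_is_internal(a) for a in addresses):
        return "blocked: internal address"
    return "allowed"


if __name__ == "__main__":
    for candidate in ("http://localhost:8080/", "http://127.0.0.1:22/", "http://[::]:80/",
                      "http://[::ffff:10.0.0.1]/", "file:///etc/passwd", "http://8.8.8.8/"):
        print(candidate, "->", ssrf_verdict(candidate))
```

Resolve once and connect to the address you checked; a second lookup at connect time can return a different answer than the one that passed the gate.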
LFI (Local File Inclusion)
Local File Inclusion (also known as LFI) is the process of including files, that are already locally
present on the server, through the exploiting of vulnerable inclusion procedures
implemented in the application. This vulnerability occurs, for example, when a page receives,
as input, the path to the file that has to be included and this input is not properly sanitized,
allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most
examples point to vulnerable PHP scripts, we should keep in mind that it is also common in
other technologies such as JSP, ASP and others.
How To Check for Inclusion Vulnerabilities?
1. Check for parameters where you feel there's another file included.
Eg: http://www.site.com/?page=somepage
http://www.site.com/?file=somepage.php
2. Use the file:// protocol or directory traversal techniques to read files like:
Eg: http://www.site.com/?page=../../../../../../etc/passwd   # for *nix
http://www.site.com/?page=C:/Windows/System32/drivers/etc/hosts   # for Windows
3. Also you could use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts
4. For PHP-specific applications you could use the php://filter wrapper to read files too.
5. It could be used to escalate to RCE in some cases where you are able to include external files
or use the data: wrapper (Remote File Inclusion).
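Added example (not from the deck): how a ?page= parameter can be confined so the traversal, file:// and php://filter requests from steps 2 to 4 are refused; PAGES_ROOT is an assumed document root and the requests in the test are constructed.

```python
import posixpath

# Assumed document root where includable page templates live (not from the slide).
PAGES_ROOT = "/var/www/app/pages"
# Stream wrappers and schemes that a local "page" parameter should never name.
BLOCKED_PREFIXES = ("file:", "php:", "data:", "http:", "https:", "ftp:")


def resolve_include(requested, root=PAGES_ROOT):
    """Map ?page=<requested> to an absolute path under root, or return None to refuse it."""
    if "\x00" in requested:
        return None                        # null byte: truncation trick against extension checks
    lowered = requested.lower()
    if lowered.startswith(BLOCKED_PREFIXES) or "://" in lowered:
        return None                        # file://, php://filter, data: are wrappers, not pages
    if posixpath.isabs(requested):
        return None                        # absolute paths bypass the root entirely
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath rather than startswith, so /var/www/app/pages_old is not mistaken for root.
    if posixpath.commonpath([root, candidate]) != root:
        return None                        # ../ walked out of the page directory
    return candidate


if __name__ == "__main__":
    for req in ("somepage.php", "../../../../../../etc/passwd",
                "file:///etc/passwd", "php://filter/resource=somepage.php"):
        print(repr(req), "->", resolve_include(req))
```

normpath does not follow symlinks; on a real filesystem resolve the final path with os.path.realpath (or, better, map page names through an allowlist) before including it.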
Remote Code Execution (RCE)
In computer security, arbitrary code execution or remote code execution describes an attacker's
ability to execute any commands of the attacker's choice on a target machine or in a target process.
It happens when user input is unvalidated and used directly in command-line arguments or in
eval-like functions.
How to Check For RCE?
1. Fuzz every possible parameter/user input for command execution.
2. Vulnerabilities like RCEs are found much more often when the source code is available.
3. Functionalities like "pinging" and "dns" lookups should be tested well for RCE.
4. Various ways for testing command execution:
1. Pipes (|) or || (double pipes) eg: ||ls
2. Ampersand (&) or double ampersand (&&) eg. & dir
3. $(ls) /* For *nix only */
4. (Backticks) `ls` /* For *nix only */
5. Maybe some switches/options related to running commands could be used.
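Added example (not from the deck) for the "pinging" feature named in step 3: the shell-string form that the separators in step 4 break out of, the argv form that does not, and a metacharacter check usable on request logs; the hostnames in the test are constructed.

```python
import re
import subprocess

# Separators and substitution syntax from the slide's list (| || & && $( ) backtick), plus ; and newlines.
_SHELL_META = re.compile(r"[|&;`$()<>\n\r]")
# RFC 1123-style hostname label; dotted IPv4 literals match as well.
_HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_HOST_LABEL}\.)*{_HOST_LABEL}$")


def looks_like_injection(value):
    """Detection aid: flag inputs carrying shell metacharacters (for log or WAF review)."""
    return _SHELL_META.search(value) is not None


def ping_command_unsafe(host):
    """Vulnerable: one shell string, so '8.8.8.8; ls' becomes two commands under shell=True."""
    return f"ping -c 1 {host}"


def ping_command_safe(host):
    """Hardened: validate the host, then build an argv list that never passes through a shell."""
    if len(host) > 253 or not _HOSTNAME.match(host):
        return None
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Execute the hardened form (needs network access; not exercised by the tests)."""
    argv = ping_command_safe(host)
    if argv is None:
        raise ValueError("rejected host")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    for value in ("example.com", "8.8.8.8; ls", "example.com && dir", "$(ls)", "`ls`"):
        print(repr(value), "metachar:", looks_like_injection(value),
              "argv:", ping_command_safe(value))
```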
How should I become PRO?
• Follow Top Researchers
• Read blogs
• Read about vulnerability
• Create your own logics
• Follow twitter
Reference Links or researcher blogs
XSS & Sqli:> http://securityidiots.com
http://www.pwntester.com
https://www.hackerone.com/resources/hack-learn-earn
www.geekboy.ninja
https://blog.bugcrowd.com/topic/bug-hunter-tips-and-tricks
Publicly disclosed HackerOne reports
All top researcher blogs and Twitter accounts.
Challenge>> cAPTURE tHE fLAG (CTF)
3L33t time starts :P
http://securityidiots.com/
null.co.in owasp.org
https://github.com/infosecninjaa/Bug_bounty_nulll

High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 

Bug bounty null_owasp_2k17

• 7. I am new, how should I start?
  Do's:
  • Learn about your target.
  • Pick any company.
  • Learn about it thoroughly: its services, all subdomains, all mobile applications.
  • Monitor any changes.
  • Read program rules carefully.
  • Expect to learn something new.
  • Give respect to breakers, defenders, decisions.
  Don'ts:
  • I want money, I don't care about your policy.
  • But, that X company gives money for this.
  • I will hack you to the death.
  • F**k the repeater, I love Burp Scanner, Acunetix.
  • I love cookies & session related bugs and version disclosure.
  • SQLmap is good only when risk=3.
• 8. Have Some <Patience>
  • Duplicate
  • Wait for response time
  • Forget about submission.
  • Learn and find new bugs
  • Find new target.
  • Go as deep as possible (chain attack)
  • NEVER ever run a scanner.
  • Do manual testing.
• 9. Tips
  • Make a list of all types of vulnerability.
  • Make a database of all types of targets, like: PHP, ASP, WordPress, Apache, Angular.
  • Make a list of all public exploits.
  • Do fuzzing.
  • Create Google Alerts for page changes in the list of bounty programs, or for any other thing of your choice.
• 10. Private Target
  • site:ohmylovelywebsite.com -repetitive_pages -www -forums -answers -discussions
  • inurl:src|path|link|url
  • -filetype:asp|aspx|jsp|jspa|php
  • intitle:bitcoin|money
• 11. Shodan
  • Shodan - Computer Search Engine
  • Use this for finding domains/services which are not exposed.
• 12. NerdyData >> Search Engine
  • Source code search engine: search for specific vulnerable code. Any match with the target site is good.
• 15. Bug Bounty Report Format
  Vulnerability Reporting
  ------------------------------
  Vulnerability Name :
  Vulnerability Description & Impact :
  Vulnerable URL :
  Vulnerable Parameter :
  Payload Used :
  Steps to Reproduce :
  How to Fix (Recommendation) :
  Proof of Concept (Screenshot) : or video PoC
• 16. Private Target Approach
  Find the support email id on the website, or with the help of Google and other search engines.
• 17. Wait for a response after submitting the vulnerability.
• 18. But I want more money..
  • Look out for less exposed areas of the site.
  • Injection attacks: everyone is doing it.
  • Authorization issues are hard to find, fewer duplicates.
  • Privilege escalations on a least exposed entity in the site have good chances of hitting a good bug.
• 19. Much More Money…
  • Make a checklist of test cases.
  • Divide it in two parts.
    • Normal bugs: everyone knows about them.
    • Abnormal bugs: you / someone else found this. Only active researchers know about them.
• 20. Hell lot of money…
  • Find more logical bugs.
    • ~ More money
    • ~ Less dupes
    • ~ More reputation
  • Read blogs. Voila! What a bug! I will test this too.
  • OMG! I tested this app too. Why did I miss it?
  • Be aware of every damn new test case to hit a bug.
  • One NEW + UNIQUE + CRITICAL bug to rule them all.
• 22. XSS (Cross Site Scripting)
  Cross-site scripting is a type of attack in which the attacker injects malicious script (JavaScript, XML, HTML) into a web application. With it the attacker can do many things: steal cookies, change content, phish users, and more.
  Payload:
  "><script>alert(1)</script>   /* is this blocked? try other payloads and check the behaviour of the WAF */
  "><img src=x onerror=alert(1)>
  "><svg/onload=alert(1)>
  <a href=javascript:alert(1)>helloxss
  Also try other event handlers like: onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur… many more…
  Payload:
  Test" onfocus=alert(1) autofocus="
• 23. XSS (Cross Site Scripting)
  Try Harder!! Lesser known tags and event handlers.
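Added example (not from the slides): the payloads above succeed only when input lands in HTML unescaped, so the fix side is output encoding in the right context. This block renders a constructed `<input value=...>` three ways and uses the standard library's HTML parser to check what a browser would actually see; note that the `onfocus ... autofocus` payload still works against an unquoted attribute even after escaping, which is why attributes must always be quoted.

```python
import html
from html.parser import HTMLParser

# Constructed samples of the payload shapes shown on the XSS slide.
PAYLOADS = [
    '"><script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    '"><svg/onload=alert(1)>',
    'Test" onfocus=alert(1) autofocus="',
]

def render_unsafe(value: str) -> str:
    """Vulnerable: user input pasted straight into a quoted attribute."""
    return f'<input type="text" value="{value}">'

def render_escaped_quoted(value: str) -> str:
    """Hardened: escape &, <, > and both quote characters inside a quoted attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'

def render_escaped_unquoted(value: str) -> str:
    """Still unsafe: without quotes a space ends the value and starts a new
    attribute, so escaping alone does not stop the onfocus/autofocus payload."""
    return f'<input type=text value={html.escape(value, quote=True)}>'

class _Audit(HTMLParser):
    """Records what a browser-like parser sees: every tag and every on* attribute."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def has_breakout(markup: str) -> bool:
    """True if the input escaped the intended <input> element or added an event handler."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.tags != ["input"] or bool(p.handlers)
```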
• 24. SQLi (Structured Query Language Injection)
  What: SQL injection is a type of attack in which the attacker passes a malicious query and exploits the backend database (reads database information).
  Example vulnerability: authentication bypass.
  Types: 3 types of SQL injection: (1) union based, (2) error based, (3) blind SQL injection.
  How To Check For SQL Injection?
  1. Check any user input with quotes (single ', double " or /) to see whether it breaks the SQL query or not.
  2. If some content is missing or an error appears, do further testing.
  3. Balance the SQL query by using quotes and SQL comments like (#, -- -).
  4. Find the number of columns used in the table of the running query.
     Eg: username=admin'order by 1-- -   loads normally
         username=admin'order by 2-- -   loads normally
         username=admin'order by 3-- -   gives error / content missing
     Which means there are only 2 columns.
• 25. SQLi
  5. Create/join another row using the UNION clause.
     Eg. username=admin' union select 1,2-- -   // will create another row
  6. Falsify the query using some Boolean logic, like:
     Eg. username=admin' and 1=2 union select 1,2-- -   // will create another row
     This will make the column(s) be shown in the page.
  7. Now you can extract the information by using SQL queries in the visible column.
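Added example (not from the slides) covering steps 4 to 7 from the defender's side: the same `order by N-- -` and `and 1=2 union select 1,2-- -` inputs are sent to a string-concatenated query and to a parameterised one. The database, table and rows are constructed for the demo (SQLite in memory); against the bound parameter every probe is just a username that does not exist.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, two columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin", "admin@example.invalid"),
        ("bob", "bob@example.invalid"),
    ])
    return conn

def lookup_vulnerable(conn, username: str) -> list:
    """Vulnerable: user input concatenated into the SQL text, so quotes,
    ORDER BY and UNION written by the user become part of the query."""
    sql = f"SELECT username, email FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username: str) -> list:
    """Hardened: bound parameter; the input can only ever be a string value."""
    sql = "SELECT username, email FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()

# The column-count probe from slide 24/25, exactly as a tester would type it.
PROBES = [
    "admin' order by 1-- -",
    "admin' order by 2-- -",
    "admin' order by 3-- -",
    "admin' and 1=2 union select 1,2-- -",
]

def run_probes(conn, lookup) -> dict:
    """Map each probe to the rows returned, or to the error text the DB raised."""
    results = {}
    for p in PROBES:
        try:
            results[p] = lookup(conn, p)
        except sqlite3.Error as exc:  # e.g. "ORDER BY term out of range"
            results[p] = f"error: {exc}"
    return results
```

Against `lookup_vulnerable` the third probe errors and the fourth returns the attacker's `(1, 2)` row, which is exactly the behaviour the slide describes; against `lookup_safe` every probe returns an empty result.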
• 26. SSRF (Server Side Request Forgery)
  • Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server.
  • Usually, SSRF attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it's possible to access these systems).
  • With SSRF it's also possible to access services on the same server that are listening on the loopback interface.
  How to Look for SSRF?
  1. Check for different requests where some parameter contains a URL to an external/internal hostname/IP.
  2. We could try putting our own IP/hostname in that parameter and simply check our server logs.
  3. If there is a request in the logs from their IP, then you need to look for internal services.
  4. You can do various things like port scanning, fingerprinting services, and also use their server as a proxy to attack others.
  5. You can enter http://localhost:port to check for services, or if it's blocked you could use 127.0.0.1, or the IPv6 localhost: http://[::]:port
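Added example (not from the slides): step 5 shows why a string blocklist on "localhost" is not a fix. The check below parses the URL, resolves the host, and refuses anything that maps to a loopback, private, link-local or unspecified address, including `127.0.0.1`, `[::]`, `[::1]` and IPv4-mapped IPv6. `fake_resolver`, the `.invalid` hostnames and 8.8.8.8 (used only as a stand-in for "some public address") are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def naive_check(url: str) -> bool:
    """Weak check: a string blocklist. 127.0.0.1, [::], [::1] and DNS names
    pointing at internal hosts all sail through."""
    return "localhost" not in url.lower()

def _blocked(ip) -> bool:
    """Loopback, private, link-local, unspecified ([::], 0.0.0.0), reserved, multicast."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 hides an IPv4 loopback
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def is_safe_target(url: str, resolver=socket.gethostbyname_ex) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses.
    `resolver` returns (name, aliases, [ip, ...]) like socket.gethostbyname_ex."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # not an IP literal: ask DNS, fail closed on any error
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)[2]]
        except (OSError, ValueError):
            return False
    return bool(addrs) and not any(_blocked(a) for a in addrs)

def fake_resolver(host: str):
    """Constructed stand-in for DNS: one public name, one name pointed at loopback."""
    table = {"api.example.invalid": ["8.8.8.8"], "evil.example.invalid": ["127.0.0.1"]}
    if host not in table:
        raise socket.gaierror(host)
    return host, [], table[host]
```

Resolution and the actual connection should use the same address (resolve once, connect to that IP), otherwise a DNS answer can change between the check and the request.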
• 27. LFI (Local File Inclusion)
  Local File Inclusion (also known as LFI) is the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.
  How To Check for Inclusion Vulnerabilities?
  1. Check for parameters where you feel another file is included.
     Eg: http://www.site.com/?page=somepage
         http://www.site.com/?file=somepage.php
  2. Use the file:// protocol or directory traversal techniques to read files, like:
     Eg: http://www.site.com/?page=../../../../../../etc/passwd   # for *nix
         http://www.site.com/?page=C:/Windows/System32/drivers/etc/hosts   # for Windows
  3. You could also use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts
  4. For PHP applications you could use the php://filter wrapper to read files too.
  5. It could be used to escalate to RCE in some cases where you are able to include external files, or use the data: wrapper (Remote File Inclusion).
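Added example (not from the slides): the safe side of a `?page=` handler. Every request is forced to be relative to one page directory, resolved with `realpath` (which collapses `../` and follows symlinks), and then checked for containment; stream wrappers (`file://`, `php://`, `data:`) and Windows drive paths are refused outright because they all carry a colon. `demo_dir` and its sample file are constructed for the demo.

```python
import os
import tempfile

def resolve_include(base_dir: str, user_page: str):
    """Map a ?page= style parameter to a file strictly inside base_dir.
    Returns the resolved absolute path, or None when the request must be refused."""
    base = os.path.realpath(base_dir)
    if not user_page or "\x00" in user_page:
        return None
    # php://, file://, data: and Windows drive letters (C:/) all contain a colon,
    # and none of them name a file under the page directory.
    if ":" in user_page:
        return None
    # Force a relative path: a leading slash would make os.path.join discard base.
    rel = user_page.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    # realpath has already collapsed ../ and followed symlinks, so a prefix test
    # on the result is the containment check. Refuse the directory itself too.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def include_page(base_dir: str, user_page: str) -> str:
    """Read the requested page or refuse; the app would render the returned text."""
    path = resolve_include(base_dir, user_page)
    if path is None:
        raise PermissionError(f"refused include: {user_page!r}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def demo_dir() -> str:
    """Constructed page directory with one sample page; returns its real path."""
    base = tempfile.mkdtemp(prefix="pages_")
    with open(os.path.join(base, "somepage.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'sample page'; ?>\n")
    return os.path.realpath(base)
```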
• 28. Remote Code Execution (RCE)
  In computer security, arbitrary code execution or remote code execution describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It happens when user input is unvalidated and used directly in command line arguments or in eval-like functions.
  How to Check For RCE?
  1. Fuzz every possible parameter / user input for command execution.
  2. Vulnerabilities like RCE are found much more often when source code is available.
  3. Functionalities like "pinging" and "dns" lookups should be tested well for RCE.
  4. Various ways of testing command execution:
     1. Pipe (|) or double pipe (||), eg: ||ls
     2. Ampersand (&) or double ampersand (&&), eg: & dir
     3. $(ls)   /* for *nix only */
     4. Backticks `ls`   /* for *nix only */
     5. Maybe some switches/options related to running commands could be used.
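Added example (not from the slides) for the "pinging" feature in point 3: the vulnerable pattern hands one string to a shell, the hardened version validates the host against a hostname allowlist and passes an argv list with no shell, and a small detector flags the separators from point 4 in URL-decoded request parameters. The access-log lines are constructed, not real traffic.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# One RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Separators and substitutions from the slide (| || & && $() ``) plus a few more shells honour.
META_RE = re.compile(r"[|&;`$(){}<>\n\r]")

def unsafe_command_line(host: str) -> str:
    """Vulnerable pattern: the parameter is pasted into one string handed to a shell."""
    return "ping -c 1 " + host

def ping_argv(host: str) -> list:
    """Hardened: allowlist-validate, then build an argv list so no shell ever parses it."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]

def rejects(host: str) -> bool:
    """True if ping_argv refuses the value."""
    try:
        ping_argv(host)
    except ValueError:
        return True
    return False

def run_ping(host: str) -> int:
    """shell=False (the default): metacharacters in host are never interpreted."""
    return subprocess.run(ping_argv(host), capture_output=True, timeout=10).returncode

def suspicious_params(log_lines) -> list:
    """Detection side: (line no, param, value) for decoded query values carrying metacharacters."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        for name, values in parse_qs(urlsplit(m.group(1)).query).items():
            hits += [(n, name, v) for v in values if META_RE.search(v)]
    return hits

# Constructed access-log lines (not real traffic) for a ping/dns lookup feature.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2017:10:00:00 +0000] "GET /tools/ping?host=example.com HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2017:10:00:01 +0000] "GET /tools/ping?host=example.com%7C%7Cls HTTP/1.1" 200 640',
    '203.0.113.5 - - [01/Jan/2017:10:00:02 +0000] "GET /tools/dns?name=%24%28ls%29 HTTP/1.1" 200 300',
    '203.0.113.5 - - [01/Jan/2017:10:00:03 +0000] "GET /tools/dns?name=example.org HTTP/1.1" 200 300',
]
```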
• 29. How should I become PRO?
  • Follow top researchers
  • Read blogs
  • Read about vulnerabilities
  • Create your own logics
  • Follow Twitter
• 30. Reference Links or researcher blogs
  XSS & SQLi:
  • http://securityidiots.com
  • http://www.pwntester.com
  • https://www.hackerone.com/resources/hack-learn-earn
  • www.geekboy.ninja
  • https://blog.bugcrowd.com/topic/bug-hunter-tips-and-tricks
  • Publicly disclosed HackerOne reports
  • All top researchers' blogs and Twitter accounts.
• 31. Challenge >> Capture The Flag (CTF)
  3L33t time starts :P