2. $$Bug_Bounty$$
#whoami
• Sagar M Parmar
• Active #$> Synack Red Team
• <3 $$ Bug Bounties.
• Working as a Security Analyst at Network Intelligence India Pvt. Lt
• Chapter Leader of OWASP_Jodhpur
• Email: sagar.parmar@owasp.org
• Follow> https://twitter.com/sagarparmar121
sagar.parmar@owasp.org
3. $$> Bug Bounty <$$
• What is Bug Bounty?
• I am new, how should I start?
• How should I take It forward?
• How should I become Pro?
• What I should do when I am Pro?
sagar.parmar@owasp.org
4. • What is bug bounty?
Also calls as VRP (Vulnerability Reward Program)
• Company (Security Team/Vendor)
Improve Security, Business Grow,
Create Program.
Offer Cash , HOF , Swag.
Acknowledge Your Work.
• Researchers / Bug Hunter
Hit Target and Get Bugs.
Sometimes Duplicates , Sometime $$$ , Sometime Swag,
Sometime HOF, Sometime Only Thanks :P
Recheck Bug After Fix.
sagar.parmar@owasp.org
5. • A Brief History of Bug Bounty Programs.
sagar.parmar@owasp.org
Google ~ 30k USD
Facebook ~ 40k USD
Yahoo ~ 15k USD
PayPal, GitHub, AT&T, Twitter, Square,
Mozilla, Microsoft etc.
Well-known Platform,
- 2012
- 2013
- 2013
7. sagar.parmar@owasp.org
I am new, how should I start?
Dont’s
Do’s
Learn about your target.
Pick any company.
Learn about it thoroughly.
Its services.
All subdomains
All mobile applications.
Monitor any changes.
Read Program rules carefully.
Expect learning something new.
Give respect to
Breakers
Defenders
Decisions
I want money, I don’t care about your policy.
But, that X company gives money for this.
I will hack you to the death.
F**k the repeater, I love Burp Scanner, Acunitix.
I love cookies & session related bugs and version
disclosure.
SQLmap is good only when risk=3
8. sagar.parmar@owasp.org
Have Some <Patience>
• Duplicate
• Wait for response time
• Forget about submission.
• Learn and find new Bugs
• Find New target.
• Go as deep as possible (Chain attack)
• NEVER Ever run a Scanner.
• Do Manual testing.
9. sagar.parmar@owasp.org
Tips
• Make a list for all type of vulnerability
• Make a database for all type of targets. Like:
php, asp, WordPress, apache, angulers.
• Make a list for all public exploit.
• Do fuzzing
• Create Google Alerts for page change in list
of bounty programs OR any other thing of
your choice.
15. sagar.parmar@owasp.org
Bug Bounty Report Format
Vulnerability Reporting
------------------------------
Vulnerability Name :
Vulnerability Description & Impact :
Vulnerable URL :
Vulnerable Parameter :
Payload Used :
Steps to Reproduce :
How to Fix (Recommandation) :
Proof of Concept(Screenshot) :
Or
Video POC
18. sagar.parmar@owasp.org
But I want more money..
• Look out for less exposed areas of site.
• Injection Attacks _ every one doing it.
• Authorization issues are hard to find, less
duplicate.
• Privilege escalations on a least exposed
entity in the site have good chances of
hitting a good bug.
19. sagar.parmar@owasp.org
Much More Money…
• Make a checklist of test cases.
• Divide it in two parts.
• Normal bugs
• Everyone knows about them.
• Abnormal bugs.
• You / Someone else found this.
• Only active researchers know about them.
20. `
sagar.parmar@owasp.org
Hell lot of money…
• Find more logical bugs.
• ~ More mone
• ~ Less Dupes
• ~ More reputation
• Read blogs. Voila! What a bug! I will test this too.
• OMG! I tested this app too. Why I missed?
• Be aware of every damn new test case to hit a bug.
• One NEW + UNIQUE + CRITICAL bug to rule them all.
22. sagar.parmar@owasp.org
XSS (Cross Site Scripting)
Cross site script a type of attack attacker can injection malicious script in web application
whether these script many type like java, xml, html. By this attacker can get so many things
like cookies stealing, change content, phishing and many things.
Payload:
“><script>alert(1)</script>
/*is this blocked? try other payload and check the behaviour of WAF*/
“><img src=x onerror=alert(1)>
“><svg/onload=alert(1)>
<a href=javascript:alert(1)>helloxss
Also try other event handlers like:
(onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy,
onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint,
onbeforeunload, onbeforeupdate, onblur… many more…)
Payload: Test” onfocus=alert(1) autofocus=“
24. sagar.parmar@owasp.org
SQLi(Structed Query Language Injection)
What: SQL injection is type of attack in which attacker passes some malicious query
and exploit the backend (get) database information.
What vulnerability. : Authentication bypass is vulnerability.
Type: 3 types of SQL Injection: (1) union based, 2) error based 3) blind SQL injection.
How To Check For SQL Injection?
1.Check any User Input with quotes(single ‘ or double “ or / ) if it breaks the SQL Query or
not.
2.If some content is missing or an error is there then do further testing
3.Balance the SQL Query by using quotes and SQL Comments like (#,-- -)
4.Find The Number of Columns Used in table of the Running Query
Eg: username=admin’order by 1-- - loads normally
username=admin’order by 2-- - loads normally
username=admin’order by 3-- - Gives Error/Content Missing
Which means There are only 2 columns
25. sagar.parmar@owasp.org
SQLi
5. Create/Join another row using Union clause
Eg. Username=admin’ union select 1,2-- -// will create another row
6. False the Query by using some Boolean logic like :
Eg. Username=admin’ and 1=2 union select 1,2-- -// will create another row
This will make the Column(s) To be shown in the Page
7.Now You can Extract The information by using SQL Queries in the visible column
26. sagar.parmar@owasp.org
SSRF (Server Side Request Forgery)
• Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker
has the ability to create requests from the vulnerable server.
• Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the
firewall that are normally inaccessible from the outside world (but using SSRF it’s
possible to access these systems).
• With SSRF it’s also possible to access services from the same server that is
listening on the loopback interface.
How to Look for SSRF?
1.Check For Different Requests where some parameters contains some URL To External/
Internal hostname/IP.
2.We could try putting our own IP/hostname in that parameter and Simply Check your Server
Logs.
3.If there is a Request in logs from their IP then You need to Look for internal services.
4.You can do various stuffs like Port scanning, Fingerprinting Services and also use their Server
As a proxy to attack others.
5.You Can Enter http://localhost:port to check for services or if its blocked then you could use
127.0.0.1 or also you could use IPv6 localhost : http://[::]:port
27. sagar.parmar@owasp.org
LFI (Local File Inclusion)
Local File Inclusion (also known as LFI) is the process of including files, that are already locally
present on the server, through the exploiting of vulnerable inclusion procedures
implemented in the application. This vulnerability occurs, for example, when a page receives,
as input, the path to the file that has to be included and this input is not properly sanitized,
allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most
examples point to vulnerable PHP scripts, we should keep in mind that it is also common in
other technologies such as JSP, ASP and others.
How To Check for Inclusion Vulnerabilities?
1.Check For parameters where you feel there’s another file included
Eg: http://www.site.com/?page=somepage
http://www.site.com/?file=somepage.php
2. Use file:// protocol or Directory Traversal techniques to read files like :
Eg: http://www.site.com/?page=../../../../../../etc/passwd #for *nix
http://www.site.com/?page=C:/Windows/System32/drivers/etc/hosts #for Windows
3. Also you could use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts
4. For PHP specific applications you could use php://filter wrapper to read files too.
5. It Could be used to Escalate to RCE in some cases where you are able to include external files
Or use data: wrapper(Remote File Inclusion)
28. sagar.parmar@owasp.org
Remote Code Execution (RCE)
Remote Code Execution can be defined as In computer security, arbitrary code execution or
remote code execution is used to describe an attacker's ability to execute any commands of the
attacker's choice on a target machine or in a target process.
It happens When a user input is unvalidated and directly used in Command line arguments or in
Eval-ish like functions.
How to Check For RCE?
1.Fuzz Every possible parameters/User Inputs for Command Execution.
2.Vulnerabilites like RCEs are found much more when source code is there.
3.Functionalities like “pinging”, “dns” lookups should be tested well for RCE.
4.Various Ways for testing command execution:
1. Pipes(|) or ||(double pipes) eg: ||ls
2. Ampersand (&) or double Ampersand(&&) eg. & dir
3. $(ls) /* For *nix only
4. (Backticks) `ls` /* For *nix only */
5. May be some switches/options could be used related to Running commands
29. sagar.parmar@owasp.org
How should I become PRO?
• Follow Top Researchers
• Read blogs
• Read about vulnerability
• Create your own logics
• Follow twitter
30. sagar.parmar@owasp.org
Reference Links or researcher blogs
XSS & Sqli:> http://securityidiots.com
http://www.pwntester.com
https://www.hackerone.com/resources/hack-learn-earn
www.geekboy.ninja
https://blog.bugcrowd.com/topic/bug-hunter-tips-and-
tricks
Publiclydisclosed hackerone
All top Researcher blogs and twitter account.