lets talk about bug hunting

Post on 09-Jan-2017


TRANSCRIPT

#securitymeetup

“When big brick wall becomes wooden fence” or “how to get 1kk on the Bug Bounty”

#:whoami?

• Known as ‘isox’
• Web penetration tester
• QIWI CISO
• Member of “hall-of-fames” (Yandex, Mail.ru, Apple, and so on)
• JBFC participant ^___^

Hungry nomads

• Disparate groups
• Attacking every tower they see
• Using the same techniques and weapons
• Really meticulous
• Clever and creative
• You and I

Castle with gold

• Ready to pay tribute for every successful attack
• Has an enormous territory surrounding it
• Provides protection for its citizens
• Takes care of its borders
• Makes friends with neighbors

Looking at the frontend

• Huge strong (fire)walls
• Musketeers and howitzers
• Moat with crocodiles
• Perfect gate citizenship control
• Flawless architecture

… gentlemen, what are we waiting for?

Common assault

• 10 days for one embossed brick
• Took notice that walls are really pregnable
• 100 gold coins of income
• Got tired and went home

I worked using Burp Suite with plugins for a week.

Why so bad?

• Most of us took weapons from the same blacksmith
• Studied martial arts in one academy
• There are very few “unique attack techniques”
• Unless you are a black (magic) fan or can make a dozen «PP» tricks
• All easy ways are already found

Just stats for one day and one vector

Let’s dot the i’s and cross the t’s

• We are not making “security research”
• We are working for our own
• We came here to hack em for money
• We are legal whitehats

Bad advice №1

Illusion of good network aggregation

• It does not really matter where this RCE or SQLi will be

• Common case: injection in an aux DB leads to main DB takeover through a datalink

• Do you really believe writing “don’t hack these domains” will stop anybody?

• Hack everything you can find in target AS

Sometimes like this

Or like that

Or even like “I just hacked this IP”

Bad advice №2

Rabbits are not only puff

• 50$ is 50$
• “I’m too cool for clickjacking, self-XSS, bad crossdomain.xml, POODLE, bad CSP”… forget about it
• If it is a security issue, report it
• Availability of bruteforce is also a security bug
• Missing captcha too
• Information disclosure absolutely

Sometimes $140

10 clickjacks == 1 XSS

Bad advice №3

Enterprise toys are expensive

• Nessus SC for enterprise costs a lot, as an example
• Sometimes the security team just can’t configure it well
• Or does not use it at all
• Scan it, validate it, report it!

For very nice bugs like this

Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.

Good advice №1

First2discover is first2pwn

• Find your target AS-es (radar.qrator.net as an example)

• Find domains and regions (subbrute + google)

• Automate nmap for portscanning target AS

• Keep your eyes on the difference report

• Be the first bounty hunter to discover new service

Dev, test, debug…yummy!

Good advice №2

We are lazy

• RegEx for sanitizing “abG$2.###” is too tedious to write
• Huge frameworks and APIs are awesome
• Just MD5 the username and salt it with the IP, this will be the session id
• Keep in mind that developers are humans too
• Just imagine yourself in their place

Yandex.Disk case

• What we know: our Yandex id, 229857356
• What we see in requests: _model.0=tree&id.0=/disk
• What we will try: _model.0=tree&id.0=229857356:/disk
• Profit. Access any disk by full URI just by changing its uid.
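The Yandex.Disk case above is a missing ownership check on the uid prefix of the id.0 parameter. The following is an added example written for this transcript, not Yandex's code: a toy handler that trusts the uid from the URI (the bug described) next to one that binds the lookup to the authenticated session. The parameter format and uid 229857356 come from the slides; the data store and the second uid are constructed.

```python
import urllib.parse

# Constructed sample store: uid -> {path: listing}. 229857356 is the uid quoted
# in the slides; 100000001 is made up for this example.
DISKS = {
    "229857356": {"/disk": ["my-photos/", "notes.txt"]},
    "100000001": {"/disk": ["tax-return.pdf"]},
}


def parse_id_param(query):
    """Return (uid, path) from the id.0 parameter, e.g. '229857356:/disk'.
    A value without a uid prefix, such as '/disk', yields uid=None."""
    params = urllib.parse.parse_qs(query)
    value = params.get("id.0", [""])[0]
    if ":" in value:
        uid, path = value.split(":", 1)
        return uid, path
    return None, value


def list_tree_vulnerable(session_uid, query):
    """Resolves the tree for whatever uid the client put in the URI, so a
    caller who changes the prefix reads another user's disk (the slide's bug)."""
    uid, path = parse_id_param(query)
    owner = uid or session_uid
    return DISKS.get(owner, {}).get(path)


def list_tree_fixed(session_uid, query):
    """Authorization is bound to the session: a uid in the URI that is not the
    caller's own is rejected instead of being trusted."""
    uid, path = parse_id_param(query)
    if uid is not None and uid != session_uid:
        raise PermissionError("uri uid does not match the authenticated user")
    return DISKS.get(session_uid, {}).get(path)


def fixed_denies(session_uid, query):
    """True when the hardened handler refuses the request."""
    try:
        list_tree_fixed(session_uid, query)
    except PermissionError:
        return True
    return False
```

The defender's takeaway: the object identifier in the request is client input; the owner must come from the session, and a mismatch is logged as an access-control probe rather than silently served.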

Good advice №3

Automate your ideas

• Don’t be lazy, write your own plugins
• Automate every cool vector you can create
• Automate even every good vector you can find!
• Your fuzzing and attacks must be unique

Let’s try to find errors in a good way

Don’t take it all too seriously

• Research new vulnerabilities
• Don’t stop working hands on. Repeater is your best friend.
• Keep learning! There is so much interesting stuff you don’t know!
• Share information with bros
• Money is nothing. Seriously.

Thanks :)

• @videns, u r a dick
• @d0znpp for good parties
• QIWI security team for the time given to write these slides
• Mail.Ru for this great evening

Email party invitations at isox@vulners.com

QIWI IS HIRING

• Security Expert in Application Security Team – Write to videns@qiwi.com

• Security Expert in Infrastructure Security Team – Write to mona@qiwi.com

• Python programmer in Internal Development – Write to isox@qiwi.com

• Welcome
