Bug Bounty Hunting Essentials E-Book

Bug Bounty Hunting Essentials

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin GeorgeAcquisition Editor:Shrilekha InaniContent Development Editor:Abhishek JadhavTechnical Editor:Mohd Riyan KhanCopy Editor:Safis EditingProject Coordinator:Jagdish PrabhuProofreader: Safis EditingIndexer: Tejal Daruwale SoniGraphics:Tom ScariaProduction Coordinator: Shantanu Zagade

First published: November 2018

Production reference: 1301118

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78862-689-7

www.packtpub.com

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the authors

Carlos A. Lozano is a security consultant with more than 15 years' experience in various security fields. He has worked in penetration tester, but most of his experience is with security application assessments. He has assessed financial applications, ISC/SCADA systems, and even low-level applications, such as drivers and embedded components. Two years ago, he started on public and private bug bounty programs and focused on web applications, source code review, and reversing projects. Also, Carlos works as Chief Operations Officer at Global CyberSec, an information security firm based in Mexico, with operations in USA and Chile.

Shahmeer Amir is ranked as the third most accomplished bug hunter worldwide and has helped more than 400 organizations, including Facebook, Microsoft, Yahoo, and Twitter, resolve critical security issues in their systems. Following his vision of a safer internet, Shahmeer Amir is the founder and CEO of a cyber security start-up in Pakistan, Veiliux, aiming to secure all kinds of organizations. Shahmeer also holds relevant certifications in the field of cyber security from renowned organizations such as EC-Council, Mile2, and ELearn Security. By profession, Shahmeer is an electrical engineer working on different IoT products to make the lives of people easier.

About the reviewers

Sachin Wagh is a young information security researcher from India. His core area of expertise includes penetration testing, vulnerability analysis, and exploit development. He has found security vulnerabilities in Google, Tesla Motors, LastPass, Microsoft, F-Secure, and other companies. Due to the severity of many bugs, he received numerous awards for his findings. He has participated as a speaker in several security conferences, such as Hack In Paris, Info Security Europe, and HAKON.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Bug Bounty Hunting Essentials

About Packt

Why subscribe?

Packt.com

Contributors

About the authors

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

Conventions used

Get in touch

Reviews

Disclaimer

Basics of Bug Bounty Hunting

Bug bounty hunting platforms

HackerOne

Bugcrowd

Cobalt

Synack

Types of bug bounty program

Public programs

Private programs

Bug bounty hunter statistics

Number of vulnerabilities

Number of halls of fame

Reputation points

Signal

Impact

Accuracy

Bug bounty hunting methodology

How to become a bug bounty hunter

Reading books

Practicing what you learned

Reading proof of concepts

Learning from reports

Starting bug bounty hunting

Learning and networking with others

Rules of bug bounty hunting

Targeting the right program

Approaching the target with clarity

Keeping your expectations low

Learning about vulnerabilities

Keeping yourself up-to-date

Automating your vulnerabilities

Gaining experience with bug bounty hunting

Chaining vulnerabilities

Summary

How to Write a Bug Bounty Report

Prerequisites of writing a bug bounty report

Referring to the policy of the program

Mission statement

Participating services

Excluded domains

Reward and qualifications

Eligibility for participation

Conduct guidelines

Nonqualifying vulnerabilities

Commitment to researchers

Salient features of a bug bounty report

Clarity

Depth

Estimation

Respect

Format of a bug bounty report

Writing title of a report

Writing the description of a report

Writing the proof of concept of a report

Writing exploitability of a report

Writing impact of a report

Writing remediation

Responding to the queries of the team

Summary

SQL Injection Vulnerabilities

SQL injection

Types of SQL injection vulnerability

In-band SQLi (classic SQLi)

Inferential SQLi (blind SQLi)

Out-of-band SQLi

Goals of an SQL injection attack for bug bounty hunters

Uber SQL injection

Key learning from this report

Grab taxi SQL Injection

Key learning from this report

Zomato SQL injection

Key learning from this report

LocalTapiola SQL injection

Key learning from this report

Summary

Cross-Site Request Forgery

Protecting the cookies

Why does the CSRF exist?

GET CSRF

POST CSRF

CSRF-unsafe protections

Secret cookies

Request restrictions

Complex flow

URL rewriting

Using HTTPS instead of HTTP

CSRF – more safe protection

Detecting and exploiting CSRF

Avoiding problems with authentication

XSS – CSRF's best friend

Cross-domain policies

HTML injection

JavaScript hijacking

CSRF in the wild

Shopify for exporting installed users

Shopify Twitter disconnect

Badoo full account takeover

Summary

Application Logic Vulnerabilities

Origins

What is the main problem?

Following the flow

Spidering

Points of interest

Analysis

User input

Out-band channels

Naming conventions

Keywords related to technologies

Analyzing the traffic

Application logic vulnerabilities in the wild

Bypassing the Shopify admin authentication

Starbucks race conditions

Binary.com vulnerability – stealing a user's money

HackerOne signal manipulation

Shopify S buckets open

HackerOne S buckets open

Bypassing the GitLab 2F authentication

Yahoo PHP info disclosure

Summary

Cross-Site Scripting Attacks

Types of cross-site scripting

Reflected cross-site scripting

Stored cross-site scripting

DOM-based XSS

Other types of XSS attacks

Blind XSS

Flash-based XSS

Self XSS

How do we detect XSS bugs?

Detecting XSS bugs in real life

Follow the flow

Avoiding input validation controls

Other common strings

Bypassing filters using encoding

Bypassing filters using tag modifiers

Bypassing filters using dynamic constructed strings

Workflow of an XSS attack

HackeroneXSS

Executing malicious JS

Embedding unauthorized images in the report

Redirecting users to a different website

Key learning from this report

Slack XSS

Embedding malicious links to infect other users on Slack

Key learning from this report

TrelloXSS

Key learning from this report

Shopify XSS

Key learning from this report

Twitter XSS

Key learning from this report

Real bug bounty examples

Shopify wholesale

Shopify Giftcard Cart

Shopify currency formatting

Yahoo Mail stored XSS

Google image search

Summary

SQL Injection

Origin

Types of SQL injection

In-band SQL injection

Inferential

Out-of-band SQL injection

Fundamental exploitation

Detecting and exploiting SQL injection as if tomorrow does not exist

Union

Interacting with the DBMS

Bypassing security controls

Blind exploitation

Out-band exploitations

Example

Automation

SQL injection in Drupal

Summary

Open Redirect Vulnerabilities

Redirecting to another URL

Constructing URLs

Executing code

URL shorteners

Why do open redirects work?

Detecting and exploiting open redirections

Exploitation

Impact

Black and white lists

Open redirects in the wild

Shopify theme install open redirect

Shopify login open redirect

HackerOne interstitial redirect

XSS and open redirect on Twitter

Facebook

Summary

Sub-Domain Takeovers

The sub-domain takeover

CNAME takeovers

NS takeover

MX takeovers

Internet-wide scans

Detecting possibly affected domains

Exploitation

Mitigation

Sub-domain takeovers in the wild

Ubiquiti sub-domain takeovers

Scan.me pointing to Zendesk

Starbucks' sub-domain takeover

Vine's sub-domain takeover

Uber's sub-domain takeover

Summary

XML External Entity Vulnerability

How XML works

How is an XXE produced?

Detecting and exploiting an XXE

Templates

XXEs in the wild

Read access to Google

A Facebook XXE with Word

The Wikiloc XXE

Summary

Template Injection

What's the problem?

Examples

Twig and FreeMaker

Smarty

Marko

Detection

Exploitation

Mitigation

SSTI in the wild

Uber Jinja2 TTSI

Uber Angular template injection

Yahoo SSTI vulnerability

Rails dynamic render

Summary

Top Bug Bounty Hunting Tools

HTTP proxies, requests, responses, and traffic analyzers

Burp Suite

Wireshark

Firebug

ZAP – Zed Attack Proxy

Fiddler

Automated vulnerability discovery and exploitation

Websecurify (SECAPPS)

Acunetix

Nikto

sqlmap

Recognize

Knockpy

HostileSubBruteforcer

Nmap

Shodan

What CMS

Recon-ng

Extensions

FoxyProxy

User-Agent Switcher

HackBar

Cookies Manager+

Summary

Top Learning Resources

Training

Platzi

Udemy

GIAC

Offensive Security

Books and resources

Web Application Hacker's Handbook

OWASP Testing Guide

Hacking 101

The Hacker Play Book

Exploiting Software

CTFs and wargames

Hack The Box

Damn Vulnerable Web Application

Badstore

Metasploitable

YouTube channels

Web Hacking Pro Tips

BugCrowd

HackerOne

Social networks and blogs

Exploitware Labs

Philippe Hare Wood

PortSwigger's blog

Meetings and networking

LiveOverflow

OWASP meetings

DEFCON meetings

2600 meetings

Conferences

DEFCON

BlackHat

BugCON

Ekoparty

Code Blue

CCC

H2HC

8.8

Podcasts

PaulDotCom

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Bug bounty programs are deals offered by prominent companies where white-hat hackers can be rewarded for finding bugs in applications. The number of prominent organizations with such programs has been on the increase, leading to a lot of opportunity for ethical hackers.

This book will start by introducing you to the concept of bug bounty hunting. After that, we will dig deeper into concepts of vulnerabilities and analysis, such as HTML injection and CRLF injection. Toward the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to follow.

This book will get you started with bug bounty hunting and its fundamentals.

Who this book is for

This book is targeted at white-hat hackers or anyone who wants to understand the concept behind bug bounty hunting and this brilliant way of penetration testing.

This book does not require any knowledge of bug bounty hunting.

What this book covers

Chapter 1, Basics of Bug Bounty Hunting, gives you an overview of what bug bounty hunting is and what the key steps for doing it are, including the techniques, platforms, and tools that are necessary for it.

Chapter 2, How to Write a Bug Bounty Report, provides you with information on how to use a vulnerability coordination platform to write bug bounty reports and how to respond to company's questions with caution and respect. It will also provide tips on how to increase payouts.

Chapter 3, SQL Injection Vulnerabilities, focuses on CRLF bug bounty reports. A CRLF injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

Chapter 4, Cross-Site Request Forgery, is about basic Cross-Site Request Forgery (CSRF) attacks and bug bounty reports. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Chapter 5, Application Logic Vulnerabilities, is about business logic and application logic flaws. Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.

Chapter 6, Cross-Site Scripting Attacks, covers Cross-Site Scripting (XSS) vulnerabilities. XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Chapter 7, SQL Injection, is mostly about finding SQL injection flaws in bug bounty programs. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements via web page input.

Chapter 8, Open Redirect Vulnerabilities, is about open redirect vulnerabilities in web applications. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Chapter 9, Sub-Domain Takeover, focuses on sub-domain takeover vulnerabilities. A sub-domain takeover is considered a high-severity threat and boils down to the registration of a domain by somebody else (with malicious intentions) in order to gain control over one or more (sub-)domains.

Chapter 10, XML External Entity Vulnerability, is about XML External Entity (XXE) attacks. XXE refers to a specific type of Server-Side Request Forgery (SSRF) attack, whereby an attacker is able to cause Denial of Service (DoS) and access local or remote files and services by abusing a widely available, rarely used feature in an XML parser.

Chapter 11, Template Injection, is mainly about template injection vulnerabilities. Template injection vulnerabilities arise when applications using a client-side or server-side template framework dynamically embed user input in web pages.

Chapter 12, Top Bug Bounty Hunting Tools, reviews the most used tools for web application security assessments. Most of them are open source or for free, but we will also mention some tools that are licensed.

Chapter 13, Top Learning Resources, lists some resources to be updated in the new technologies, exploiting techniques and vulnerability disclosures.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "In a vulnerability example, the subdomain (hello.domain.com) uses a canoninal name"

A block of code is set as follows:

package subjack import ( "log" "sync" )

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

package subjack import (

"log"

"sync" )

Any command-line input or output is written as follows:

$ amass -d bigshot.beet

$ amass -src -ip -brute -min-for-recursive 3 -d example.com

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Right-click on a website and select Inspect Element"

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Basics of Bug Bounty Hunting

Bug bounty hunting is a method for finding flaws and vulnerabilities in web applications; application vendors reward bounties, and so the bug bounty hunter can earn money in the process of doing so. Application vendors pay hackers to detect and identify vulnerabilities in their software, web applications, and mobile applications. Whether it's a small or a large organization, internal security teams require an external audit from other real-world hackers to test their applications for them. That is the reason they approach vulnerability coordination platforms to provide them with private contractors, also known as bug bounty hunters, to assist them in this regard.

Bug bounty hunters possess a wide range of skills that they use to test applications of different vendors and expose security loopholes in them. Then they produce vulnerability reports and send them to the company that owns the program to fix those flaws quickly. If the report is accepted by the company, the reporter gets paid. There are a few hackers who earn thousands of dollars in a single year by just hunting for vulnerabilities in programs.

The bug bounty program, also known as the vulnerability rewards program (VRP), is a crowd-sourced mechanism that allows companies to pay hackers individually for their work in identifying vulnerabilities in their software. The bug bounty program can be incorporated into an organization's procedures to facilitate its security audits and vulnerability assessments so that it complements the overall information security strategy. Nowadays, there are a number of software and application vendors that have formed their own bug bounty programs, and they reward hackers who find vulnerabilities in their programs.

The bug bounty reports sent to the teams must have substantial information with proof of concept regarding the vulnerability so that the program owners can replicate the vulnerability as per how the researcher found it. Usually the rewards are subject to the size of the organization, the level of effort put in to identify the vulnerability, the severity of the vulnerability, and the effects on the users.

Statistics state that companies pay more for bugs with high severity than with normal ones. Facebook has paid up to 20,000 USD for a single bug report. Google has a collective record of paying 700,000 USD to researchers who reported vulnerabilities to them. Similarly, Mozilla pays up to 3,000 USD for vulnerabilities. A researcher from the UK called James Forshaw was rewarded 100,000 USD for identifying a vulnerability in Windows 8.1. In 2016, Apple also announced rewards up to 200,000 USD to find flaws in iOS components, such as remote execution with kernel privileges or unauthorized iCloud access.

In this chapter, we will cover the following topics:

Bug bounty hunting platforms

Types of bug bounty programs

Bug bounty hunter statistics

Bug bounty hunting methodology

How to become a bug bounty hunter

Rules of bug bounty hunting

Bug bounty hunting platforms

A few years ago, if someone found a vulnerability in a website, it was not easy to find the right method to contact the web application owners and then too after contacting them it was not guaranteed that they would respond in time or even at all. Then there was also the factor of the web application owners threatening to sue the reporter. All of these problems were solved by vulnerability co-ordination platforms or bug bounty platforms. A bug bounty platform is a platform that manages programs for different companies. The management includes:

Reports

Communication

Reward payments

There are a number of different bug bounty platforms being used by companies nowadays. The top six platforms are explained in the following sections.

HackerOne

HackerOne is a vulnerability collaboration and bug bounty hunting platform that connects companies with hackers. It was one of the first start-ups to commercialize and utilize crowd-sourced security and hackers as a part of its business model, and is the biggest cybersecurity firm of its kind.

Bugcrowd

Bugcrowd Inc. is a company that develops a coordination platform that connects businesses with researchers so as to test their applications. It offers testing solutions for web, mobile, source code, and client-side applications.

Cobalt

Cobalt's Penetration Testing as a Service (PTaaS) platform converts broken pentest models into a data-driven vulnerability co-ordination engine. Cobalt's crowdsourced SaaS platform delivers results that help agile teams to pinpoint, track, and remediate vulnerabilities.

Synack

Synack is an American technology company based in Redwood City, California. Synack's business includes a vulnerability intelligence platform that automates the discovery of exploitable vulnerabilities for reconnaissance and turns them over to the company's freelance hackers to create vulnerability reports for clients.

Types of bug bounty program

Bug bounty programs come in two different types based on their participation perspectives. This division is based on the bug bounty hunter's statistics and their level of indulgence overall on a platform. There are two kinds of bug bounty program: public programs and private programs.

Public programs

A public bug bounty program is one that is open to anyone who wants to participate. This program may prohibit some researchers from participating based on the researcher's level and track record, but in general, anyone can participate in a public bounty program and this includes the scope, the rules of engagement, as well as the bounty guidelines. A public program is accessible by all researchers on the platform, and all bug bounty programs outside of the platforms are also considered bug bounty programs.

Private programs

A private bug bounty program is one that is an invite-only program for selected researchers. This is a program that allows only a few researchers to participate and the researchers are invited based on their skill level and statistics. Private programs only select those researchers who are skilled in testing the kinds of applications that they have. The programs tend to go public after a certain amount of time but some of them may never go public at all. These programs provide access only to those researchers that have a strong track record of reporting good vulnerabilities, so to be invited to good programs, it is required to have a strong and positive record.

There are a few differences between a public and private program. Conventionally, programs tend to start as private and over time evolve into the public. This is not always true but, mostly, businesses start a private bug bounty program and invite a group of researchers that test their apps before the program goes public to the community. Companies usually consider a few factors before they start a public program. There has to be a defined testing timeline and it is advised that companies initially work with researchers who specialize in that particular area to identify the flaws and vulnerabilities.

Most of the time, the companies do not open their programs to the public and limit the scope of testing as well so as to allow researchers to test these applications specifically in the sections that are critical. This reduces the number of low-severity vulnerabilities in out-of-scope applications. Many organizations use this technique to verify their security posture. Many researchers hunt for bugs in applications mainly for financial gain, so it is crucial that the organization outlines their payout structure within the program's scope. There are a few questions before anyone would want to start to participate in a bug bounty program; the most important one is What is the end goal of the program going public versus keeping it private?

Bug bounty hunter statistics

A bug bounty hunter's profile contains substantial information about the track record that helps organizations identify the skill level and skill set of the user. The bug bounty hunter stats include a number of pointers in the profile that indicate the level of the researcher. Different pointers indicate different levels on different platforms. But generally you will see the following pointers and indicators based on which you can judge a researcher's potential.

Number of vulnerabilities