…Wow here we go..
Alright so. People have been asking me a lot: stök, how do you do your recon? And the thing is that I don't really do any recon. But when it comes down to discussing what you do when you first approach a new target, there's different kinds of ideas of what you should do, so.. I just decided to ask Jason Haddix about it..

– So Jason, when you approach a new target, what are the things that are crucial… that a new bounty hunter doesn't miss?
– Yeah, I think a lot of the new bounty hunters will look at a target like something you have to log in to, they'll just start poking around at the external stuff, like external search forms and parameters on the outside, and not really dive into learning the application, like actually using it like a user would. If you think of it like an iceberg, all you're seeing is the tip when you start, but you need to get way down to the bottom of that iceberg, where all the sensitive functionality probably is.
– Oh yeah, absolutely, I get it. So instead of just poking around on the outside.. access privileges come into play. Me personally, what I do is I spin up Burp and then I spend an hour or two just walking through the website and trying different kinds of things: logging out, logging in as another user, doing it again, and then eventually I'm replaying these sessions to see if I'm able to do something as an unprivileged user and then eventually as an admin.

– That's exactly what I do. In fact there's some Burp plug-ins for that kind of stuff, but I just keep everything marked by hand honestly, sort of like a spreadsheet or something, and I say X user can do X and Y user can do Y, and let's see if they can do stuff to each other. And that's the beginning of my access control testing part, which is like the second tip I usually give people: access control bugs and IDORs are really important to look for in bounty programs, because there's no library that fixes those types of bugs. If you think of injection bugs, a patch could fix an injection bug, you know, applying a third-party library can fix cross-site scripting bugs, but it's really hard to fix access control bugs.

– And they are all logical, right?

– Yeah, all logical.

– Cool. Alright, so next one.
– Yeah, so when you're on the site you're gonna want to see how the site references you as a user, right? It's not always the cookies that register what you're doing or what you're allowed to do on the site; sometimes, you know, there's a unique identifier passed either in the URL or in some parameters that identifies you, and that's the first place I look for IDORs and stuff like that. But shortly after that it's file uploads. I have found a majority of bugs this year on functionality for file uploads, so when you log into the application there's always like a profile page on enterprise application stuff, or your image. When I'm looking at a site I want to find all the file uploads and identify them, right? There's our RCEs, where you piggyback command injection like ImageTragick, and embedding in file formats that are based on XML, like Word docs and stuff like that, so file uploads have just like a crazy amount of attack surface based on them, and so I look at 'em.

– And it's so challenging for people just to make sure that they sanitize it all right, and this is also where some of the really golden goose bugs appear. It's a great area to put a lot of research in. I spend shitloads of time designing PDFs, payloads inside them, manually, and I learned how to write PDFs by hand now. It's a lot of waste of time, but then again my payloads are, mmmm, they are mint.

– Yeah, and then you have it next time, right? Like once you put the investment in to make the template for one of those uploads, you have it for next time. In fact, Mario from Cure53, they have a repository that you can start with. On Cure53's GitHub there's a project where they have a whole bunch of file formats that have XSS attacks in them, and you can move off there and start modifying, creating your own directory of file formats and the bugs associated with them.
– Yeah, and the other tip there is, a lot of days you're not gonna get the direct feedback from those types of bugs where the application view actually shows you that you have a bug. A lot of them are blind nowadays, right? And what I do is I use them named in certain ways and use unique DNS lookups for them, and have this Excel sheet where over time I just log traffic to my DNS server, so if I receive something, it hits and I know, I remember that one, that's like a month ago since I put that one in, and then they spun it up again and this shit fucking happens..
– Awesome.. alright, so third place where to look now?

– What I'm doing is I'm looking at all the parameters and all of the endpoints that took data, so those are called dynamic parameters, right, and I'm looking at what kind of data they took: was it a string, was it, you know, was it alphanumeric, was it just numerals, and then eventually the places that actually take paths and URLs and parse them as parameters. I'm gonna look at those very, very strictly for bugs like SSRF, local file includes, path traversal, remote file includes. Any place that parses a path or a page, or references another place, I'm gonna pay special attention to.
– If you are totally new at this, where would you recommend people to start?

– Um, so a lot of times when you get into an application, you know, there's an integration section. If it's an enterprise application, they're trying to hook up other services to their own site, like a lot of Fortune 100 companies use APIs to pull in all kinds of stuff. Aaah, so it's cross-platform, right? So in that section of the app, first see if there's any integrations that they want to hook up via either webhook; those are likely vulnerable, those integration places are likely vulnerable to SSRFs, I see them a lot of times.
– And those are primarily not always automatable, right, so it takes you a little bit of tweaking?

– It takes me a lot of tweaking to find them. And if anyone tells you SSRFs are easy, they are lying, right, unless your generic SSRF payload really works out of the box, right? It's either the padding has to be changed, like you gotta do double or triple, like you know, forward or back slashes, you've got to reference your domain like an octal, it's like all this crazy stuff, right, so like I have to play around with them a lot. Very rewarding, but when they pop it's like I… get goosebumps just thinking about it, they are so amazing, the feeling you have where you can see that it hits your Collaborator or hits your DNS server, you know, like oh yeah yeah yeah, I've got something.

FOUR: a lot of people focus on RCE and bugs, but I actually think that private data, leaking private data, can be just as damaging. In fact most of my authentication bypass type bugs, or logic type bugs, or whatever you want to call them.. so content discovery is king in this world, right, basically looking for hidden paths that are not linked anywhere on the website: administration panels, you know, log pages.
– Are we talking brute forcing here?

– Yeah, we're talking about brute forcing here. Yeah, so I mean I use a list that I've published pretty exclusively to do my brute forcing and my content discovery.

– The Jason Haddix ALL.TXT? I wonder if it's that one? ;)))

– I use that in my content discovery, it's a huge list. By finding stuff off that list.. so directory brute forcing is something you want to do.

– And also, if you're new, try to save all the endpoints that you stumble upon to your list. Curating your word list is key. Jason has created one of the best lists out there, but you have to redefine it, because that way you will bring a unique perspective to each and every engagement you enter.
– Yeah, and there's some people out there doing cool research, right, like the Assetnote guys, naffy and shubs and Michael over there, they released the CommonSpeak dictionary, which is pretty cool. But as you go, you know, add your own stuff there, add your own paths and links. When a new open-source project comes out, parse all the paths and add them to your content discovery, right, eventually someone's gonna make a mistake with access control.
Final and last tip. (FIVE)

– If you're on an app that is a messaging platform, right, the security of the messages themselves, the text of the message, is just as important to them as leaking, you know, a piece of credit card information or getting an RCE, right? So like, what other than technical vulnerabilities do they care about? And that gives me more like space to work in the application if I'm not just looking for tech bugs.

– Absolutely, and I totally agree. I've found some really, really, really nice high-paying bugs, non-technical stuff that was just "lying" around there, but it didn't execute until you did a certain kind of step.. Fun times. Okay, so thank you very much Jason. Hopefully this would be a couple of tips for anyone that's hungry to get started and starting to look for ways about testing and bug bounties.. Have a good one and I'll see you around, buddy.