
Abusing functions for bug bounty

Aditya Shende
September 26, 2020


Slides for function exploits by Aditya Shende


Transcript

  1. whoami

    ADITYA SHENDE
    - Proud Indian
    - Bug Bounty Hunter
    - Listed in the top 100 researchers on Bugcrowd
    - Trader and investor
  2. Functions? What? Type?

    BASIC: what we can do on the website, or how it works.
    AUTHENTICATED: we need to use our credentials to perform activities or changes.
    NON-AUTHENTICATED: the opposite of authenticated; we do not need to provide credentials or an identity.
  3. What to check?

    REGISTER FUNCTION: creating a new user on the site.
    LOGIN FUNCTION: providing credentials to access a registered account.
    ACCOUNT SETTINGS: the most bug-prone section, with multiple functions.
    WEB APP + ANDROID APP: check whether activity in one is reflected in the other.
    Always walk the whole website as a normal user first. There is no need to use Burp Suite all the time; functions are easy to understand.
  4. Register account

    - Create an account on web and Android with the same id.
    - Craft an id for takeover: [email protected]@target.com
    - Username + reset function with a collaborator link: [email protected]
    - Create an account with a company mail address to gain extra authority. Use hunter.io to find company addresses.
  5. Account Login

    - Use multiple usernames at a time, e.g. "aditya","victim" (several values where one string is expected): it may give a weird response or an error that discloses information.
    - Besides the usual long-input DoS, try "username=z||ping+-c+10+0.0.0.0 |" and look for a time-delayed response (a command-injection probe).
    - Send a reset link with two email addresses in the field: [email protected] [email protected], so the link also reaches the second address in the SMTP conversation.
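The reset-link and crafted-id tricks from slides 4 and 5 both come down to how the server treats the email field. The following is an added example, not code from the slides: a weak password-reset handler that passes the submitted field straight to the mailer (so a second address in the field also receives the token), beside a safe one that accepts exactly one mailbox and mails only the address stored on the account. The same strict parser is then reused for the "company address gets extra authority" check. The account table, domain and addresses are constructed for illustration; the slide's own addresses are obfuscated on this page. Whether a mailer actually delivers an input with two "@" signs is mailer-dependent, which is exactly why the safe version refuses to reason about it.

```python
"""Password-reset recipient handling: the weak pattern beside the safe one.

Added example, not code from the original slides. The user records,
domain and addresses below are constructed for illustration.
"""
import re
from email.utils import parseaddr
from typing import List, Optional

# Constructed account table: the address the *server* knows for each user.
USERS = {
    "victim": "victim@target.example",
    "aditya": "aditya@target.example",
}

# Assumed: registering with this domain grants extra privileges.
COMPANY_DOMAIN = "target.example"


def reset_recipients_weak(raw_email: str) -> List[str]:
    """Weak handler: hands the submitted field to the mailer as-is.

    A mailer that accepts comma- or whitespace-separated recipients will
    deliver the reset link to every address in the field, so a request
    like 'victim@target.example, attacker@evil.example' leaks the
    victim's token to the attacker.
    """
    return [a for a in re.split(r"[,\s]+", raw_email.strip()) if a]


def single_address(raw: str) -> Optional[str]:
    """Return the one mailbox in `raw`, or None if it is not exactly one.

    parseaddr() would happily return something for 'a@x.example@y.example'
    or for a value carrying a CRLF-injected header; the extra checks reject
    multi-address, multi-@ and header-injection inputs outright.
    """
    if not raw or any(c in raw for c in ",;<>\r\n") or raw.count("@") != 1:
        return None
    _, addr = parseaddr(raw.strip())
    local, _, domain = addr.partition("@")
    if not local or not domain or " " in addr:
        return None
    return addr.lower()


def reset_recipients_safe(raw_email: str) -> List[str]:
    """Safe handler: validate one address, then mail the *stored* address.

    The submitted field is only used to look the account up; the link goes
    to the address on the account record, never to attacker-supplied text.
    Unknown addresses yield an empty list; the HTTP layer should return the
    same 'if an account exists, a mail was sent' message either way, to
    avoid user enumeration.
    """
    addr = single_address(raw_email)
    if addr is None:
        return []
    for stored in USERS.values():
        if stored.lower() == addr:
            return [stored]
    return []


def is_company_address_weak(raw_email: str) -> bool:
    """Weak privilege check: a suffix match is fooled by a crafted id."""
    return raw_email.endswith("@" + COMPANY_DOMAIN)


def is_company_address_safe(raw_email: str) -> bool:
    """Strict privilege check: exactly one mailbox, exact domain match."""
    addr = single_address(raw_email)
    return addr is not None and addr.split("@")[1] == COMPANY_DOMAIN
```

A useful habit when testing this function: request a reset with the crafted field, then inspect the mail actually received at an address you control rather than the HTTP response, since a handler that validates the display value but not the recipient list looks identical from the browser.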
  6. Account Settings

    - Multiple functions: add link, attach file, add number, password functions, email functions, etc.
    - Use null payloads everywhere to get a weird response, a time delay, blind SSRF or IDORs, and try long-input DoS everywhere.
    - Try to perform the same actions without logging in, e.g. opening a sensitive URL like site.com/uvsgkushdjnxlj2s1a/account-settings directly.
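The null-payload, long-input and blind-SSRF probes on this slide all hit the same gap: settings fields that are handed to the database, mailer or an outbound fetch without being checked first. As an added example (not code from the slides), here is what the receiving side of an "add link" / "update name" request should do before using the values. The field names, length limits and sample payloads are assumptions made for illustration.

```python
"""Validating account-settings input: null payloads, long inputs and
attacker-controlled links (the 'add link' function) checked before use.

Added example, not code from the original slides. Field names, limits and
the sample requests are assumptions made for illustration.
"""
import ipaddress
from typing import Any, Dict, List
from urllib.parse import urlsplit

MAX_NAME_LEN = 100          # assumed product limit
MAX_LINK_LEN = 2048         # assumed product limit
ALLOWED_SCHEMES = {"http", "https"}


def link_is_safe_to_fetch(url: str) -> bool:
    """Reject links the server must never fetch on the user's behalf.

    Covers the classic blind-SSRF targets: non-http schemes, loopback,
    link-local (cloud metadata at 169.254.169.254), private ranges and
    credentials in the authority part. Only literal IPs are judged here;
    a DNS name must be resolved and re-checked at request time (and after
    every redirect), otherwise DNS rebinding bypasses this check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # a DNS name: resolve and re-check before fetching
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_settings_update(payload: Dict[str, Any]) -> List[str]:
    """Return the validation errors for an account-settings request.

    Null and wrong-type values are rejected explicitly instead of being
    passed through to the database or mailer, where they tend to produce
    the 'weird response' or stack trace the slides mention; length limits
    bound the work done per request (the long-input DoS).
    """
    errors: List[str] = []

    name = payload.get("display_name")
    if not isinstance(name, str):
        errors.append("display_name: must be a string")
    elif not 0 < len(name) <= MAX_NAME_LEN:
        errors.append("display_name: length must be 1..%d" % MAX_NAME_LEN)

    link = payload.get("link")
    if link is not None:  # optional field, but if present it must be valid
        if not isinstance(link, str):
            errors.append("link: must be a string")
        elif len(link) > MAX_LINK_LEN:
            errors.append("link: too long")
        elif not link_is_safe_to_fetch(link):
            errors.append("link: scheme or host not allowed")

    return errors
```

When hunting, the interesting cases are the ones this function rejects: a null where a string is expected, a 100 KB display name, and a link pointing at 127.0.0.1 or 169.254.169.254. If the target accepts them without an error, follow up with a collaborator URL in the link field and watch for the callback.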
  7. Web + Android app

    - Create an account with the same email id on the web and Android app.
    - Bypass verification with response tampering (mostly works) in the web app.
    - To verify, make changes in the Android app and check them in the web app. Examples: updating the name or number, changing data, deleting the account.
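Response tampering "mostly works" for a specific reason: the server verified something, returned the result to the client, and then trusted the client to tell it that result on the next request. The following is an added example, not code from the slides, simulating both sides in-process. A weak server and a safe server each verify an OTP before an email change; the client flow is driven through an intercepting proxy that flips the verify response to ok=true. The OTP value, session layout and endpoint names are assumptions made for illustration.

```python
"""Why response tampering works: a server that lets the client carry the
verification result, beside one that keeps the result server-side.

Added example, not code from the original slides. The OTP value, session
layout and endpoint names are assumptions made for illustration.
"""
from typing import Any, Dict

OTP_EXPECTED = "483920"          # constructed: the code the server sent out
VERIFIED = "verified_for_email_change"


class WeakServer:
    """Verifies the OTP, then trusts the client to report the outcome.

    The client-side flow reads 'ok' from the /verify response and sends
    'verified': True with the email change. Flipping the /verify response
    in a proxy (or just sending verified=True directly) is all an attacker
    needs; the server keeps no record of its own.
    """

    def __init__(self) -> None:
        self.email = "old@target.example"

    def verify(self, otp: str) -> Dict[str, Any]:
        return {"ok": otp == OTP_EXPECTED}

    def change_email(self, request: Dict[str, Any]) -> Dict[str, Any]:
        if request.get("verified") is True:
            self.email = request["new_email"]
            return {"ok": True}
        return {"ok": False, "error": "not verified"}


class SafeServer:
    """Records the verification outcome in the server-side session and
    consumes it on use; nothing the client sends can assert it."""

    def __init__(self) -> None:
        self.email = "old@target.example"
        self.session: Dict[str, Any] = {}

    def verify(self, otp: str) -> Dict[str, Any]:
        ok = otp == OTP_EXPECTED
        if ok:
            self.session[VERIFIED] = True
        return {"ok": ok}

    def change_email(self, request: Dict[str, Any]) -> Dict[str, Any]:
        # pop() makes the flag single-use: one OTP, one change.
        if not self.session.pop(VERIFIED, False):
            return {"ok": False, "error": "not verified"}
        self.email = request["new_email"]
        return {"ok": True}


def tampering_client(server: Any, otp_guess: str, new_email: str) -> Dict[str, Any]:
    """The client flow as an intercepting proxy sees it: the /verify response
    is rewritten to ok=True whatever the server said, and the next request
    carries the tampered value, just as a trusting web front end would."""
    response = server.verify(otp_guess)
    response["ok"] = True                      # the tampered response
    return server.change_email({"new_email": new_email,
                                "verified": response["ok"]})
```

This is also why the slide pairs the web app with the Android app: the mobile client is harder to tamper with in the same way, so a change that can be forced through the web client but not through Android is a hint that the enforcement lives in the client, not on the server. The fix is always the same: keep the verification state server-side, bind it to the session, and consume it once.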
  8. Burnout and time management

    FRUSTRATION: getting duplicates is okay. You found a valid bug; you just need to increase your speed.
    SCREENSHOTS: don't focus on money. Learning always leads to $$$$. Better to ignore screenshots.
    TIME: read 2 hours daily. Increase your report ratio, and finally, do not compare yourself with others.