of MVH in Vegas! (Uber, Salesforce, Zenefits) H1-514 2018: Winner of MVH in Montreal! (Shopify) H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath) H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath) H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath) H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber) H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath) H1-202 2018: Winner Best bug in Washington (Mapbox) H1-3120 2018: Winner Best bug in Amsterdam (Dropbox) H1-514 2018: Winner Highest reputation in Montreal (Shopify)
of MVH in Vegas! (Uber, Salesforce, Zenefits) H1-514 2018: Winner of MVH in Montreal! (Shopify) H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath) H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath) H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath) H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber) H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath) H1-202 2018: Winner Best bug in Washington (Mapbox) H1-3120 2018: Winner Best bug in Amsterdam (Dropbox) H1-514 2018: Winner Highest reputation in Montreal (Shopify)
"hacker-meets-dev face-to-face" bug bounty with special targets • First by HackerOne in 2016 in Vegas • More companies runs these nowadays. H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own also
a walkthrough • Hangout, slides, presented by the company itself • Ability to ask questions 2. Often a bigger scope • Often *.company.com, *.company.dev, infrastructure, IPs • Open source repos by the company • Enterprise access to products • One time social engineering(!)
do recon • This is a VERY important part • One time 48 hours. Hard! • Slack instance with the company! 4. Some allow pre-submissions • Awesome! Less preasure on final day • Faster payouts on event day
company • At HQ or hacking event (Defcon, Black Hat, Nullcon etc) • Discussions here == PRICELESS!! • Valid bugs because I could discuss with the company - This domain, what does it do? - Is this app supposed to work like this? - I noticed this weird behaviour, I think I can do this, what do you think?
early, shower and HACK • If no pre-submissions, get reports in! • Hacking day is special, sit in teams, collaboration(!) • Found many bugs on the actual day!
you have/know: • credentials needed • what domains are included, subdomains/acquisitions • what NOT to focus on (out-of-scope) • upgrades to enterprise accounts if promised
• put in "similar" effort to you • might know stuff you don't • helps you cover more target surface • you can communicate with and brainstorm Keep team small, 2-4. If 3 or more, effort will differ, allow to split differently For 2 people, 50% each is always the simplest.
• Best bugs! Example: trying all integrations from a list of 80. Read docs on how each worked Found a $20k bug due to one (1!!!) faulty implementation!
Desktop client • Web (API-paths in JS-files) • PHP/Java/Golang-SDKs • npm/composer/yarn Legacy versions of APIs? • Older versions working? • Are there docs? Web-archive?
Have integrations? (Slack, Trello, Zapier etc) • Allow integrations? (OAuth etc) • Public repos with examples? Company's Github repos • What software they use (Forks) • Synched with original repo? (No: vulns by diffing versions?)
Gists, Github, Google • "Internal indicators", search everywhere • Domains/AWS/GCP-tools in org: "org:xxx amazonaws" etc • Any users in organization? • Extract contributors from repos • Company name in users’ repos: "user:xxx company-name" • Search Github Issues, funky stuff by accident! • Non-forked repos in organization ‣ Package dependencies from employees? ‣ Still hired by the company? If not, bad
Bugs might mean bugs in prod! • Might mean company made other companies vulnerable (really bad PR for the company) LEGACY • Content from web-archive, read old documentation(!!!) • URLs from web-archive's CDX-api, commoncrawl etc. • Test all URLs. Distinguish status-codes / bytes received (Wfuzz) • Anything interesting? Filter file-types, deduplicate
here we can't cover it all. These are general things • DNS, Subbrute, sublist3r etc. So many tools! ‣ Customized subbrute with 3rd party data ‣ Generate DNS-wordlist based on findings • Existing routes from JS-files, Burp History • postMessage-tracker (logs all listener functions) • Wfuzz target (VPN with switchable IP if blocked)
here we can't cover it all. These are general things • DNS, Subbrute, sublist3r etc. So many tools! ‣ Customized subbrute with 3rd party data ‣ Generate DNS-wordlist based on findings • Existing routes from JS-files, Burp History • postMessage-tracker (logs all listener functions) • Wfuzz target (VPN with switchable IP if blocked) Best protip: Focus on BORING/HARD STUFF, other hackers won’t
Dir for target, TXT-file always open • Comments (snippets / indicators / urls) • Super helpful. Chaining bugs! - If an Open-Redirect, we can make a chain • Test-code, SDKs, screenshots in dir • Valid vulns in one place, separate from "interesting behaviour"
internal network (Both ipv4/ipv6) • Virtual host / kubernetes node is bad, due to requirement of Host-header. Not all SSRF send proper Host-header (HTTP/1.0, binding external DNS-host to internal IP etc) • Different files, depends on SSRF: MP3, ICS, XML, TXT, HTML, PNG, JPG, SVG etc. • If internal hosts can be reached without scanning internal network. One company had flags in files, simple to prove you could access.
fransrosen
kentosasaki
sosk
langstat
masatoto
skmr2348
okdt
a1da4
k951286
keisuke198619
sansan_randd
yukinobaba
samlambert
michaelherold
kneath
csswizardry
lara
lauravandoore
tammyeverts
honnibal
brettharned
hatefulcrawdad
jonrohan
