Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bug Hunting Tactics & Wins for 2021

Bug Hunting Tactics & Wins for 2021

An overview about Bug Hunting Landscape, how to win bug bounties in 2021, some of the interesting attacks to follow, and discussed issues such as Account Takeovers, 2FA Bypass, and going beyond traditional security issues.

Harsh Bothra

January 09, 2021
Tweet

More Decks by Harsh Bothra

Other Decks in Technology

Transcript

  1. Introduction Core Pentester @Cobalt.io Lazy Bug Hunter @Synack @Bugcrowd Bugcrowd

    TOP 150 Hackers & MVP Q1 – Q2 Author: Multiple Hacking Books Security Blogs @Medium Speaker @Multiple Security Conferences Poet | Writer | Learner @harshbothra_
  2. Agenda • Bug Bounty Landscape • Tactics for wins in

    2021 • Account Takeovers • 2FA Bypass • Other Interesting Issues • Tips & Tricks @harshbothra_
  3. Ways to Perform Account Takeovers CSRF XSS Broken Cryptography IDOR

    Session Hijacking Predictable Identifiers Security Misconfiguration Direct Request Missing Authorization Checks OAuth Misconfiguration Session Fixation @harshbothra_
  4. IDOR in Cookies to Account Takeover • Login as a

    victim user and capture the request with Burp. • In Cookies section there was a ROLE parameter which has a two-digit value 00. • Create an admin account and observe that now ROLE value in cookies is 11. • Upon further inspection and mapping User Role & Permission Matrix. I observed that the application uses binary bits for role definition. • 00 : User • 11 : Admin @harshbothra_
  5. IDOR in Password Reset to ATO • Password Reset page

    is Vulnerable to Host Header Attack. • Request a password reset link with malicious origin. • Victim will receive a password reset link with malicious origin like: Original Link: https://original_target.com/reset/token/<token_here> Spoofed Link: https://malicious_target.com/reset/token/<token_here> • Now set up a logger at attacker controlled malicious_target.com • Once the victim clicks on the password reset link, the token will be logged to malicious_target.com • Token has no expiry and thus attacker can utilize the token to reset the password. @harshbothra_
  6. Get in Touch At Website – https://harshbothra.tech Twitter - @harshbothra_

    Instagram - @harshbothra_ Medium - @hbothra22 LinkedIn - @harshbothra Speakerdeck - @harshbothra Email – [email protected] @harshbothra_