Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bug Hunting Tactics & Wins for 2021

Harsh Bothra
January 09, 2021
Technology
3
1k

Bug Hunting Tactics & Wins for 2021

An overview about Bug Hunting Landscape, how to win bug bounties in 2021, some of the interesting attacks to follow, and discussed issues such as Account Takeovers, 2FA Bypass, and going beyond traditional security issues.

Harsh Bothra

January 09, 2021
Tweet

More Decks by Harsh Bothra

See All by Harsh Bothra
Demystifying_Application_Security.pdf
harshbothra
0
91
Tale of Chaining Bugs for Account Takeover
harshbothra
2
2.6k
Trending Vulnerabilities with Insights to OWASP TOP 10
harshbothra
0
460
Exploiting Misconfigured Jira Instances for $$$
harshbothra
0
1k
Got Cookies? Cookie Based Authentication Vulnerabilities
harshbothra
0
820
Bug Hunting Tactics
harshbothra
3
1.4k
Application Testing Methodology & Scope Based Recon
harshbothra
2
2k
Having Fun with RegEx
harshbothra
2
1.6k
Broken Cryptography & Account Takeovers
harshbothra
1
2.8k

Other Decks in Technology

See All in Technology
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
160
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
AGIについてChatGPTに聞いてみた
blueb
0
130
複雑なState管理からの脱却
sansantech
PRO
1
150
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430

Featured

See All Featured
A Philosophy of Restraint
colly
203
16k
A better future with KSS
kneath
238
17k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Code Reviewing Like a Champion
maltzj
520
39k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Site-Speed That Sticks
csswizardry
0
25
Scaling GitHub
holman
458
140k
Happy Clients
brianwarren
98
6.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Music & Morning Musume
bryan
46
6.2k

Transcript

  1. Bug Bounty Tactics & Wins for 2021! By: Harsh Bothra

    @harshbothra_

  2. Introduction Core Pentester @Cobalt.io Lazy Bug Hunter @Synack @Bugcrowd Bugcrowd

    TOP 150 Hackers & MVP Q1 – Q2 Author: Multiple Hacking Books Security Blogs @Medium Speaker @Multiple Security Conferences Poet | Writer | Learner @harshbothra_

  3. Agenda • Bug Bounty Landscape • Tactics for wins in

    2021 • Account Takeovers • 2FA Bypass • Other Interesting Issues • Tips & Tricks @harshbothra_

  4. Bug Bounty Landscape @harshbothra_

  5. Tactics for Wins in 2021 @harshbothra_

  6. Account Takeovers Logical Wins for 2021 @harshbothra_

  7. Ways to Perform Account Takeovers CSRF XSS Broken Cryptography IDOR

    Session Hijacking Predictable Identifiers Security Misconfiguration Direct Request Missing Authorization Checks OAuth Misconfiguration Session Fixation @harshbothra_

  8. Case Studies @harshbothra_

  9. Broken Cryptography to ATO @harshbothra_

  10. @harshbothra_

  11. @harshbothra_

  12. CSRF & Client – Side Validation Bypass to ATO @harshbothra_

  13. @harshbothra_

  14. @harshbothra_

  15. @harshbothra_

  16. Cross-Site Scripting to Admin Session Hijacking & Privilege Escalation @harshbothra_

  17. @harshbothra_

  18. @harshbothra_

  19. @harshbothra_

  20. IDOR in Cookies to Account Takeover • Login as a

    victim user and capture the request with Burp. • In Cookies section there was a ROLE parameter which has a two-digit value 00. • Create an admin account and observe that now ROLE value in cookies is 11. • Upon further inspection and mapping User Role & Permission Matrix. I observed that the application uses binary bits for role definition. • 00 : User • 11 : Admin @harshbothra_

  21. IDOR in Password Reset to ATO • Password Reset page

    is Vulnerable to Host Header Attack. • Request a password reset link with malicious origin. • Victim will receive a password reset link with malicious origin like: Original Link: https://original_target.com/reset/token/<token_here> Spoofed Link: https://malicious_target.com/reset/token/<token_here> • Now set up a logger at attacker controlled malicious_target.com • Once the victim clicks on the password reset link, the token will be logged to malicious_target.com • Token has no expiry and thus attacker can utilize the token to reset the password. @harshbothra_

  22. 2FA Bypass Tactics Easy Wins & More Bounty @harshbothra_

  23. We will look at this using following Mind Map https://www.mindmeister.com/1736437018?t=SEeZOmvt01

    @harshbothra_

  24. Other Interesting Attacks to Look for in 2021 @harshbothra_

  25. Tips & Tricks @harshbothra_

  26. Get in Touch At Website – https://harshbothra.tech Twitter - @harshbothra_

    Instagram - @harshbothra_ Medium - @hbothra22 LinkedIn - @harshbothra Speakerdeck - @harshbothra Email – [email protected] @harshbothra_

  27. Thank You