Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bug Hunting Tactics & Wins for 2021

Harsh Bothra
January 09, 2021
Technology
3
1k

Bug Hunting Tactics & Wins for 2021

An overview about Bug Hunting Landscape, how to win bug bounties in 2021, some of the interesting attacks to follow, and discussed issues such as Account Takeovers, 2FA Bypass, and going beyond traditional security issues.

Harsh Bothra

January 09, 2021
Tweet

More Decks by Harsh Bothra

See All by Harsh Bothra
Demystifying_Application_Security.pdf
harshbothra
0
90
Tale of Chaining Bugs for Account Takeover
harshbothra
2
2.6k
Trending Vulnerabilities with Insights to OWASP TOP 10
harshbothra
0
460
Exploiting Misconfigured Jira Instances for $$$
harshbothra
0
1k
Got Cookies? Cookie Based Authentication Vulnerabilities
harshbothra
0
820
Bug Hunting Tactics
harshbothra
3
1.4k
Application Testing Methodology & Scope Based Recon
harshbothra
2
2k
Having Fun with RegEx
harshbothra
2
1.6k
Broken Cryptography & Account Takeovers
harshbothra
1
2.8k

Other Decks in Technology

See All in Technology
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.4k
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
220
バクラクにおける可観測性向上の取り組み
yuu26
3
410
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160
クライアントサイドでよく使われる Debounce処理 をサーバサイドで3回実装した話
yoshiori
1
150
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310
いまならこう作りたい AWSコンテナ[本格]入門ハンズオン 〜2024年版 ハンズオンの構想〜
horsewin
9
2.1k
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
200
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k

Featured

See All Featured
A designer walks into a library…
pauljervisheath
202
24k
Designing the Hi-DPI Web
ddemaree
280
34k
Fireside Chat
paigeccino
32
3k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Automating Front-end Workflow
addyosmani
1365
200k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
The Language of Interfaces
destraynor
154
24k
Documentation Writing (for coders)
carmenintech
65
4.4k
Ruby is Unlike a Banana
tanoku
96
11k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
A Modern Web Designer's Workflow
chriscoyier
692
190k

Transcript

  1. Bug Bounty Tactics & Wins for 2021! By: Harsh Bothra

    @harshbothra_

  2. Introduction Core Pentester @Cobalt.io Lazy Bug Hunter @Synack @Bugcrowd Bugcrowd

    TOP 150 Hackers & MVP Q1 – Q2 Author: Multiple Hacking Books Security Blogs @Medium Speaker @Multiple Security Conferences Poet | Writer | Learner @harshbothra_

  3. Agenda • Bug Bounty Landscape • Tactics for wins in

    2021 • Account Takeovers • 2FA Bypass • Other Interesting Issues • Tips & Tricks @harshbothra_

  4. Bug Bounty Landscape @harshbothra_

  5. Tactics for Wins in 2021 @harshbothra_

  6. Account Takeovers Logical Wins for 2021 @harshbothra_

  7. Ways to Perform Account Takeovers CSRF XSS Broken Cryptography IDOR

    Session Hijacking Predictable Identifiers Security Misconfiguration Direct Request Missing Authorization Checks OAuth Misconfiguration Session Fixation @harshbothra_

  8. Case Studies @harshbothra_

  9. Broken Cryptography to ATO @harshbothra_

  10. @harshbothra_

  11. @harshbothra_

  12. CSRF & Client – Side Validation Bypass to ATO @harshbothra_

  13. @harshbothra_

  14. @harshbothra_

  15. @harshbothra_

  16. Cross-Site Scripting to Admin Session Hijacking & Privilege Escalation @harshbothra_

  17. @harshbothra_

  18. @harshbothra_

  19. @harshbothra_

  20. IDOR in Cookies to Account Takeover • Login as a

    victim user and capture the request with Burp. • In Cookies section there was a ROLE parameter which has a two-digit value 00. • Create an admin account and observe that now ROLE value in cookies is 11. • Upon further inspection and mapping User Role & Permission Matrix. I observed that the application uses binary bits for role definition. • 00 : User • 11 : Admin @harshbothra_

  21. IDOR in Password Reset to ATO • Password Reset page

    is Vulnerable to Host Header Attack. • Request a password reset link with malicious origin. • Victim will receive a password reset link with malicious origin like: Original Link: https://original_target.com/reset/token/<token_here> Spoofed Link: https://malicious_target.com/reset/token/<token_here> • Now set up a logger at attacker controlled malicious_target.com • Once the victim clicks on the password reset link, the token will be logged to malicious_target.com • Token has no expiry and thus attacker can utilize the token to reset the password. @harshbothra_

  22. 2FA Bypass Tactics Easy Wins & More Bounty @harshbothra_

  23. We will look at this using following Mind Map https://www.mindmeister.com/1736437018?t=SEeZOmvt01

    @harshbothra_

  24. Other Interesting Attacks to Look for in 2021 @harshbothra_

  25. Tips & Tricks @harshbothra_

  26. Get in Touch At Website – https://harshbothra.tech Twitter - @harshbothra_

    Instagram - @harshbothra_ Medium - @hbothra22 LinkedIn - @harshbothra Speakerdeck - @harshbothra Email – [email protected] @harshbothra_

  27. Thank You