Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
バグバウンティ入門してみた /Getting started with Bug Bounty
Search
no1zy
February 23, 2019
14
4.8k
バグバウンティ入門してみた /Getting started with Bug Bounty
元祖 濱せっく #2での発表資料
no1zy
February 23, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
no1zy
5
1.7k
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.8k
The World Runs on Bad Software
bkeepers
PRO
70
11k
The Invisible Side of Design
smashingmag
301
51k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.8k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.5k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.5k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
890
Facilitating Awesome Meetings
lara
55
6.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
[RailsConf 2023] Rails as a piece of cake
palkan
56
5.8k
Transcript
όάόϯςΟ ೖͯ͠Έͨ no1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • όάϋϯλʔྺ 8ϲ݄ •
ڈͷ֫ಘใۚ૯ֹ 612ສԁ
2018αΠϘζใ੍ۚϥϯΩϯάఆ1Ґ
όάόϯςΟͱ • اۀ͕੬ऑੑʹରͯ͠όϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁʹԠͯ͡ใۚΛࢧ ͏੍ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ
ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ
όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report
1.Recon and Content Discovery
ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…
͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ ͕Δ
Sublist3r
dirsearch
relative-url-extractor
LinkFinder
JSParser
Google Dorks • GoogleݕࡧʹݕࡧԋࢉࢠΛ༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹཱͭ
Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl -
ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback
Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ༻͢Δ ߹ʹى͖͍͢ • ϦμΠϨΫτ࣌ʹΑ͘ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛͬͯݕࡧ͢Δ
Α͘༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri •
next • nextPage • redirect • continue
ݕࡧྫ site:example.com inurl:url
2.Find bug
Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar
Filter bypass Part1 ?redirect=https://
[email protected]
Filter bypass Part2 ?redirect=///evil.com
Filter bypass Part3 ?redirect=\/\/evil.com
DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘
ॏతʹݟΔॴ Source: • location.href • location.pathname • location.hash • location.search
Sink: • innerHTML() • eval() • document.write() • location.replace()
SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ
SSRFͷྫ αʔόʔઃఆػೳҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ͍͢ɻ
Request host=127.0.0.1:22
Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Request host=127.0.0.1:9999
Response AuthenticationFailedException: Read timed out
SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕ޭͯ͠ ͍Δ͔அ͢Δ͜ͱ͕Ͱ͖Δ߹͕͋Δ
3.Report
Golden Rule • ͕ࣗ͞Ε͍ͨଶͰ͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ •
։ൃऀʹ͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱݶΒͳ͍
ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷͰ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ
Ϩϙʔτͷ࡞͘͠ͳ͍ • ӳޠGoogle༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜMarkdown͕ ͑Δ
ใࠂॻͷߏͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to
Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵͞ΕΔͷ͔Λઆ໌͢Δ
PoCΛඞͣఴ͢Δ • ࠶ݱ͢ΔPayload͖ͷURL • εΫϦʔϯγϣοτ͔ಈըຖճఴ͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱڥهࡌ͓ͯ͘͠ͱGood
όάΛൃݟ͢Δٕज़ͷֶͼํ
ใऩू͕େ • Twitterͷϋογϡλάͷࢹ • όάϋϯλʔͷϒϩάSNSΞΧϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭϓϩδΣΫτͷ׆༻
Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip
HackerOneͷϨϙʔτΛಡΉ • HackerOneใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ
HackerOneͷϨϙʔτΛಡΉ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • όάϋϯλʔͷதʹൃݟͨ͠੬ऑੑςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩάεϥΠυΛಡΉ͜ ͱͰࣝؾ͖ͮΛಘΔ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • Frans Rosén - detectify labs • bl4de -
@_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
όάϋϯλʔҭϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101
Bugcrowd University • όάϋϯλʔΛҭ͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ
Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹটͯ͠Β͑ Δ
Happy Hunting!