Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bug Bounty Hunting on Steroids

BountyMachine
August 11, 2018
Technology
1
3.2k

Bug Bounty Hunting on Steroids

Not all hacking is fun. A lot of repetitive manual work is usually required to map the target infrastructure and decide which assets are worthy of giving attention to first. Surely there’s a better approach.

BountyMachine

August 11, 2018
Tweet

Other Decks in Technology

See All in Technology
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM, Prompt Engineering and Building Tutors
ks91
PRO
1
210
AIと開発者の共創: エージェント時代におけるAIフレンドリーなDevOpsの実践
bicstone
1
220
MCP Documentation Server @AI Coding Meetup #1
yyoshiki41
2
2.6k
Cursor AgentによるパーソナルAIアシスタント育成入門―業務のプロンプト化・MCPの活用
os1ma
7
1.7k
OSSコントリビュートをphp-srcメンテナの立場から語る / OSS Contribute
sakitakamachi
0
1.2k
JPOUG Tech Talk #12 UNDO Tablespace Reintroduction
nori_shinoda
1
100
Classmethod AI Talks(CATs) #21 司会進行スライド(2025.04.17) / classmethod-ai-talks-aka-cats_moderator-slides_vol21_2025-04-17
shinyaa31
0
370
7,000名規模の​ 人材サービス企業における​ プロダクト戦略・戦術と課題​ / Product strategy, tactics and challenges for a 7,000-employee staffing company
techtekt
0
250
はじめてのSDET / My first challenge as a SDET
bun913
1
190
.mdc駆動ナレッジマネジメント/.mdc-driven knowledge management
yodakeisuke
24
10k
All You Need Is Kusa 〜Slackデータで始めるデータドリブン〜
jonnojun
0
140
Ops-JAWS_Organizations小ネタ3選.pdf
chunkof
2
110

Featured

See All Featured
How to Ace a Technical Interview
jacobian
276
23k
Building Adaptive Systems
keathley
41
2.5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
How to train your dragon (web standard)
notwaldorf
91
6k
RailsConf 2023
tenderlove
30
1.1k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
4.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k

Transcript

  1. @anshuman_bh @_devalias @mhmdiaa Bug Bounty Hunting on Steroids

  2. @anshuman_bh @_devalias @mhmdiaa Mohammed Diaa @mhmdiaa Developer, Bug Hunter Never

    send a human to do a machine’s job Glenn ‘devalias’ Grant @_devalias Hacker, Polyglot Developer, Bounty Hunter, #SecDevOpsInTheCloudCyber™ enthusiast... Penetration Tester and Offensive Capability Development at TSS The Team Anshuman Bhartiya @anshuman_bh Security Engineer, Bug Bounty Hunter Automate all the things!! All things as code!! 2

  3. @anshuman_bh @_devalias @mhmdiaa Agenda • Problem? • Current Situation •

    Target: Ellingson Mineral Corporation • Introducing BountyMachine • Lessons Learned • Conclusion 3

  4. @anshuman_bh @_devalias @mhmdiaa Problem? • Not all hacking is fun.

    A lot of manual repetitive work. • Building everything from scratch is a bad idea.. • How do we scale across thousands of targets? • Things change all the time, we need continuous monitoring 4

  5. @anshuman_bh @_devalias @mhmdiaa Current Situation 5

  6. @anshuman_bh @_devalias @mhmdiaa Redundancy Between Tools Not invented here /

    anti unix philosophy is prevalent

  7. @anshuman_bh @_devalias @mhmdiaa An unmaintained tool is born 7 https://xkcd.com/927/

    ToolA released: does a few things ToolB released: handles some missing bits, but fails in other areas Maintainers (often a single point of failure) move on to something new.. Back to square one!

  8. @anshuman_bh @_devalias @mhmdiaa 8 You can’t build everything from scratch

    shouldn’t

  9. @anshuman_bh @_devalias @mhmdiaa Lack of Reliable Tool Comparisons You don’t

    know the right tool for the job unless you try all of them.. and there are a lot...

  10. @anshuman_bh @_devalias @mhmdiaa The situation is improving! The Bug Hunter’s

    Methodology by Jason Haddix (@jhaddix) https://github.com/jhaddix/tbhm Thanks, Jason! You’re awesome \m/ 10

  11. @anshuman_bh @_devalias @mhmdiaa 11

  12. @anshuman_bh @_devalias @mhmdiaa Poor Interoperability Many tools just don’t play

    nicely with each other

  13. @anshuman_bh @_devalias @mhmdiaa • JSON-based recon tool data output standard

    • Increase interoperability between tools • Enable a unix-philosophy recon tooling digital utopia! Join the discussion: https://github.com/ReconJSON/ReconJSON ReconJSON 13

  14. @anshuman_bh @_devalias @mhmdiaa Scaling & Reliability Learning from the dev

    side of the tech world

  15. @anshuman_bh @_devalias @mhmdiaa Scaling & Reliability • Vertical scaling ◦

    More server, more money, more problems • Horizontal scaling ◦ Flexible, fault tolerant, cheaper • Learn from the tech giants ◦ Great architectures and tools to leverage 15

  16. @anshuman_bh @_devalias @mhmdiaa Practical Research Environment There are tons of

    assets that you can hack legally

  17. @anshuman_bh @_devalias @mhmdiaa I just want to hack things... Wouldn’t

    it be nice to have: • An organized database with all the assets that are legal to hack ◦ Stick to the scope • A supporting platform that collects data about these assets ◦ Fast feedback loop • A way to easily explore the asset data ◦ Locate targets and #HackAllTheThings™ 17

  18. @anshuman_bh @_devalias @mhmdiaa It’s all about identifying assets What you

    don’t know about, you can’t protect

  19. @anshuman_bh @_devalias @mhmdiaa Unmaintained assets cause breaches 19 https://snyk.io/blog/owasp-top-10-breaches

  20. @anshuman_bh @_devalias @mhmdiaa Unmaintained assets cause breaches A9-Using Components with

    Known Vulnerabilities 12/50 breaches 24% A5-Security Misconfiguration 10/50 breaches 20% 20

  21. @anshuman_bh @_devalias @mhmdiaa Real-time inventory of target assets Ephemeral assets,

    they said. It will be fine, they said.

  22. @anshuman_bh @_devalias @mhmdiaa Attack surface is always evolving Code changes

    Bugs/regressions New code Backups New assets Hosts Cloud services Subdomains 22

  23. @anshuman_bh @_devalias @mhmdiaa Target 23

  24. @anshuman_bh @_devalias @mhmdiaa 24

  25. @anshuman_bh @_devalias @mhmdiaa What we know... 25

  26. @anshuman_bh @_devalias @mhmdiaa 26 Let’s start the demo...

  27. @anshuman_bh @_devalias @mhmdiaa Introducing BountyMachine 27

  28. @anshuman_bh @_devalias @mhmdiaa 28 Technologies

  29. @anshuman_bh @_devalias @mhmdiaa Golang 29 https://golang.org/

  30. @anshuman_bh @_devalias @mhmdiaa Docker 30 https://www.docker.com

  31. @anshuman_bh @_devalias @mhmdiaa Kubernetes 31 https://kubernetes.io/

  32. @anshuman_bh @_devalias @mhmdiaa Argo 32 https://argoproj.github.io/argo

  33. @anshuman_bh @_devalias @mhmdiaa Architecture 33

  34. @anshuman_bh @_devalias @mhmdiaa It starts with a target 34

  35. @anshuman_bh @_devalias @mhmdiaa Everything is managed by queues 35

  36. @anshuman_bh @_devalias @mhmdiaa The output of a workflow can be

    passed to another 36

  37. @anshuman_bh @_devalias @mhmdiaa New results are identified by a diff

    worker 37

  38. @anshuman_bh @_devalias @mhmdiaa Notifications only include new results 38

  39. @anshuman_bh @_devalias @mhmdiaa The monitoring worker re-checks things as scheduled

    39

  40. @anshuman_bh @_devalias @mhmdiaa 40 To sum up...

  41. @anshuman_bh @_devalias @mhmdiaa 41 Lessons Learned

  42. @anshuman_bh @_devalias @mhmdiaa Geographic Limitations 42

  43. @anshuman_bh @_devalias @mhmdiaa World Domination Headquarters 43 GMT+2 GMT-7 GMT+10

  44. @anshuman_bh @_devalias @mhmdiaa Communication 44

  45. @anshuman_bh @_devalias @mhmdiaa Dealing with conflicts 45 • Check your

    ego • Communicate openly, honestly and thoroughly! • Stay open to new suggestions • Delegate responsibilities • Be flexible • Code/data trumps assumptions

  46. @anshuman_bh @_devalias @mhmdiaa Technology 46

  47. @anshuman_bh @_devalias @mhmdiaa Technology 47 • Keep an open mind

    • Explore what is out there • Dig deep, understand how the underlying tech works • Sometimes what you want doesn’t quite exist yet.. and that’s ok • ‘Simple’ problems sometimes take a while to solve well

  48. @anshuman_bh @_devalias @mhmdiaa MVP? JIT! 48

  49. @anshuman_bh @_devalias @mhmdiaa MVP? JIT! 49 • Plan at the

    macro level • Handle intricate details Just In Time (JIT) • Backlog anything not needed now • Move fast and (hopefully don’t) break (too many) things • Done is better than perfect

  50. @anshuman_bh @_devalias @mhmdiaa About that demo... Remember Ellingson Mineral Corp?

    50

  51. @anshuman_bh @_devalias @mhmdiaa We started with... 51

  52. @anshuman_bh @_devalias @mhmdiaa BountyMachine’s Bounty 52

  53. @anshuman_bh @_devalias @mhmdiaa GitHub 53

  54. @anshuman_bh @_devalias @mhmdiaa S3 54

  55. @anshuman_bh @_devalias @mhmdiaa DNS 55

  56. @anshuman_bh @_devalias @mhmdiaa www.ellingsoncorp.com 56

  57. @anshuman_bh @_devalias @mhmdiaa press.ellingsoncorp.com 57

  58. @anshuman_bh @_devalias @mhmdiaa support.ellingsoncorp.com 58

  59. @anshuman_bh @_devalias @mhmdiaa blog.ellingsoncorp.com 59

  60. @anshuman_bh @_devalias @mhmdiaa help.ellingsoncorp.com 60

  61. @anshuman_bh @_devalias @mhmdiaa gibson.ellingsoncorp.com 61

  62. @anshuman_bh @_devalias @mhmdiaa Conclusion 62

  63. @anshuman_bh @_devalias @mhmdiaa Conclusion 63 • We can’t automate everything,

    but there is a lot we can • Less wasted time means more fun hacks! • Explore new tech, don’t be afraid to innovate • Keep tooling simple and consumable (unix philosophy) • Improve existing tools, don’t reinvent the wheel! • Check your ego, collaborate, learn, share, and keep an open mind

  64. @anshuman_bh @_devalias @mhmdiaa Special Thanks Thanks to the people who

    write open source tools. Those who understand that “Sharing is Caring”. For in the end, “None of us is good as all of us.” 64

  65. @anshuman_bh @_devalias @mhmdiaa 65 Thanks! Any questions? Reach out to

    us! @anshuman_bh @_devalias @mhmdiaa