
The #bugbounty comic

g4mm4
January 06, 2015

My funny talk @tetcon2015

Transcript

  1. #/usr/bin/whoami (a bit of self promotion :)
     • OWASP Viet Nam Leader
     • CTF Player/Organizer
     • Bounty Hunter (in spare time)
     • The professional billiards/pingpong/badminton player
  2. What is Bug Bounty?
     Vendor:
     • Create a program
     • Offer HOF (or) Swag (or) Reward (or) Duplicate
     • Get all the vulnerabilities and fix them ASAP!
     • Make products and applications secure
     Researcher:
     • Find the vulnerabilities in the target
     • Get mostly duplicates :P
     • Otherwise HOF, Swag (or) Reward!
     • Share on social networks
  3. Why bug bounties?
     • Hacking without going to JAIL
     • Chances of finding bugs to put on your resume
     • Possibility of getting a job in the industry
     • Opportunity to make money while attending college
     • Working with researchers/hackers from all over the world
  4. The #bugbounty core rules
     • First-come, first-served; be quick if you don't want to be an underdog.
     • Do not use any automated scanners. It's lame (it's OK if you use your own tools. Don't tell me you're the author of the Acunetix scanner =]], pretty lame).
     • Do not make any information public until the issue has been resolved.
     • Do not report a missing protection mechanism or an inconsistency with best practices (e.g. no CSRF token, no framing/clickjacking protection) without demonstrating real security impact for the user or system.
  5. The #bugbounty core rules (cont)
     • Don't make any threats.
     • Don't ask for money or "swag" if it's not mentioned in the rules.
     • Don't compare two programs. Two programs = different budgets.
     • Don't audit without permission. Legal issues.
     • Respect the program's decisions.
     • Respect other researchers.
     • Quality vs Quantity. Reputation in the industry.
  6. SQL injection in http://hk.promotion.yahoo.net (out of scope). Yahoo! rewarded $1,000.
     Meanwhile, for a SQL injection in http://br.educacao.yahoo.net (out of scope), Yahoo decided this report is not eligible for a bounty. It's OK, it's Yahoo's logic.
  7. References
     • Decoding Bug Bounty Programs: https://www.owasp.org/images/1/14/Rose.pdf
     • http://bluemoon.com.vn/advisories/bmsa200905.html
     • http://bluemoon.com.vn/advisories/bmsa201102.html
     • Bugbounty 101: http://nahamsec.com/Presentations/NBTCon-December-2014-Slides.pdf
     • Fun & profit with bug bounties: http://www.slideshare.net/null0x00/fun-profit-with-bug-bounties
     • Tìm Lỗ Lấy Tiền (Find bugs, get paid): http://vnhacker.blogspot.com/2011/11/tim-lo-lay-tien.html