Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Future of Bug-Bounty Hunting @Bsides Noida

Fardeen A.
August 16, 2021

The Future of Bug-Bounty Hunting @Bsides Noida

A Talk at Bsides Noida about how "The Bug-Bounty Industry is evolving security" and "API Penetration Testing to be the future of Bug-Bounty Hunting"

Fardeen A.

August 16, 2021
Tweet

More Decks by Fardeen A.

Other Decks in Technology

Transcript

  1. MY NAME IS FARDEEN AHMED, SECURITY ANALYST AND RESEARCHER, AND

    PROGRAMMER. MY WORKS MOSTLY INCLUDE AS A SECURITY ANALYST AND RESEARCHER APART FROM THAT IN MY FREE TIME I CODE. MY RECENT ACHIEVEMENTS INCLUDE FINDING CRITICAL BUGS AT CENTRAL INDUSTRIAL SECURITY FORCES , FOR WHICH I WILL BE GETTING AN AWARD FROM DEFENSE SECTOR FROM GOVERNMENT OF INDIA. APART FROM THAT, I HAVE SECURED CANVA, MASTERCARD, OLD-GAMES, ISC2, DELL AND OTHER COMPANIES
  2. 1) WHAT APPLICATION PROGRAMMING INTERFACE (API) IS AND ITS SIGNIFICANCE

    IN WEB- APPLICATION 2) TYPES OF API AND HOW THEY ARE IMPLEMENTED. 3) A DISCUSSION OVER OWASP TOP 10 API VULNERABILITIES 4) BUG-BOUNTY SECTION 1 : RECONNAISSANCE FOR API VULNERABILITIES. 5) BUG-BOUNTY SECTION 2 : FINDING YOUR FIRST API VULNERABILITY AND EXPLOITING THEM ETHICALLY 6) APPROACH TO API PENETRATION TESTING 7) DEALING WITH DIFFICULTIES AND DUPLICATES UNDER VDP AND RDP 8) CONCLUSION WITH STRONG MOTIVATION FOR NEW BUG-BOUNTY HUNTERS, PENTESTERS AND SECURITY RESEARCHER. TOPIC OF DISCUSSIONS
  3. APPLICATION PROGRAMMING INTERFACE A.K.A API APPLICATION PROGRAMMING INTERFACE WORKS AS

    AN INTERMEDIARY THAT ALLOWS TO TALK TO EACH OTHER THE APPS WE USE SUCH AS FACEBOOOK, INSTAGRAM, TWITTER, WHATSAPP ETC ALL ARE WORKING ON API THE WORK OF API INCLUDES SENDING AND RECIEVING REQUESTS, PARAMETERIZING THE INPUTS AND INCREASING THE AFFECTED LEGITIMITY OF FUNCTIONALITY WITH RESPECT TO WEBSITE / WEB-APPLICATION
  4. TYPES OF API THERE ARE BASICALLY THESE TYPES API'S 1)

    OPEN API OR PUBLIC API 2) PARTNER API 3) PRIVATE OR INTERNAL API 4) COMPOSITE API WHAT WE HAVE TO PAY ATTENTION TO 1) REST API 2) SOAP API 3) RPC API
  5. OWASP TOP 10 API VULNERABILITIES BROKEN OBJECT LEVEL AUTHORIZATION BROKEN

    AUTHENTICATION EXCESSIVE DATA DISCLOSURE LACK OF RESOURCES AND RATE LIMITING BROKEN FUNCTION LEVEL AUTHORIZATION MASS ASSIGNMENT SECURITY MISCONFIGURATION INJECTION IMPROPER ASSETS MANAGEMENT INSUFFICIENT LOGGING AND MONITORING
  6. BUG-BOUNTY SECTION : RECONNAISSANCE FOR API VULNERABILITIES INSPECTING THE SCOPE.

    USING PRIME-SCANNERS TO FILTER OUT MORE OF SCOPES RECON AT PLACES SUCH AS GITHUB, EXPLOIT-DB, CVE AND NIST REPORT RECONNAISSANCE passive passive passive active active active exploit exploit exploit after after after effects effects effects
  7. BUG-BOUNTY SECTION : END-POINTS TO TEST 1) /api/v1/api.php/ -> /api/v2/api.php/users

    2) /api/v1/api.php/ -> /api/v1/api.php/users/<fuzz end-point> 2) /api/v2/api.php/etc/password -> /api/v2/api.php/&ampetc/password 3) /api/v2/api.php/file= -> /api/v2/api.php/file=%20order By -> 4) /api/v2/api.php/dest?= -> /api/v2/api.php/dest?=<encoded injection code>
  8. 0) LEARN POSTMAN TOOL AND CONFIGURE POSTMAN TOOL WITH RESPECT

    TO BURPSUITE. 1) THE KEY TO API PENTESTING IS RECON. SO RECON ON END-POINTS 2) SELECT THE START, MID AND END-POINT OF THE GENERATED API REQUEST 3) USE OF FUZZERS MAKES WORK A LOT EASY, BUT NOT CONFIRMATORY (DIRBUSTER, DIRB, MANUAL TOOLS) 4) GENERAL FLAWS TO BE FOUND OUT :- SQL-INJECTION AND OTHER VARIOUS INJECTION ATTACKS, CROSS-SITE SCRIPTING, BOLA, SENSITIVE INFORMATION DISCLOSURE (PII, API-KEYS AS WELL AS SENSITIVE TOKEN) AND IMPROPER ASSETS MANAGEMENT. 5) YOUR BEST FRIEND IS GITHUB, EXPLOIT-DB, GOOGLE AND SHODAN. USE THEM WISELY BUG-BOUNTY SECTION : APPROACH TO LEARN API-PENETRATION TESTING
  9. 1) LEARNING PLACES :- KONTRA, PORTSWIGGER LABS 2) POSTMAN TOOL

    3) BURPSUITE 4) BOOKS : MODERN WEB-PENETRATION TESTING & ADVANCE API TESTING BUG-BOUNTY SECTION : GETTING STARTED AS AN API TESTER
  10. BUG-BOUNTY SECTION : DEALING WITH DUPLICATES AND DIFFICULTIES 1) LEAVE

    EXPECTATIONS ABOUT BOUNTY, MONETARY AWARDS OR SWAGS & LAY STRESS ON GETTING BUG TO BE EXPECTED. KEEP YOUR SYLLABUS MINIMUM. 2) ONE FLAW/BUG AT A TIME...!!!!!! 3) THINK CREATIVELY. YOUR CREATIVITY SHOULD BE DIFFERENT THEN OTHER FELLOW SECURITY RESEARCHER OR BUG-HUNTERS. 4) BE READY FOR BEST TO COME, AND PREPARE YOURSELF FOR WORST. 5) HAVE A READY TO LEARN MINDSET, THEN READY TO EARN 6) FINDING DUPE BUGS ARE MORE REWARDABLE SOMETIMES THEN GETTING BOUNTY THROUGH IT. 7) KNOW THE DIFFERENCE BETWEEN "RISK" AND "VULNERABILITY" 8) ACCEPT YOUR FAILURES AND LEARN FROM IT. 9) IF YOU DON'T KNOW, ASK. EITHER FROM GOOGLE OR FROM A FRIEND. AND COLLABORATE AND FIND BUGS IF YOU ARE COMFORTABLE. 10) READ WRITE-UPS EVERYDAY..!!!!!