Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
バグバウンティ入門してみた /Getting started with Bug Bounty
Search
no1zy
February 23, 2019
14
4.7k
バグバウンティ入門してみた /Getting started with Bug Bounty
元祖 濱せっく #2での発表資料
no1zy
February 23, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
no1zy
5
1.7k
Featured
See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
For a Future-Friendly Web
brad_frost
179
9.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
BBQ
matthewcrist
89
9.7k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
Adopting Sorbet at Scale
ufuk
77
9.4k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Visualization
eitanlees
146
16k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Stop Working from a Prison Cell
hatefulcrawdad
270
20k
Transcript
όάόϯςΟ ೖͯ͠Έͨ no1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • όάϋϯλʔྺ 8ϲ݄ •
ڈͷ֫ಘใۚ૯ֹ 612ສԁ
2018αΠϘζใ੍ۚϥϯΩϯάఆ1Ґ
όάόϯςΟͱ • اۀ͕੬ऑੑʹରͯ͠όϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁʹԠͯ͡ใۚΛࢧ ͏੍ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ
ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ
όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report
1.Recon and Content Discovery
ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…
͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ ͕Δ
Sublist3r
dirsearch
relative-url-extractor
LinkFinder
JSParser
Google Dorks • GoogleݕࡧʹݕࡧԋࢉࢠΛ༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹཱͭ
Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl -
ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback
Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ༻͢Δ ߹ʹى͖͍͢ • ϦμΠϨΫτ࣌ʹΑ͘ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛͬͯݕࡧ͢Δ
Α͘༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri •
next • nextPage • redirect • continue
ݕࡧྫ site:example.com inurl:url
2.Find bug
Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar
Filter bypass Part1 ?redirect=https://
[email protected]
Filter bypass Part2 ?redirect=///evil.com
Filter bypass Part3 ?redirect=\/\/evil.com
DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘
ॏతʹݟΔॴ Source: • location.href • location.pathname • location.hash • location.search
Sink: • innerHTML() • eval() • document.write() • location.replace()
SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ
SSRFͷྫ αʔόʔઃఆػೳҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ͍͢ɻ
Request host=127.0.0.1:22
Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Request host=127.0.0.1:9999
Response AuthenticationFailedException: Read timed out
SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕ޭͯ͠ ͍Δ͔அ͢Δ͜ͱ͕Ͱ͖Δ߹͕͋Δ
3.Report
Golden Rule • ͕ࣗ͞Ε͍ͨଶͰ͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ •
։ൃऀʹ͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱݶΒͳ͍
ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷͰ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ
Ϩϙʔτͷ࡞͘͠ͳ͍ • ӳޠGoogle༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜMarkdown͕ ͑Δ
ใࠂॻͷߏͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to
Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵͞ΕΔͷ͔Λઆ໌͢Δ
PoCΛඞͣఴ͢Δ • ࠶ݱ͢ΔPayload͖ͷURL • εΫϦʔϯγϣοτ͔ಈըຖճఴ͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱڥهࡌ͓ͯ͘͠ͱGood
όάΛൃݟ͢Δٕज़ͷֶͼํ
ใऩू͕େ • Twitterͷϋογϡλάͷࢹ • όάϋϯλʔͷϒϩάSNSΞΧϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭϓϩδΣΫτͷ׆༻
Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip
HackerOneͷϨϙʔτΛಡΉ • HackerOneใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ
HackerOneͷϨϙʔτΛಡΉ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • όάϋϯλʔͷதʹൃݟͨ͠੬ऑੑςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩάεϥΠυΛಡΉ͜ ͱͰࣝؾ͖ͮΛಘΔ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • Frans Rosén - detectify labs • bl4de -
@_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
όάϋϯλʔҭϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101
Bugcrowd University • όάϋϯλʔΛҭ͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ
Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹটͯ͠Β͑ Δ
Happy Hunting!