
バグバウンティ入門してみた /Getting started with Bug Bounty

February 23, 2019


Slides presented at 元祖 濱せっく #2 (Ganso Hama-sec #2)


Transcript

  1. バグバウンティ入門してみた / Getting started with Bug Bounty no1zy

  2. About me • Twitter: @no1zy_sec • Student at an IT vocational school • 8 months as a bug hunter • Total bounties earned last year: 6.12 million yen
  3. Provisional #1 in the 2018 ranking of Cybozu's bug bounty program

  4. What is a bug bounty? • A program in which a company puts a bounty on vulnerabilities in its products and pays a reward according to the severity of each vulnerability found • Platforms include HackerOne, Bugcrowd and BugBounty.jp

  5. Why did I start bug hunting? • I wanted to find real-world vulnerabilities • If I was going to hunt anyway, I figured getting paid for it was the better deal

  6. Bug hunting workflow 1. Recon and Content Discovery 2. Find Bug 3. Report

  7. 1.Recon and Content Discovery

  8. Why does it matter? • Digging up resources that are hard to find raises your chance of discovering a vulnerability • Subdomain enumeration • Discovering API endpoints • etc.

  9. Programs with a wide scope are recommended • i.e. programs scoped like *.example.com • A narrow scope may already have been mined out • The more subdomains there are, the more opportunities you have

  10. Sublist3r (subdomain enumeration)

  11. dirsearch (content discovery: brute-forcing paths on a web server)

  12. relative-url-extractor (pulls relative URLs out of JavaScript files)

  13. LinkFinder (finds endpoints in JavaScript files)

  14. JSParser (parses JavaScript files for endpoints)

  15. Google Dorks • Google search supports search operators • Useful for restricting results by domain, file type, strings contained in the URL and so on

  16. Google Dorks • site - search only the given domain: site:www.example.com • inurl - search for pages whose URL contains the given string: inurl:callback
  17. Finding open redirects • Likely wherever user input is used as the redirect destination • Use Google dorks to search for the parameter names commonly used for redirects

  18. Commonly used parameter names • url • uri • returnUrl • returnUri • next • nextPage • redirect • continue
  19. Search example site:example.com inurl:url

  20. 2.Find bug

  21. Open redirect example Suppose the legitimate redirect destination is https://www.example.com/foo/bar

  22. Filter bypass Part 1 ?redirect=https://www.example.com@evil.com (a prefix check sees the allowed host, but the browser treats www.example.com as the userinfo and evil.com as the host)

  23. Filter bypass Part 2 ?redirect=///evil.com (looks like a relative path to a naive check, but browsers collapse the extra slashes and resolve it to https://evil.com/)

  24. Filter bypass Part 3 ?redirect=\/\/evil.com (does not start with "//", but for http(s) URLs browsers treat a backslash as a forward slash, so it becomes //evil.com)
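The three bypasses above all come from the same root cause: the server validates the redirect target with a hand-rolled string check while the browser resolves it with a WHATWG URL parser. The block below is an added example, not code from the deck; the naive filter, the fallback URL and evil.com are assumptions for illustration. It shows each payload passing a typical naive check, the host the browser actually lands on, and a hardened check that resolves the target with the same parser the browser uses and compares origins.

```javascript
// Added example (not from the original deck): why the three open-redirect filter bypasses work.
const SITE = "https://www.example.com";
const FALLBACK = SITE + "/";   // assumed: where to send the user when the target is rejected

// A hand-rolled "is this redirect target ours?" check of the kind that gets bypassed (assumed):
//   rule 1: anything that starts with our origin string is accepted
//   rule 2: anything without an authority ("scheme://host" or "//host") is treated as a relative path
function naiveIsSafe(target) {
  if (target.startsWith(SITE)) return true;                        // defeated by "https://www.example.com@evil.com"
  const m = /^(?:[a-z][a-z0-9+.-]*:)?\/\/([^/?#]*)/i.exec(target);
  const host = m ? m[1] : null;                                    // "///evil.com" -> host "", "\/\/evil.com" -> no match
  return !host;                                                    // "no host" is taken to mean "relative" -> accepted
}

// What the browser does with the Location header: WHATWG resolution against the page that redirected.
function browserHost(target, from = SITE + "/login") {
  return new URL(target, from).host;
}

// Hardened check: parse with the browser's parser, then compare origins; anything else goes to FALLBACK.
// javascript: and data: targets resolve to origin "null" and are rejected by the same comparison.
function safeRedirect(target) {
  let u;
  try {
    u = new URL(target, SITE);
  } catch {
    return FALLBACK;
  }
  return u.origin === SITE ? u.href : FALLBACK;
}

const PAYLOADS = {
  part1: "https://www.example.com@evil.com",   // allowed host becomes the userinfo, real host is evil.com
  part2: "///evil.com",                        // special schemes ignore extra leading slashes
  part3: "\\/\\/evil.com",                     // literal \/\/evil.com: backslashes are treated as "/" for http(s)
};

// Side-by-side verdicts for each payload: { naive, browser, hardened }
function compare(target) {
  return { naive: naiveIsSafe(target), browser: browserHost(target), hardened: safeRedirect(target) };
}

for (const [name, p] of Object.entries(PAYLOADS)) console.log(name, p, compare(p));
console.log("legit", compare("/foo/bar"));
```

The naive filter does reject the obvious `//evil.com` and `https://evil.com`, which is exactly why the deck's three variants exist: each one lands in a gap between the string check and the browser's parser. The fix is not a longer blocklist but resolving the target with a WHATWG parser and comparing the origin (or, stricter still, only accepting a path from an allow-list).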

  25. DOM-based XSS example Start from the sinks in the JavaScript files and trace back to the sources

  26. Where to focus Source: • location.href • location.pathname • location.hash • location.search Sink: • innerHTML (a property assignment, not a function call) • eval() • document.write() • location.replace()
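Tracing from sink back to source by hand scales badly once a file has a few hundred lines, so the block below is an added example (not from the deck) of a minimal tracer that does the first pass for you: it marks variables assigned from the deck's four sources as tainted, propagates that taint through simple declarations, and reports every sink whose argument mentions a source or a tainted variable. The vulnerable and fixed snippets it runs on are constructed for this example.

```javascript
// Added example (not code from the original deck): a minimal sink-to-source tracer for DOM XSS review.
const SOURCES = ["location.href", "location.pathname", "location.hash", "location.search"];

// sink name -> regex capturing the expression that flows into the sink
const SINKS = [
  ["innerHTML", /\.innerHTML\s*=(?!=)\s*(.+)$/],           // property assignment, "==" is not a write
  ["eval()", /\beval\s*\((.*)\)/],
  ["document.write()", /\bdocument\.write(?:ln)?\s*\((.*)\)/],
  ["location.replace()", /\blocation\.replace\s*\((.*)\)/],
];

// `var|let|const name = <expr>`; identifiers limited to [A-Za-z_]\w* so they are safe inside a RegExp
const DECL = /^\s*(?:var|let|const)\s+([A-Za-z_]\w*)\s*=\s*(.+?);?\s*$/;

// An expression is tainted if it reads a source directly or mentions an already-tainted variable.
function isTainted(expr, tainted) {
  if (SOURCES.some((s) => expr.includes(s))) return true;
  for (const id of tainted) if (new RegExp(`\\b${id}\\b`).test(expr)) return true;
  return false;
}

function traceDomXss(js) {
  const lines = js.split("\n");
  const tainted = new Set();
  // Propagate taint through declarations until a full pass adds nothing (so declaration order does not matter).
  let changed = true;
  while (changed) {
    changed = false;
    for (const line of lines) {
      const m = DECL.exec(line);
      if (m && !tainted.has(m[1]) && isTainted(m[2], tainted)) {
        tainted.add(m[1]);
        changed = true;
      }
    }
  }
  // Second pass: every sink whose argument is tainted is a candidate to review.
  const findings = [];
  lines.forEach((line, i) => {
    for (const [sink, re] of SINKS) {
      const m = re.exec(line);
      if (m && isTainted(m[1], tainted)) {
        findings.push({ line: i + 1, sink, expr: m[1].trim().replace(/;$/, "") });
      }
    }
  });
  return { tainted: [...tainted], findings };
}

// Constructed vulnerable snippet: location.hash reaches innerHTML, location.search reaches location.replace.
const VULNERABLE = [
  'var name = decodeURIComponent(location.hash.slice(1));',
  'document.getElementById("greeting").innerHTML = "Hello " + name;',
  'var params = new URLSearchParams(location.search);',
  'var next = params.get("next");',
  'location.replace(next);',
].join("\n");

// Constructed fixed form of the first flow: textContent never parses markup.
const FIXED = [
  'var name = decodeURIComponent(location.hash.slice(1));',
  'document.getElementById("greeting").textContent = "Hello " + name;',
].join("\n");

console.log(traceDomXss(VULNERABLE));
console.log(traceDomXss(FIXED));
```

The tracer is deliberately line-based and has no idea whether a value was validated on the way, so a flagged `location.replace(next)` still needs a manual check of what `next` is allowed to be (a `javascript:` URL reaching it is XSS, an arbitrary URL is an open redirect). It also misses taint that travels through function parameters, object properties or `window.name`; treat its output as a worklist for the manual sink-to-source review the slide describes, not as a verdict.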
  27. SSRF example Suppose the mail server settings feature lets you specify an arbitrary URL

  28. SSRF example Server settings features are usually designed to accept whatever server the user specifies, so SSRF is easy to find there.

  29. Request host=127.0.0.1:22

  30. Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

  31. Request host=127.0.0.1:9999

  32. Response AuthenticationFailedException: Read timed out

  33. SSRF example Sometimes the differences between the strings shown in error messages are enough to tell whether a port scan through the SSRF succeeded: here port 22 reflects the SSH banner, while port 9999 only produces a read timeout.
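Once the endpoint reflects a different error per port state, the scan is a matter of collecting one response per port and bucketing them by message shape. The block below is an added example (not code from the deck): `transport(host, port)` stands in for submitting the settings form with `host=127.0.0.1:<port>` and returning the error text, and `fakeTransport` replays the two responses quoted in the slides plus one assumed "Connection refused" body for a closed port, so it runs offline.

```javascript
// Added example (not from the original deck): turning reflected error strings into port state.

// Rule-based classification for the message shapes we already understand.
function classify(body) {
  const banner = /Unexpected response: (.+)$/.exec(body);
  if (banner) return { state: "open", banner: banner[1].trim() };   // a service answered with data
  if (/connection refused/i.test(body)) return { state: "closed" };  // assumed shape: nothing listening
  if (/timed out/i.test(body)) return { state: "no-response" };      // accepted silently, or filtered
  return { state: "unknown" };
}

// Collapse the variable parts (banner text, numbers) so ports whose messages differ only there
// share a bucket. A message shape with no rule still forms its own bucket, which is how you
// notice a third state before writing a rule for it.
function signature(body) {
  return body
    .replace(/Unexpected response: .*/, "Unexpected response: <banner>")
    .replace(/\d+/g, "N");
}

// One request per port; returns per-port verdicts and the message-shape buckets.
function scan(ports, transport, host = "127.0.0.1") {
  const results = {};
  const buckets = {};
  for (const port of ports) {
    const body = transport(host, port);
    results[port] = { ...classify(body), raw: body };
    const sig = signature(body);
    (buckets[sig] = buckets[sig] || []).push(port);
  }
  return { results, buckets };
}

// Constructed fake target. Ports 22 and 9999 replay the responses quoted in the slides;
// the port 25 body is an assumed shape for a closed port, not something observed on the target.
function fakeTransport(host, port) {
  const replies = {
    22: "IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4",
    9999: "AuthenticationFailedException: Read timed out",
    25: "Could not connect to SMTP host: " + host + ", port: 25; Connection refused",
  };
  return replies[port] || "Unknown error";
}

const SAMPLE = scan([22, 25, 9999], fakeTransport);
console.log(SAMPLE.results);
console.log(SAMPLE.buckets);
```

Against a live target the transport would be an `async` function that submits the form and reads the error from the response, so `scan` would `await` it; the classification and bucketing stay the same. Keep the request rate low and the port list short on a real program: every probe is a connection made from the target's own server, and the timeout case is what makes a scan of the full port range slow.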

  34. 3. Report

  35. Golden Rule • Treat others the way you would want to be treated • Think about how your report will come across to whoever reads it • Respect matters • Write for the developer: the person reading it is not necessarily a security engineer
  36. Why does it matter? When the report is well written • it gets validated faster • the program owner remembers the reporter • no time is wasted on reproduction problems

  37. Writing a report is not hard • Google Translate is enough to get the English across • Most platforms support Markdown

  38. Example report structure 1. Description - explain the vulnerability • Which feature? • What kind of vulnerability? 2. Steps to Reproduce • The trick to writing them clearly: one action per step 3. Impact • Explain what this vulnerability lets an attacker compromise
  39. Always attach a PoC • The URL with the payload that reproduces the issue • Attaching a screenshot or video every time gets the report validated faster • Noting the environment you reproduced it in is good too

  40. How to learn bug-finding skills

  41. Gathering information matters • Watch Twitter hashtags • Bug hunters' blogs and social media accounts • HackerOne reports • Make use of bug hunter training projects

  42. Twitter hashtags • #bugbounty • #bugbountytips OR #bugbountytip

  43. Read HackerOne reports • On HackerOne, reported vulnerabilities are sometimes publicly disclosed • Reading disclosed reports teaches you everything from vulnerability discovery techniques to how to write a report

  44. Read HackerOne reports

  45. Bug hunters' blogs and social media accounts • Some bug hunters publish the vulnerabilities and techniques they find • Reading their blogs and slides gives you knowledge and new insights

  46. Bug hunters' blogs and social media accounts • Frans Rosén - Detectify Labs • bl4de - @_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
  47. Making use of bug hunter training projects • Bugcrowd University • Hacker101

  48. Bugcrowd University • An open-source project for training bug hunters • Covers everything from techniques for finding various kinds of vulnerabilities to how to submit a good report

  49. Hacker101 • Learn through CTF challenges and videos • Once you pass a certain number of CTF points you get invited to HackerOne private programs

  50. Happy Hunting!