Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
バグバウンティ入門してみた /Getting started with Bug Bounty
Search
no1zy
February 23, 2019
14
4.7k
バグバウンティ入門してみた /Getting started with Bug Bounty
元祖 濱せっく #2での発表資料
no1zy
February 23, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
no1zy
5
1.7k
Featured
See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Six Lessons from altMBA
skipperchong
28
3.9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
4 Signs Your Business is Dying
shpigford
184
22k
Navigating Team Friction
lara
187
15k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Producing Creativity
orderedlist
PRO
346
40k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
YesSQL, Process and Tooling at Scale
rocio
173
14k
A designer walks into a library…
pauljervisheath
207
24k
Transcript
όάόϯςΟ ೖͯ͠Έͨ no1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • όάϋϯλʔྺ 8ϲ݄ •
ڈͷ֫ಘใۚ૯ֹ 612ສԁ
2018αΠϘζใ੍ۚϥϯΩϯάఆ1Ґ
όάόϯςΟͱ • اۀ͕੬ऑੑʹରͯ͠όϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁʹԠͯ͡ใۚΛࢧ ͏੍ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ
ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ
όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report
1.Recon and Content Discovery
ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…
͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ ͕Δ
Sublist3r
dirsearch
relative-url-extractor
LinkFinder
JSParser
Google Dorks • GoogleݕࡧʹݕࡧԋࢉࢠΛ༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹཱͭ
Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl -
ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback
Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ༻͢Δ ߹ʹى͖͍͢ • ϦμΠϨΫτ࣌ʹΑ͘ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛͬͯݕࡧ͢Δ
Α͘༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri •
next • nextPage • redirect • continue
ݕࡧྫ site:example.com inurl:url
2.Find bug
Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar
Filter bypass Part1 ?redirect=https://
[email protected]
Filter bypass Part2 ?redirect=///evil.com
Filter bypass Part3 ?redirect=\/\/evil.com
DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘
ॏతʹݟΔॴ Source: • location.href • location.pathname • location.hash • location.search
Sink: • innerHTML() • eval() • document.write() • location.replace()
SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ
SSRFͷྫ αʔόʔઃఆػೳҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ͍͢ɻ
Request host=127.0.0.1:22
Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Request host=127.0.0.1:9999
Response AuthenticationFailedException: Read timed out
SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕ޭͯ͠ ͍Δ͔அ͢Δ͜ͱ͕Ͱ͖Δ߹͕͋Δ
3.Report
Golden Rule • ͕ࣗ͞Ε͍ͨଶͰ͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ •
։ൃऀʹ͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱݶΒͳ͍
ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷͰ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ
Ϩϙʔτͷ࡞͘͠ͳ͍ • ӳޠGoogle༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜMarkdown͕ ͑Δ
ใࠂॻͷߏͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to
Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵͞ΕΔͷ͔Λઆ໌͢Δ
PoCΛඞͣఴ͢Δ • ࠶ݱ͢ΔPayload͖ͷURL • εΫϦʔϯγϣοτ͔ಈըຖճఴ͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱڥهࡌ͓ͯ͘͠ͱGood
όάΛൃݟ͢Δٕज़ͷֶͼํ
ใऩू͕େ • Twitterͷϋογϡλάͷࢹ • όάϋϯλʔͷϒϩάSNSΞΧϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭϓϩδΣΫτͷ׆༻
Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip
HackerOneͷϨϙʔτΛಡΉ • HackerOneใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ
HackerOneͷϨϙʔτΛಡΉ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • όάϋϯλʔͷதʹൃݟͨ͠੬ऑੑςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩάεϥΠυΛಡΉ͜ ͱͰࣝؾ͖ͮΛಘΔ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • Frans Rosén - detectify labs • bl4de -
@_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
όάϋϯλʔҭϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101
Bugcrowd University • όάϋϯλʔΛҭ͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ
Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹটͯ͠Β͑ Δ
Happy Hunting!