バグバウンティ入門してみた /Getting started with Bug Bounty

Transcript

1. όάό΢ϯςΟ ೖ໳ͯ͠Έͨ no1zy

2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • όάϋϯλʔྺ 8ϲ݄ •

   ڈ೥ͷ֫ಘใ঑ۚ૯ֹ 612ສԁ

3. 2018೥αΠϘ΢ζใ঑੍ۚ౓ϥϯΩϯά࢑ఆ1Ґ

4. όάό΢ϯςΟͱ͸ • اۀ͕੬ऑੑʹରͯ͠ό΢ϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁ౓ʹԠͯ͡ใ঑ۚΛࢧ ෷͏੍౓ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ

5. ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ঑͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ

6. όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report

7. 1.Recon and Content Discovery

8. ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…

9. ޿͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔ΋ͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ΋޿ ͕Δ

10. Sublist3r

11. dirsearch

12. relative-url-extractor

13. LinkFinder

14. JSParser

15. Google Dorks • Googleݕࡧʹ͸ݕࡧԋࢉࢠΛ࢖༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹ໾ཱͭ

16. Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl -

    ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback

17. Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ࢖༻͢Δ৔ ߹ʹى͖΍͍͢ • ϦμΠϨΫτ࣌ʹΑ͘࢖ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛ࢖ͬͯݕࡧ͢Δ

18. Α͘࢖༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri •

    next • nextPage • redirect • continue

19. ݕࡧྫ site:example.com inurl:url

20. 2.Find bug

21. Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar

22. Filter bypass Part1 ?redirect=https://www.example.com@evil.com

23. Filter bypass Part2 ?redirect=///evil.com

24. Filter bypass Part3 ?redirect=\/\/evil.com

25. DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘

26. ॏ఺తʹݟΔ৔ॴ Source: • location.href • location.pathname • location.hash • location.search

    Sink: • innerHTML() • eval() • document.write() • location.replace()

27. SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹ೚ҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ

28. SSRFͷྫ αʔόʔઃఆػೳ͸೚ҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ΍͍͢ɻ

29. Request host=127.0.0.1:22

30. Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

31. Request host=127.0.0.1:9999

32. Response AuthenticationFailedException: Read timed out

33. SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕੒ޭͯ͠ ͍Δ͔൑அ͢Δ͜ͱ͕Ͱ͖Δ৔߹͕͋Δ

34. 3.Report

35. Golden Rule • ࣗ෼͕઀͞Ε͍ͨଶ౓Ͱ઀͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ੾ •

    ։ൃऀʹ޲͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱ͸ݶΒͳ͍

36. ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔ͸ใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷ໰୊Ͱ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ

37. Ϩϙʔτͷ࡞੒͸೉͘͠ͳ͍ • ӳޠ͸Google຋༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜ͸Markdown͕ ࢖͑Δ

38. ใࠂॻͷߏ੒ͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to

    Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ΍͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵֐͞ΕΔͷ͔Λઆ໌͢Δ

39. PoCΛඞͣఴ෇͢Δ • ࠶ݱ͢ΔPayload෇͖ͷURL • εΫϦʔϯγϣοτ͔ಈը͸ຖճఴ෇͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱ؀ڥ΋هࡌ͓ͯ͘͠ͱGood

40. όάΛൃݟ͢Δٕज़ͷֶͼํ

41. ৘ใऩू͕େ੾ • Twitterͷϋογϡλάͷ؂ࢹ • όάϋϯλʔͷϒϩά΍SNSΞΧ΢ϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭ੒ϓϩδΣΫτͷ׆༻

42. Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip

43. HackerOneͷϨϙʔτΛಡΉ • HackerOne͸ใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ

44. HackerOneͷϨϙʔτΛಡΉ

45. όάϋϯλʔͷϒϩά΍SNSΞΧ΢ϯτ • όάϋϯλʔͷதʹ͸ൃݟͨ͠੬ऑੑ΍ςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩά΍εϥΠυΛಡΉ͜ ͱͰ஌ࣝ΍ؾ͖ͮΛಘΔ

46. όάϋϯλʔͷϒϩά΍SNSΞΧ΢ϯτ • Frans Rosén - detectify labs • bl4de -

    @_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS

47. όάϋϯλʔҭ੒ϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101

48. Bugcrowd University • όάϋϯλʔΛҭ੒͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ

49. Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ௒͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹট଴ͯ͠΋Β͑ Δ

50. Happy Hunting!