Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
バグバウンティ入門してみた /Getting started with Bug Bounty
Search
no1zy
February 23, 2019
14
4.7k
バグバウンティ入門してみた /Getting started with Bug Bounty
元祖 濱せっく #2での発表資料
no1zy
February 23, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
no1zy
5
1.6k
Featured
See All Featured
For a Future-Friendly Web
brad_frost
176
9.6k
Designing for Performance
lara
604
68k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
100
18k
Scaling GitHub
holman
459
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Why Our Code Smells
bkeepers
PRO
336
57k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Invisible Side of Design
smashingmag
299
50k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Building a Scalable Design System with Sketch
lauravandoore
461
33k
Transcript
όάόϯςΟ ೖͯ͠Έͨ no1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • όάϋϯλʔྺ 8ϲ݄ •
ڈͷ֫ಘใۚ૯ֹ 612ສԁ
2018αΠϘζใ੍ۚϥϯΩϯάఆ1Ґ
όάόϯςΟͱ • اۀ͕੬ऑੑʹରͯ͠όϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁʹԠͯ͡ใۚΛࢧ ͏੍ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ
ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ
όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report
1.Recon and Content Discovery
ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…
͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ ͕Δ
Sublist3r
dirsearch
relative-url-extractor
LinkFinder
JSParser
Google Dorks • GoogleݕࡧʹݕࡧԋࢉࢠΛ༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹཱͭ
Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl -
ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback
Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ༻͢Δ ߹ʹى͖͍͢ • ϦμΠϨΫτ࣌ʹΑ͘ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛͬͯݕࡧ͢Δ
Α͘༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri •
next • nextPage • redirect • continue
ݕࡧྫ site:example.com inurl:url
2.Find bug
Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar
Filter bypass Part1 ?redirect=https://www.example.com@evil.com
Filter bypass Part2 ?redirect=///evil.com
Filter bypass Part3 ?redirect=\/\/evil.com
DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘
ॏతʹݟΔॴ Source: • location.href • location.pathname • location.hash • location.search
Sink: • innerHTML() • eval() • document.write() • location.replace()
SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ
SSRFͷྫ αʔόʔઃఆػೳҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ͍͢ɻ
Request host=127.0.0.1:22
Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Request host=127.0.0.1:9999
Response AuthenticationFailedException: Read timed out
SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕ޭͯ͠ ͍Δ͔அ͢Δ͜ͱ͕Ͱ͖Δ߹͕͋Δ
3.Report
Golden Rule • ͕ࣗ͞Ε͍ͨଶͰ͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ •
։ൃऀʹ͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱݶΒͳ͍
ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷͰ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ
Ϩϙʔτͷ࡞͘͠ͳ͍ • ӳޠGoogle༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜMarkdown͕ ͑Δ
ใࠂॻͷߏͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to
Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵͞ΕΔͷ͔Λઆ໌͢Δ
PoCΛඞͣఴ͢Δ • ࠶ݱ͢ΔPayload͖ͷURL • εΫϦʔϯγϣοτ͔ಈըຖճఴ͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱڥهࡌ͓ͯ͘͠ͱGood
όάΛൃݟ͢Δٕज़ͷֶͼํ
ใऩू͕େ • Twitterͷϋογϡλάͷࢹ • όάϋϯλʔͷϒϩάSNSΞΧϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭϓϩδΣΫτͷ׆༻
Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip
HackerOneͷϨϙʔτΛಡΉ • HackerOneใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ
HackerOneͷϨϙʔτΛಡΉ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • όάϋϯλʔͷதʹൃݟͨ͠੬ऑੑςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩάεϥΠυΛಡΉ͜ ͱͰࣝؾ͖ͮΛಘΔ
όάϋϯλʔͷϒϩάSNSΞΧϯτ • Frans Rosén - detectify labs • bl4de -
@_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
όάϋϯλʔҭϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101
Bugcrowd University • όάϋϯλʔΛҭ͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ
Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹটͯ͠Β͑ Δ
Happy Hunting!