Slide 1

Bug Bounty Tactics & Wins for 2021!
By: Harsh Bothra (@harshbothra_)

Slide 2

Introduction
• Core Pentester @Cobalt.io
• Lazy Bug Hunter @Synack @Bugcrowd
• Bugcrowd TOP 150 Hackers & MVP Q1 – Q2
• Author: Multiple Hacking Books
• Security Blogs @Medium
• Speaker @Multiple Security Conferences
• Poet | Writer | Learner

Slide 3

Agenda
• Bug Bounty Landscape
• Tactics for Wins in 2021
• Account Takeovers
• 2FA Bypass
• Other Interesting Issues
• Tips & Tricks

Slide 4

Bug Bounty Landscape

Slide 5

Tactics for Wins in 2021

Slide 6

Account Takeovers
Logical Wins for 2021

Slide 7

Ways to Perform Account Takeovers
• CSRF
• XSS
• Broken Cryptography
• IDOR
• Session Hijacking
• Predictable Identifiers
• Security Misconfiguration
• Direct Request
• Missing Authorization Checks
• OAuth Misconfiguration
• Session Fixation

Slide 8

Case Studies

Slide 9

Broken Cryptography to ATO

Slide 10

Slide 11

Slide 12

CSRF & Client-Side Validation Bypass to ATO

Slide 13

Slide 14

Slide 15

Slide 16

Cross-Site Scripting to Admin Session Hijacking & Privilege Escalation

Slide 17

Slide 18

Slide 19

Slide 20

IDOR in Cookies to Account Takeover
• Log in as a victim user and capture the request with Burp.
• In the Cookies section there was a ROLE parameter with a two-digit value, 00.
• Create an admin account and observe that the ROLE value in the cookie is now 11.
• Upon further inspection and mapping of the user role & permission matrix, I observed that the application uses binary bits for role definition:
• 00 : User
• 11 : Admin

Slide 21

IDOR in Password Reset to ATO
• The password reset page is vulnerable to a Host header attack.
• Request a password reset link with a malicious origin.
• The victim receives a password reset link with the malicious origin, like:
  Original link: https://original_target.com/reset/token/
  Spoofed link: https://malicious_target.com/reset/token/
• Now set up a logger at the attacker-controlled malicious_target.com.
• Once the victim clicks the password reset link, the token is logged to malicious_target.com.
• The token has no expiry, so the attacker can use it to reset the password.
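Added example (not from the deck) showing the root cause behind the slide above and the defender's fix: the vulnerable link builder takes its origin from the request's Host header, the hardened one uses a configured canonical base URL, and reset tokens get an expiry and single use. Names such as build_reset_link_safe, CANONICAL_BASE and the in-memory token store are my own assumptions.

```python
import secrets
import time

# Configured server-side, never derived from the incoming request (assumed value).
CANONICAL_BASE = "https://original_target.com"
TOKEN_TTL_SECONDS = 15 * 60


def build_reset_link_vulnerable(request_headers, token):
    """Vulnerable pattern from the slide: the link origin is copied from the
    attacker-controllable Host header, so a poisoned request makes the victim
    receive a link pointing at malicious_target.com with a valid token."""
    host = request_headers.get("Host", "original_target.com")
    return f"https://{host}/reset/{token}/"


def build_reset_link_safe(token):
    """Hardened pattern: ignore the Host header and use the configured base."""
    return f"{CANONICAL_BASE}/reset/{token}/"


# Constructed in-memory store: token -> (user, issued_at). A real app would
# persist this and store a hash of the token rather than the token itself.
_tokens = {}


def issue_token(user, now=None):
    """Create an unguessable token and record when it was issued."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = (user, time.time() if now is None else now)
    return token


def redeem_token(token, now=None):
    """Return the user if the token is unknown-to-attackers-by-guess, unexpired
    and unused; otherwise None. Fixes the 'no expiry' weakness on the slide by
    enforcing a TTL and making every token single-use."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    if entry is None:
        return None
    user, issued_at = entry
    _tokens.pop(token, None)          # single use, whether or not it is still valid
    if now - issued_at > TOKEN_TTL_SECONDS:
        return None                   # expired: leaked old links are worthless
    return user
```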

Slide 22

2FA Bypass Tactics
Easy Wins & More Bounty

Slide 23

We will look at this using the following mind map: https://www.mindmeister.com/1736437018?t=SEeZOmvt01

Slide 24

Other Interesting Attacks to Look for in 2021

Slide 25

Tips & Tricks

Slide 26

Get in Touch At
• Website – https://harshbothra.tech
• Twitter – @harshbothra_
• Instagram – @harshbothra_
• Medium – @hbothra22
• LinkedIn – @harshbothra
• Speakerdeck – @harshbothra
• Email – [email protected]

Slide 27

Thank You