Slide 1

Getting Started with Bug Bounties: What I Tried / no1zy

Slide 2

About me
• twitter: @no1zy_sec
• Student at an IT vocational college
• 8 months as a bug hunter
• Total bounties earned last year: 6.12 million yen

Slide 3

Provisionally ranked 1st in the 2018 Cybozu bug bounty program ranking

Slide 4

What is a bug bounty?
• A program in which a company puts a bounty on vulnerabilities and pays a reward according to the severity of each vulnerability found
• Platforms such as HackerOne, Bugcrowd and BugBounty.jp exist

Slide 5

Why did I start bug hunting?
• I wanted to try finding real-world vulnerabilities
• If I was going to look for them anyway, I figured it was a better deal if there was a reward

Slide 6

Bug hunting workflow
1. Recon and Content Discovery
2. Find Bug
3. Report

Slide 7

1.Recon and Content Discovery

Slide 8

Why does it matter?
• Looking for hard-to-find resources raises the chance of discovering a vulnerability
• Subdomain enumeration
• Discovering API endpoints
• etc…

Slide 9

Programs with a wide scope are recommended
• *.example.com ← scopes that look like this
• With a narrow scope, the target may already have been picked clean
• The more subdomains there are, the more possibilities open up

Slide 10

Sublist3r

Slide 11

dirsearch

Slide 12

relative-url-extractor

Slide 13

LinkFinder

Slide 14

JSParser

Slide 15

Google Dorks
• Google search supports search operators
• Useful for restricting results by domain, file type, strings contained in the URL, and so on

Slide 16

Google Dorks
• site - searches websites on the specified domain: site:www.example.com
• inurl - searches websites whose URL contains the specified string: inurl:callback

Slide 17

Finding Open Redirects
• Likely to occur when user input is used as the redirect destination
• Use Google Dorks to search for parameter names commonly used for redirects

Slide 18

Commonly used parameter names
• url
• uri
• returnUrl
• returnUri
• next
• nextPage
• redirect
• continue

Slide 19

Search example: site:example.com inurl:url

Slide 20

2.Find bug

Slide 21

Open Redirect example
Assume the legitimate redirect destination is:
https://www.example.com/foo/bar

Slide 22

Filter bypass Part1 ?redirect=https://[email protected]

Slide 23

Filter bypass Part2 ?redirect=///evil.com

Slide 24

Filter bypass Part3 ?redirect=\/\/evil.com
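As an added example (not from the deck), the bypass strings above are run in Python against a typical flawed redirect filter and a stricter one, to show why prefix and "looks relative" checks fail and what a defensible check looks like. The allowed host, both filter functions and the inputs are assumptions; the userinfo payload is constructed here because this copy of the deck has it obfuscated, and one prefix-match input the deck does not list is included as well.

```python
# Added example, not code from the original slides.
from urllib.parse import urlparse

ALLOWED_HOST = "www.example.com"   # assumed legitimate redirect host

def naive_is_safe(target: str) -> bool:
    """Flawed filter: anything that parses without a host is treated as a
    relative path, and anything else only has to start with the trusted
    origin as a plain string prefix."""
    if urlparse(target).netloc == "":
        return True
    return target.startswith("https://" + ALLOWED_HOST)

def strict_is_safe(target: str) -> bool:
    """Accept only an absolute same-site path, or an absolute https URL
    whose parsed hostname is exactly the allowed host."""
    if "\\" in target:                  # browsers turn '\' into '/' in http(s) URLs
        return False
    if target.startswith("/"):
        return not target.startswith("//")   # '//host' is protocol-relative
    parsed = urlparse(target)
    if parsed.scheme != "https" or "@" in parsed.netloc:
        return False                    # userinfo before '@' hides the real host
    return parsed.hostname == ALLOWED_HOST

# Constructed inputs: the deck's legitimate target, a same-site path,
# its three filter-bypass payloads, and one prefix-match bypass the deck
# does not list.
CASES = (
    "https://www.example.com/foo/bar",
    "/foo/bar",
    "https://www.example.com@evil.com",   # userinfo trick (Part 1)
    "///evil.com",                        # browsers collapse to https://evil.com (Part 2)
    "\\/\\/evil.com",                     # backslashes normalised to '//' (Part 3)
    "https://www.example.com.evil.com/",  # trusted host used as a prefix
)

def run_cases():
    """Return {input: (naive verdict, strict verdict)} for every case."""
    return {t: (naive_is_safe(t), strict_is_safe(t)) for t in CASES}

if __name__ == "__main__":
    for target, (naive, strict) in run_cases().items():
        print(f"{target:40} naive={naive!s:5} strict={strict}")
```

Note that Python's urlparse reports an empty netloc for `///evil.com` and `\/\/evil.com`, which is exactly why server-side "is it relative?" checks built on it disagree with what the browser will do.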

Slide 25

DOM Based XSS example
Trace from the sinks in JS files back to their sources

Slide 26

Where to focus
Source:
• location.href
• location.pathname
• location.hash
• location.search
Sink:
• innerHTML
• eval()
• document.write()
• location.replace()

Slide 27

SSRF example
Suppose a mail server settings feature lets you specify an arbitrary URL

Slide 28

SSRF example
Server settings features are often designed to let you specify any server, so SSRF is common there.

Slide 29

Request host=127.0.0.1:22

Slide 30

Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

Slide 31

Request host=127.0.0.1:9999

Slide 32

Response AuthenticationFailedException: Read timed out

Slide 33

SSRF example
Differences in the strings shown in error messages can sometimes reveal whether a port scan via SSRF is succeeding

Slide 34

3.Report

Slide 35

Golden Rule
• Treat others the way you would want to be treated
• Think about how the report you submit will be received
• Respect matters
• Write for the developers; the reader is not necessarily a security engineer

Slide 36

Why does it matter?
When a report is well written:
• Validation takes less time
• Program owners remember the reporter
• No time is wasted on reproducibility problems

Slide 37

Writing reports is not hard
• For English, Google Translate gets you through
• Most platforms support Markdown

Slide 38

Example report structure
1. Description - explanation of the vulnerability
• What feature?
• What kind of vulnerability?
2. Steps to Reproduce - reproduction steps
• Tip: one action per step keeps it easy to follow
3. Impact - threat
• Explain what this vulnerability compromises

Slide 39

Always attach a PoC
• A URL with a payload that reproduces the issue
• Attaching a screenshot or video every time speeds up validation
• Noting the environment used for reproduction is good too

Slide 40

How to learn bug-finding skills

Slide 41

Gathering information matters
• Monitoring Twitter hashtags
• Bug hunters' blogs and social media accounts
• HackerOne reports
• Making use of bug hunter training projects

Slide 42

Twitter hashtags
• #bugbounty
• #bugbountytips OR #bugbountytip

Slide 43

Reading HackerOne reports
• On HackerOne, reported vulnerabilities are sometimes disclosed publicly
• Reading disclosed reports teaches everything from techniques for finding vulnerabilities to how to write a report

Slide 44

Reading HackerOne reports

Slide 45

Bug hunters' blogs and social media accounts
• Some bug hunters publish the vulnerabilities and techniques they have found
• Reading those people's blogs and slides gives you knowledge and new insights

Slide 46

Bug hunters' blogs and social media accounts
• Frans Rosén - detectify labs
• bl4de - @_bl4de
• Emad Shanab - @Alra3ees
• EdOverflow - edoverflow.com
• INFOSEC WRITE-UPS

Slide 47

Making use of bug hunter training projects
• Bugcrowd University
• Hacker101

Slide 48

Bugcrowd University
• An open-source project for training bug hunters
• Covers everything from techniques for finding various vulnerabilities to how to submit a good report

Slide 49

Hacker101
• Learn through CTFs and videos
• Exceeding a certain number of points in the CTF gets you invited to HackerOne private programs

Slide 50

Happy Hunting!