Link
Embed
Share
Beginning
This slide
Copy link URL
Copy link URL
Copy iframe embed code
Copy iframe embed code
Copy javascript embed code
Copy javascript embed code
Share
Tweet
Share
Tweet
Slide 1
Slide 1 text
όάόϯςΟ ೖͯ͠Έͨ no1zy
Slide 2
Slide 2 text
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • όάϋϯλʔྺ 8ϲ݄ • ڈͷ֫ಘใۚ૯ֹ 612ສԁ
Slide 3
Slide 3 text
2018αΠϘζใ੍ۚϥϯΩϯάఆ1Ґ
Slide 4
Slide 4 text
όάόϯςΟͱ • اۀ͕੬ऑੑʹରͯ͠όϯςΟΛ͔͚ɺൃ ݟ͞Εͨ੬ऑੑͷॏཁʹԠͯ͡ใۚΛࢧ ͏੍ • HackerOne, Bugcrowd, BugBounty.jpͳͲͷ ϓϥοτϑΥʔϜ͕͋Δ
Slide 5
Slide 5 text
ͳͥόάϋϯτΛ࢝Ίͨͷ͔ʁ • ϦΞϧϫʔϧυͷ੬ऑੑΛݟ͚ͭͯΈ͔ͨͬ ͨ • Ͳ͏ͤ୳͢ͳΒใ͕ۚग़Δํ͕͓ಘ͔ͳͬ ͯࢥͬͨ
Slide 6
Slide 6 text
όάϋϯτͷखॱ 1.Recon and Content Discovery 2.Find Bug 3.Report
Slide 7
Slide 7 text
1.Recon and Content Discovery
Slide 8
Slide 8 text
ͳͥͦΕ͕ॏཁ͔ʁ • ݟ͚ͭʹ͍͘ϦιʔεΛ୳͢͜ͱͰ੬ऑੑΛ ൃݟͰ͖ΔՄೳੑ্͕͕Δ • αϒυϝΠϯྻڍ • APIΤϯυϙΠϯτͷൃݟ • etc…
Slide 9
Slide 9 text
͍είʔϓͷϓϩάϥϜ͕Φεεϝ • *.example.com ←͜͏ͳ͍ͬͯΔͷ • ڱ͍είʔϓͩͱطʹ۷Γਚ͘͞Ε͍ͯΔՄ ೳੑ͕͋Δ • αϒυϝΠϯ͕ͨ͘͞Μ͋Δ΄ͲՄೳੑ ͕Δ
Slide 10
Slide 10 text
Sublist3r
Slide 11
Slide 11 text
dirsearch
Slide 12
Slide 12 text
relative-url-extractor
Slide 13
Slide 13 text
LinkFinder
Slide 14
Slide 14 text
JSParser
Slide 15
Slide 15 text
Google Dorks • GoogleݕࡧʹݕࡧԋࢉࢠΛ༻͢Δ͜ͱ͕ Ͱ͖Δ • υϝΠϯɺϑΝΠϧλΠϓɺURLʹؚ·ΕΔจ ࣈྻͷࢦఆͳͲʹཱͭ
Slide 16
Slide 16 text
Google Dorks • site - ࢦఆ͞ΕͨυϝΠϯͷwebαΠτΛݕࡧ site:www.example.com • inurl - ࢦఆ͞Εͨจࣈྻ͕URLʹؚ·ΕΔ WebαΠτΛݕࡧ inurl:callback
Slide 17
Slide 17 text
Open RedirectΛ୳͢ • ϦμΠϨΫτઌʹϢʔβʔೖྗΛ༻͢Δ ߹ʹى͖͍͢ • ϦμΠϨΫτ࣌ʹΑ͘ΘΕΔύϥϝʔλ໊ ΛGoogle DorksΛͬͯݕࡧ͢Δ
Slide 18
Slide 18 text
Α͘༻͞ΕΔύϥϝʔλ໊ • url • uri • returnUrl • returnUri • next • nextPage • redirect • continue
Slide 19
Slide 19 text
ݕࡧྫ site:example.com inurl:url
Slide 20
Slide 20 text
2.Find bug
Slide 21
Slide 21 text
Open Redirectͷྫ ਖ਼͍͠ϦμΠϨΫτઌ͕ҎԼͱ͢Δ https://www.example.com/foo/bar
Slide 22
Slide 22 text
Filter bypass Part1 ?redirect=https://
[email protected]
Slide 23
Slide 23 text
Filter bypass Part2 ?redirect=///evil.com
Slide 24
Slide 24 text
Filter bypass Part3 ?redirect=\/\/evil.com
Slide 25
Slide 25 text
DOM Based XSSͷྫ JSϑΝΠϧͷSink͔ΒSourceΛḷ͍ͬͯ͘
Slide 26
Slide 26 text
ॏతʹݟΔॴ Source: • location.href • location.pathname • location.hash • location.search Sink: • innerHTML() • eval() • document.write() • location.replace()
Slide 27
Slide 27 text
SSRFͷྫ ϝʔϧαʔόʔઃఆػೳʹҙͷURLΛࢦఆ Ͱ͖Δͱ͢Δ
Slide 28
Slide 28 text
SSRFͷྫ αʔόʔઃఆػೳҙͷαʔόʔΛࢦఆͰ ͖ΔΑ͏ʹઃܭ͞Ε͍ͯΔ͜ͱ͕ଟ͍ͷͰ SSRF͕ى͜Γ͍͢ɻ
Slide 29
Slide 29 text
Request host=127.0.0.1:22
Slide 30
Slide 30 text
Response IOException: Unexpected response: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Slide 31
Slide 31 text
Request host=127.0.0.1:9999
Slide 32
Slide 32 text
Response AuthenticationFailedException: Read timed out
Slide 33
Slide 33 text
SSRFͷྫ Τϥʔϝοηʔδʹදࣔ͞ΕΔจࣈྻͷࠩҟʹΑͬ ͯ443'ʹΑΔϙʔτεΩϟϯ 941" ͕ޭͯ͠ ͍Δ͔அ͢Δ͜ͱ͕Ͱ͖Δ߹͕͋Δ
Slide 34
Slide 34 text
3.Report
Slide 35
Slide 35 text
Golden Rule • ͕ࣗ͞Ε͍ͨଶͰ͢Δ • ใࠂͨ͠Ϩϙʔτ͕ͲͷΑ͏ʹײ͡ΒΕΔ͔ ߟ͑Δ • ϦεϖΫτ͕େ • ։ൃऀʹ͚ͯॻ͘ɻಡΜͰ͍Δਓ͕ηΩϡ ϦςΟٕज़ऀͱݶΒͳ͍
Slide 36
Slide 36 text
ͳͥͦΕ͕ॏཁͳͷ͔ʁ ྑ͍ใࠂॻ͕ॻ͔Ε͍ͯΔͱ • ೝఆ·Ͱͷ͕࣌ؒૣ͍ • ϓϩάϥϜͷΦʔφʔใࠂऀͷ͜ͱΛ֮͑ ͍ͯΔ • ࠶ݱੑͷͰ࣌ؒΛແବʹ͠ͳͯ͘ࡁΉ
Slide 37
Slide 37 text
Ϩϙʔτͷ࡞͘͠ͳ͍ • ӳޠGoogle༁ͰͳΜͱ͔ͳΔ • ͍͍ͩͨͷϓϥοτϑΥʔϜMarkdown͕ ͑Δ
Slide 38
Slide 38 text
ใࠂॻͷߏͷྫ 1.Description - ੬ऑੑͷઆ໌ • ͲΜͳػೳ? • Ͳ͏͍ͬͨ੬ऑੑ? 2.Step to Reproduce - ࠶ݱखॱ • Ұૢ࡞Ұखॱ͕Θ͔Γ͘͢ॻ͘ίπ 3.Impact - ڴҖ • ͜ͷ੬ऑੑʹΑͬͯԿ͕৵͞ΕΔͷ͔Λઆ໌͢Δ
Slide 39
Slide 39 text
PoCΛඞͣఴ͢Δ • ࠶ݱ͢ΔPayload͖ͷURL • εΫϦʔϯγϣοτ͔ಈըຖճఴ͓ͯ͠ ͘ͱೝఆ·Ͱͷ͕࣌ؒૣ͍ • ࠶ݱڥهࡌ͓ͯ͘͠ͱGood
Slide 40
Slide 40 text
όάΛൃݟ͢Δٕज़ͷֶͼํ
Slide 41
Slide 41 text
ใऩू͕େ • Twitterͷϋογϡλάͷࢹ • όάϋϯλʔͷϒϩάSNSΞΧϯτ • HackerOneͷϨϙʔτ • όάϋϯλʔҭϓϩδΣΫτͷ׆༻
Slide 42
Slide 42 text
Twttierϋογϡλά • #bugbounty • #bugbountytips OR #bugbountytip
Slide 43
Slide 43 text
HackerOneͷϨϙʔτΛಡΉ • HackerOneใࠂ͞Εͨ੬ऑੑ͕ެ։͞Εͯ ͍Δ͜ͱ͕͋Δ • ެ։͞Ε͍ͯΔใࠂΛಡΉ͜ͱͰ੬ऑੑΛൃ ݟ͢ΔςΫχοΫ͔Βใࠂͷॻ͖ํ·ͰֶͿ ͜ͱ͕Ͱ͖Δ
Slide 44
Slide 44 text
HackerOneͷϨϙʔτΛಡΉ
Slide 45
Slide 45 text
όάϋϯλʔͷϒϩάSNSΞΧϯτ • όάϋϯλʔͷதʹൃݟͨ͠੬ऑੑςΫ χοΫΛެ։͍ͯ͠Δਓ͕͍Δ • ͦ͏͍ͬͨਓୡͷϒϩάεϥΠυΛಡΉ͜ ͱͰࣝؾ͖ͮΛಘΔ
Slide 46
Slide 46 text
όάϋϯλʔͷϒϩάSNSΞΧϯτ • Frans Rosén - detectify labs • bl4de - @_bl4de • Emad Shanab - @Alra3ees • EdOverflow - edoverflow.com • INFOSEC WRITE-UPS
Slide 47
Slide 47 text
όάϋϯλʔҭϓϩδΣΫτͷ׆༻ • Bugcrowd University • Hacker101
Slide 48
Slide 48 text
Bugcrowd University • όάϋϯλʔΛҭ͢ΔΦʔϓ ϯιʔεϓϩδΣΫτ • ͞·͟·ͳ੬ऑੑΛൃݟ͢Δς ΫχοΫ͔Βྑ͍ใࠂͷఏग़ํ ๏·ͰֶͿ͜ͱ͕Ͱ͖Δ
Slide 49
Slide 49 text
Hacker101 • CTFͱಈըͰֶͿ͜ͱ͕Ͱ͖ Δ • CTFͰҰఆϙΠϯτΛ͑Δ ͱHackerOneͷϓϥΠϕʔτ ϓϩάϥϜʹটͯ͠Β͑ Δ
Slide 50
Slide 50 text
Happy Hunting!