ZillyGurke – Minecraft Anarchy How to Shot Web: Web and mobile hacking in 2015

Welcome back to another advertisement episode for laser cutland. It's reachable under lga.silicon.com and it's an anarchy vanilla server, and yeah, if you're interested in more details about what the server is and so on, just watch any other video on this channel. I usually take quite some time explaining what the server is and stuff, but I don't feel like it right now, so just watch any other video, and I'm going to play back a talk from the DEF CON conference now. It's a YouTube video from 2015, it's uploaded on the general DEF CON channel and it has the title DEF CON 23, Jason Haddix... oh, that name sounds unfamiliar. Maybe I know the talk already? Oh, it's been lying in my watch later playlist since forever and I feel like I'm familiar with it already, I don't know. Jason Haddix's How to Shot Web: Web and Mobile Hacking in 2015.

I didn't know that there was like web and mobile already in 2015. Well yeah, sure, I mean the web was there for sure, and mobile... when did mobile start, when did it become like a mainstream thing? Was it like 2015? I think it was already prior to 2010, right? I mean, yeah, I don't know. For me smartphones are still such a new thing. Boy, I'm getting old. I don't know. Yeah, so if you're interested in the talk, make sure to check out the original, and if you're interested in this Minecraft server where you can play anarchy in vanilla, the latest version, then check out lgl.edum.com. There are not many players, but that could also be seen as an advantage, so nobody will bother you. Okay, cool, let's get started and we're going to watch the talk.

Better web hacking and mobile hacking in 2015. I know you're talking right now, so I really appreciate everyone being here. He's way smarter than me. So, this is me. I work for Bugcrowd, I'm the director of technical operations, I manage a team of hackers who validate the bugs behind the scenes of Bugcrowd's large-scale bug bounty programs. In 2014 I participated as only a researcher, I didn't work for them yet, and this talk is about the methodology that I used there to do web hacking, as well as a little bit of mobile stuff, as well as stuff I learned from other researchers while doing this work. So what is this really about? It's just how to hack stuff better and practically. I put in a lot of memes and some of them are not funny, apparently, my wife says so. It's okay.

So more specifically, what I did is I started off with my methodology, which was the normal pen tester methodology when I started doing this work, you know, basic web application assessment, and so I then went out and manually parsed all of the public research of all the badass bug bounty hunters I knew. So there's about 150 people that I knew just around the Twitter scene. That's interesting, sorry. Twitter scene, as well as people I just knew who were good at it, right? And so I went through every single article they had ever written from the beginning of the crowdsourced bug bounty scene, and also all of the Google and Facebook programs that I could find, like, you know, enterprise-based bug bounty stuff, and I created a presentation around what I distilled from that knowledge. So this is kind of the stuff that I'm going to bring in this presentation: philosophy shifts from doing bug bounty testing versus traditional web app testing, discovery techniques, mapping methodology, parameters often attacked, useful fuzz strings, bypass or filter evasion techniques, and some tooling that I think is cooler than other tooling.

Cool, so the first section is philosophy. So the difference is between kind of bug bounty hunting and being a web pen tester. You know, I'm not really here to argue this debate, there's a lot of people who feel strongly about both sides, and they're both right, honestly. But when you get down to the practical work, you introduce a lot of stuff here. You introduce time onto a security tester, right? They're not used to competition when they're doing this kind of stuff, unless you're playing in a CTF, which, you know, you're used to that. I played in some CTFs so I was kind of used to it. You know, you're only incentivized on one side, for what you find and not the hours you put in. So I mean, this is a basic overview of how they differ, but the talk is more about the technical stuff. But yeah, you basically tailor your methodology around finding stuff in the 20 as opposed to the 80 across application assessment, so we'll go into how that 80/20 rule kind of fits in the rest of the slides.

So if you're doing regular web app assessment you're following these two bibles, right? The OWASP Testing Guide or the Web Application Hacker's Handbook. This is usually what you're trained from and what your internal methodologies are built off of at almost any of the good consultancies, and the authors are, you know, super great testers, right? But these take you from A to Z, and, you know, even though they find good bugs, they take a long time to complete in their full scale. So bug bounties are different. So if you want to do web hacking, you want to get started, these are what you go for.

But my talk is a little bit different, so let's talk about discovery in web application assessment for a bounty. So what you want to do in a bug bounty is basically find the road less traveled, and this is if you're aiming to get paid, I think. So you can attack the flagship application that the company has, right? But really that's not where the vulnerabilities are going to be most of the time. That application has been tested by a pentest team, it's probably had a bug bounty on it for a long time. What you really want to find is the parts of the applications that are like subdomains or maybe obscure web servers on different ports. You want to find acquisitions that maybe the company has had recently that came in from a different development team, and they might have a whole slew of problems that came from a whole different group. You want to look at functionality changes and redesigns on sites, mobile websites because they're set to render differently on your phone, and also new mobile app versions when you're testing. So we're going to go into some tools and stuff I use to find new surface area for you to attack.

So recon-ng. Recon-ng is this tool that basically allows you to do a whole bunch of automated host discovery and stuff, and one part of it is it has all these modules to do subdomain brute forcing and subdomain discovery. Now subdomain discovery is a big part of finding, you know, applications that have been left out there. I mean, marketing spins up a site, you know, dev spins up a test site, you have like integration stuff left up, so finding those and hacking those and getting RCE or code execution through those sites is kind of where you can get big payouts. So this script, what it does is it iteratively scrapes Google for all subdomains on a given web property. So let's say acme.com, this will find... this is great, Google for everything that is in acme.com minus www.acme.com and then iteratively remove those results until you're down to this long list of subdomains. It also scrapes Bing, Baidu, Netcraft and brute forces subdomains like your common Fierce tool would. So this is on GitHub, it's a simple shell wrapper around recon-ng, so you need to have recon-ng installed. If you use Kali Linux you can just pop the script in and go. Yeah, so this is the output of something like that against a company like this. You can see there's a lot of output, probably a lot of domains here that have gone under-assessed as far as you go.

So this is that idea of iterating through Google to find subdomains. So here you have site: and then minus www sites, and then what I found on the first hit was sandbox, so I removed that on the next run through, and this is that scraping that's happening that the tool is doing. And then you get more entries floating to the top, so you get credit, apply or business or shopping or advertising, and you just keep on removing these until you have all of them, and then you brute force, and then you end up with a huge list of sites to assess.

And then you want to go through, and on your entity that you're attacking you want to find any mergers or acquisitions that maybe aren't the domain that you're given, right, but they've just purchased a company, right? So Oculus, you know, purchased by Facebook, had some bugs and they got popped as soon as they were acquired, and they were not under the Facebook six month rule, or I don't know if today it's six months, I can't remember how long, but yeah, they got popped immediately, right? And that was a whole different dev team but owned by Facebook and worthy of an RCE bug. They got hit with SQL injection in a custom header. That was great, well, not great, but it was good for the bounty. So, yeah, so Wikipedia for Facebook and Google does this really well, people update these things all the time when there's an acquisition, for like stock reasons, right? So keep an eye on these. If your company has, you know, purchased something else and they have some new domain and it might not be in the bug bounty brief yet, you can go after this if you're doing those types of bounties.

There's also a repository of links of every kind of bug that's come out on Facebook and PayPal and Google. People like to share this information. This one is hosted on Facebook, I have no idea why. The link's in there, and the slides have everything hyperlinked, you can go check it out. But these are all the blog articles that reference bugs. Now why is this important if somebody else has already found these bugs? Because bugs get represented across the domain in different places, so you can tell a lot about an organization once you read these articles and find the same bug in other locations, like those subdomains you found, maybe rogue web servers and things like that. It also kind of tells you what they're going to do to fix them, like how they filtered out input. You get a lot of intel around the application, so, you know, really doing a lot of research on your target can't hurt, but it's not the fast stuff.

So, port scanning. I mentioned before, port scanning is not just for net pen. So, yeah, I mean, How I Hacked Facebook, there was an article by Ryan Dewhurst who was like, I started up port scanning and found some weird server which was a Jenkins script console with no auth, and that was it. He got in, like, simple as that, right? Like 8,000 bucks or something like that, right, or even more, I don't remember. So asp.net, the Microsoft domain that, you know, evangelizes .NET, had RDP open to the world with MS12-020 vulnerable on it, and so that was a thing. So yeah, just go ahead and, you know, use a simple Nmap syntax to start, you know, port scanning all of your sites and make sure you check all those services. This syntax will port scan for all ports on a domain as well as pull out any HTTP server titles and display those in the output. It also is a SYN scan and OS fingerprint. So, mapping. So you found all of these new servers,

right, like maybe subdomains or maybe you found an acquisition or something like that. Now you want to move into mapping an individual application. So, taking notes is really important when you're doing this, whether you're doing it inside of like a notepad or, you know, just using pen and paper or like Evernote. I use Evernote, all my bugs are templatized, so when I find them I can just copy and paste into the disclosure email or whatever like that. So these are some mapping tips that I use right away. So Google is actually your friend, right? You can get a lot of parameter information from just googling a domain and figuring out what happens there. I know there's some like parameter parsing scripts, I couldn't find a really good one for this presentation, but, you know, they will just parse parameters out of the Google cache stuff.

But really the next big thing is directory brute forcing, right? Finding unlinked content, content that's not supposed to be there. So a lot of people use like DirBuster or content discovery in Burp for this kind of thing, and that's good, they're good lists, but those lists were created by going out and spidering the internet and finding, you know, every path after the top-level domain and then prioritizing them. There's some other lists that are better for this type of work. So the RAFT lists are these lists that came out of a talk maybe four or five years ago. RAFT was an application proxy, it was a decent one, but it's since been discontinued, but its lists for directory brute forcing have lived on. They are a spider of the internet's robots.txt files, so everything that everybody doesn't want you to see is in this directory brute forcing list. So it's super sick. I can't tell you how many bugs I found just using this list, like big files, badly configured stuff, it's just all over the place. SVNDigger is another list like this. They went out and spidered all the SVN projects, so if your project or your site or your target is an open source place you can take all the paths that have been converted for you to directory brute forcing lists to get better application coverage or find config files. GitDigger is the same thing for Git.

So after you do some unlinked content discovery, or directory brute forcing, whatever you want to call it, you move on to trying to identify your platform. So there's just some really simple wins here. Wappalyzer and BuiltWith are Chrome extensions that you can just click and they will give you pretty much the whole stack by looking at the headers, the comments in the pages, the way they render, like analytics things that have been integrated, and they'll just give you like the whole server stack, and they'll even give you version numbers if they can identify them. So Wappalyzer and BuiltWith are super sick. Retire.js is one of my new favorites. It will profile all of the server-side JavaScript libraries and tell you if they're out of date, as well as give you all the vulnerabilities before that patch or, you know, the version you're on. So you'll get a list of prioritized cross-site scripting or whatever is in jQuery at the time, right? And then once you identify all of these servers' version numbers, you just go check for CVEs and, you know, server-side stuff. So that's pretty standard, that's web stuff, but these are some good tools.

Now if you happen to come across a CMS, which is like the pen tester's training, because those things suck and the plugins suck, you want to use these two tools. WPScan for WordPress, a lot of people use this already, it will identify all plugins and users for a WordPress install as well as look up any vulns that are associated with those plugins that have been disclosed, and then CMSmap for Drupal and, what is the other CMS? There you go, thank you, awesome. So those are the two that have really yielded any value for me. So here you see a screenshot of WPScan, and it's, you know, found a version of a plugin or a theme that already has like a cross-site scripting or a file upload vulnerability in it. Sometimes there's false positives, but honestly, for what this script does, it provides so much value. That's great.

So the directory brute forcing we talked about a little bit earlier, I mean the workflow for this a lot of people do, but I just put the slide in here because I see a lot of people do it a little bit weird, I think. They'll brute force like off the top-level path a lot and then just stop, right? And so they'll get some errors and they don't know what to do with it. So they'll go to acme.com and get a 200, and then they'll go to /blog and they'll get a 404, and they'll get more 404s and more 404s, and you know there's nothing there, but then they'll hit like control panel and see a 401, and then they'll be like, well, I can't do anything, I'm not authorized, right? So they don't brute force after control panel. There's so many like messed up access controls on web server bugs that you can exploit if you just brute force after that. You'll probably find something, so I just see this a lot where people stop after the top-level domain directory enumeration. So that's kind of the workflow you're doing there. Some other things that you can do is mapping and vuln discovery using open source intelligence, so

these are one, two, three, four, five, five sites, six, six methods that you can use to find already published bugs or almost already public bugs. I mean, I guess I'm pretty sure I've seen the talk already, I mean, or like someone describing the same tools and using the same memes, which is also possible. But yeah, they're considered like n-day or whatever. But XSSed.com, Reddit XSS, PunkSPIDER is actually a Burp engine that just scans the internet, so if your target is a high profile site, information might already be in here for your test and you can pull it out and use it to your advantage, even if those bugs have already been disclosed. And I found bugs that were on here but not disclosed to the customer, to the bounty, so that's actually worked before, it was like a super easy win. They help you get a feeling for what the company has faced before as far as issues like prevalent cross-site scripting, cross-site request forgery, file upload, and then you can do regression testing on all the domains that you found earlier in the presentation. So yeah, go out and use these resources to try to find bugs in the platform as quickly as possible, because they're free and they're already out there and the customers should know about them anyway, it's the responsible thing to do.

Okay, so this is my intern Ben. He's never spoken before, at that point neither have I actually been speaking, but he did an awesome project and he's going to talk about it for a couple seconds.

So, hello everyone, my name is Ben. Like Jason mentioned, I'm an intern at Bugcrowd on Jason's team. For the past couple of months we actually gathered a bunch of JSON files that include all the metadata for each bug bounty program that's out there, so there's 200, 250 plus bounty programs that are included in this project, and they all include information like how much the minimum bounty is, how much the maximum is, what mobile apps are included, what web apps are included, what's not included in the scope of the program as well. And we actually used all this data and fed it into different scripts. Like on the screen, we put it into Knock and it just went through every single one of those programs and brute forced their subdomains, and this also is available on a GitHub account and everyone could go and use it if they want to. So the JSON files look similar to this. This is Yahoo's program a couple months ago, we don't know, but what we have is a DNS record that shows yahoo.com itself and all subdomains of it, and Flickr and all subdomains of Flickr are included in the scope, as well as other mobile apps that are included in the scope as well.

And as you can see at the bottom there's two of them that have two domains, which is yahoo.net, and there's some stuff, domains and yahoo itself not being included in the scope of the program. So what we ended up doing with this, using Ruby we wrote a script, we fed it every single one of the JSON files and we crawled, and for example for this one we have redirect, and you can see, we couldn't disclose the domain, but there's a bunch of sites that are out there that have the redirect out there that you can easily record and take them out and report to the vendor. Taking it further, same idea, we used all the JSON files and we fed that into Intrigue, which is an API framework that is for intelligence gathering, and it does a bunch of tasks that you can see on the left side of the screen. It includes doing subdomain brute force, web spider, Nmap and, you name it, we can do it with Intrigue. So also the tool is available on GitHub as well, it's open source, go ahead and fork and commit to it if you need to.

What we ended up doing for Intrigue is we parsed every single JSON file with Ruby, and you can see at the line when it says r, we are taking the task which is called dns_brute_sub, which is a subdomain brute forcer, and we give it an entity and options that are all included in the manual, and we are running that for a JSON file which at the bottom shows it's being assigned an ID that you can just go on your localhost and check out and see what Intrigue has found. So for example we did intrigue.io and you can see all those top domains that have been out there that Intrigue found with their IP addresses as well, and make sure you guys check it out. Like I said, it's online and you can do whatever you can think of out there. Awesome, yeah, that's a sick tool

and a sick framework, both mapping and recon. Intrigue, like, I mean if you've used FOCA and Maltego and everything like that, it's like an open source version of those licensed tools. I love both those tools, by the way, just saying, like, use both if you can, but Intrigue is going to be sick, you guys should check it out.

Okay, so on to the auth and session section. I'm going to have to blow through some of this because this presentation is long and there's a ton of stuff. So auth-related bugs, the one thing I want to say about these, right, these are low, shallow bugs that everybody hates, people who report to bug bounties. The problem is, if people start not paying attention to them, you can't chain them to do bigger things, right? So we've had multiple bugs, or I've had multiple bugs, where we've had a couple small issues like with password resets or, like, you know, something like that, and then we've chained them to make like a critical account takeover bug. So these are really important, but these are the kind of bugs that a lot of people see in, like, the hashtag bag bounty instead of bug bounty, you know, people really don't like them. Don't discount them, just note them, and if they're out of scope don't do anything with them, but you might be able to use them later. That's all I really have to say about some of these.

So session, the same kind of things, right? So failure to invalidate old cookies, like no new cookies on login, and timeout never, and cookie... but these are all things you're going to be able to use later when you need to chain bugs, but a lot of times they're either out of scope or unappreciated or duped or something. But yeah, you should keep them in mind when you continue

testing, because they can be chained into bigger issues. So the big part of this one is actually tactical fuzzing. So I go through a couple different injection types, or, you know, vulnerability types here, and so we're going to talk about cross-site scripting and some research that some really cool people have done. So the core idea of cross-site scripting, right: does the page functionality display something to the users? Like, you know, that's kind of the question I ask myself. You know, can I get reflections somehow with JavaScript? And so you can do manual testing, which is great, right, and you enter in your meta characters and see if they return, but really when I'm trying to work fast in a bug bounty I have three or four like magic strings that I use. So you've probably used them before. The technical definition for them is polyglot payloads. These are web polyglot payloads, and so the first one you'll probably recognize. This one is RSnake's, they used to call it the RSnake battering ram, or that's what I call it when I work, you need a lot of characters for that. You've probably used this before, you put it into the search bar or comment field and then you pray that you get cross-site scripting, right? So this is the first one. This is actually a multi-context, filter-bypass-based polyglot web payload. It's a mouthful, I know, but basically it's designed to evade filters and it's about to execute in different web contexts, and it's really cool. So I have three of these strings that I cite here that if you're just doing bug bounty hunting you can use and just kind of move along on your critical functions on the site.

So this one is from a researcher named Ashar Javed. He does cross-site scripting research, I think he did his PhD in cross-site scripting, which blows my mind. So this is a multi-context filter-bypass-based polyglot as well. So you can see here that he's trying to mark up in a whole bunch of different contexts. He's got like an at sign here to trick email filters, or, you know, maybe a form only takes emails or something like that. So he actually ran this along the Alexa top 100 and like 80 of them were vulnerable in just their search parameters with this string. So, you know, more ammo for you guys doing bug bounties. This one is one by Mathias Karlsson, and is he here right now? Is Mathias here? Hey, there he is, he's awesome.

So he did a whole presentation on this idea of multi-context polyglot payloads and websites, so this is his multi-context polyglot payload, and so this is one that I use now, so thank you. Other XSS observations, when I started parsing bug bounty work as well as getting bugs myself: so finding input vectors is important. So finding customizable themes or profiles that use CSS, but then you can trick them into using JavaScript to execute cross-site scripting. A lot of names of like events or meetings in any application that deals with those types of things. URI-based XSS is still a big thing, when people pull things from the URI and render it for some reason. Importing from a third party, so things like Facebook integration where they're maybe filtering characters but your site actually displays Facebook data inline, so you can set your name on Facebook to script alert and it will alert on this site. JSON POST values that didn't return the correct content type, so a lot of people discount web services right away because they think that the content type won't execute cross-site scripting, or won't execute JavaScript, so you have to really check and make sure they're returning the content type, otherwise you can get reflected XSS in a lot of web services like that. File upload names, when you're uploading I'll just try to change it to script alert or whatever like that, it's going to echo that file name back, usually, in a lot of places. Uploaded files themselves, this is a huge one actually that's all over the place, so a compiled SWF file or an HTML file that's designed to execute its own JavaScript and you basically attack a file upload. So a lot of, you know, file uploads, there's a whole section here about file upload, we'll talk about it more in a little bit. Custom pages where they're echoing out what you can't find, put XSS strings in there. Fake parameters, where the page might parse some big parameter data and put it into your response. And then login and forgot password problems.

Also, this is SWF parameter XSS. This is a huge thing as well. I don't think I've ever found a SWF file that I've decompiled that hasn't been vulnerable to either cross-site scripting anymore, or remote file include, and actually Dennis here is like the guy I ask questions about all the time. So, yeah, so those things are like jPlayer and like all of these like COTS software that are SWF files that do like media or whatever, so there's a whole OWASP page on the common params that these players use and then also the injection strings, but for these you have to kind of do more manual analysis. So to do that manual analysis I use this tool called Flashbang, which I think is super awesome, it's by Cure53. You drop in a SWF file, on the other end comes out all of the parameters that might be vulnerable to cross-site scripting. It decompiles it for you and it displays them, along with if they're going to execute out of the context of the SWF file. I highly suggest this tool if you're going to do some SWF hacking, it's way better than like a lot of the old ones.

Cool, so SQL injection. The core idea: does the page look like it might need to call on some stored data? Obviously this is Mathias's SQLi polyglot, where it will execute single quote, double quote and straight into query context. So I've seen a lot of cross-site scripting polyglots, and remember these are things that actually scanners are starting to do, right? They don't want to send a million fuzzing payloads to a parameter because you have like eight million parameters on the page, so it just takes forever to scan things, right? So Mathias in his presentation has this string and I imagine a lot of fuzzers, web fuzzers and scanners will start to pick up on this type of thing if they haven't already, the idea of these multi-context injection strings. So this is awesome as well. So for SQL injection, to kind of go through and fuzz things I also use this project called the SecLists project, and it's got a whole bunch of lists and settings, and it was a fork of the FuzzDB, and then we added to it with like username and password lists and all this crazy stuff. Daniel Miessler here actually helped me curate it and we designed it together, and it's invaluable, right? It's got, like, by type of injection, so if you want to just do like a login bypass in MySQL it's got all those strings curated that you would usually use to do SQL injection there. I highly suggest using this, and I just load these in Burp into Intruder when I want to attack a form or something like that, some parameter I think is vulnerable. So other observations. So blind is the predominant SQL injection, you hardly ever get error-based SQL injection anymore, and so in those cases you use like benchmark strings and stuff to make the page take a long time to load

And that’s how you identify whether you take it the whole exploit way is uh you know it’s up to you right we have a lot of researchers i know who just want to identify and move on right i like to to run sql maps eventually because it’s still king i mean

There’s no other tool that does it as good as sql map um and that’s actually something i learned doing the research with everybody through sql map at some point um so yeah some tips for for sql map uh basically when you’re doing this you can actually

Park and parse a whole burp log file so like enable verb to do logging and then parse the whole log file and actually buzz the whole log file with sql map it takes forever it’s not like the greatest way to do things but it’s also offering a lot of coverage if you’re up

Against some kind of like blacklist or something like that it has a sql map has tamper scripts that you can use which basically encode all of your attacks so that you can try to evade blacklist there’s a really good guide on there it’s somewhere on the bug crowd forum on

Dbms specific syntax for sql map tamper strings so if you’re going up against ms sql or mysql or something like that there’s a simple string you can pass into sql map and start buzzing those parameters and get past blacklists and then a really fast way to instrument um

Sql map is sqli pi which is a verb extension basically allows you to right click in any window at birth and send that request to sql maps api running on your local box so like you can just be inside a verb right click and start buzzing the parameter

So some common parameters and injection points like any id value currency values item number values uh sorting parameters i’m not going to go through all these they’re all on the slide like and eventually this is all going to be on github anyway so you guys can just

Grab it and use it in your methodologies if you think it’s useful but um these are the kind of places where we saw where i saw the most injection and where i you know my research person and other places showed me this is sqli pi so right click on a request

Send it to sql pi scan and now that renders uh scanner results in the target tab but it doesn’t look like this anymore but you get the idea so this is my cheat sheet of sql injection resources when i do sql injection broken down by my skill type and these

Are cheat sheets that let you know uh manual syntax um based on mysql a lot of these people are like pentest monkeys list they’re old they’re still the best like you you have to use these and you have to have them handy when you’re doing injections so
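The talk's observation above is that blind SQL injection is now found mostly through timing: a delay primitive in a parameter makes the page take seconds to load. The defender's counterpart is to look for exactly that pairing in access logs. The following is an added example, not from the talk or from any tool it names; the log format (client, request line, status, response time in seconds) and every log line are constructed for the example, and the three verdicts (`probe`, `syntax`, `slow`) are this example's own labels.

```python
"""Added example (not from the talk): flag time-based blind SQL injection
probing in web server access logs by pairing a database delay primitive in a
parameter with an abnormally slow response.  Log format and lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: client, request line, status, response time in seconds.
SAMPLE_LOG = """\
203.0.113.5 "GET /item?id=42 HTTP/1.1" 200 0.031
203.0.113.5 "GET /item?id=42%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5.204
203.0.113.5 "GET /item?id=42%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 4.871
198.51.100.9 "GET /report?sort=price HTTP/1.1" 200 3.950
198.51.100.9 "GET /search?q=waitfor%20delay HTTP/1.1" 200 0.020
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')

# Delay primitives used for time-based inference (MySQL, PostgreSQL, MS SQL).
# parse_qsl has already URL-decoded the value by the time this runs.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.IGNORECASE)

SLOW_SECONDS = 3.0  # assumed threshold for "this page took suspiciously long"


def parse_line(line):
    """Split one constructed log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status, rtime = m.groups()
    parts = urlsplit(target)
    return {"client": client, "method": method, "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(status), "time": float(rtime)}


def classify(entry):
    """'probe'  : delay primitive in a parameter AND slow response (strong signal)
       'syntax' : delay primitive present but the page answered fast (likely benign text)
       'slow'   : slow response with no injection syntax (performance, or a blind probe
                  this signature does not know about)
       None     : nothing of interest"""
    has_delay = any(DELAY_RE.search(value) for _, value in entry["params"])
    slow = entry["time"] >= SLOW_SECONDS
    if has_delay and slow:
        return "probe"
    if has_delay:
        return "syntax"
    if slow:
        return "slow"
    return None


def scan_log(text):
    """Return (client, path, verdict, seconds) for every line that gets a verdict."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((entry["client"], entry["path"], verdict, entry["time"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The two-signal design matters: the `/search?q=waitfor delay` line shows that syntax alone is a weak indicator (someone searched for a phrase), and the slow `/report` line shows that latency alone is not enough either; the two `/item` lines, where both signals coincide on the same client and parameter, are the ones worth an analyst's time.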

There are some real edge-case ones at the bottom, like Access (God, who uses Access? That sucks), Ingres, DB2, Informix, SQLite 3, and ActiveRecord for Ruby on Rails. So I keep those handy in my Evernote when I'm doing SQL injection testing, and when I see errors or long load times or something like that, I start getting into that mode.

So file uploads and file inclusion is the next area. Local file inclusion: the core idea is, does it or can it interact with the server file system? Liffy is my favorite tool for doing this; obviously you can do it manually. So I have all of my LFI scripting stuff up on SecLists under Fuzzing and LFI, so you can see here I've tried a bunch of blacklist bypasses or encoding to try to get common system files. This is on the SecLists project. Common parameters or injection points for this type of stuff: you would think of these, but it's good to have them in the list, so file, location, locale, path, display, load, or retrieve. These are the most common parameters that you'll find these in.

Malicious file uploads: this is an important and common attack vector when doing this type of testing, not just to upload a SWF file and get XSS off of it, but you can also do pretty cool attacks. So one of the ones I like a lot is basically a DoS: an image that specifies itself to be super large but isn't, so you can upload it and the server will allocate all of this space for it on disk, but it's actually not that big of a file, and you can DoS the application server using images crafted like that. There was a whole blog on it. And then one of the things I think is interesting, I'm not going to go into it too much but there's a slide about it, is bypassing security zones and storing malware on client servers. So, as well as polyglot web payloads, there are also polyglot files which can execute code in different contexts. If you think of a parser reading a file, it basically will look until it finds what it wants and then execute that, so you can create a JAR that is actually an executable. So if I make an executable that is malware but I upload it to your server because you allow me to upload a JAR, well, is that a vuln? I don't know. You are technically storing malware on your server for me, right, and I can send the blackhats to go retrieve it. But can you do anything about that? Are you going to implement a parser to look through the binary data and cut stuff out? I don't think so; that's kind of hard to do. So, interesting question there; it's kind of another road. Dan Crowley did a presentation on it here at DEF CON and it was fun; you should check that out.

Technical errors... that came at the perfect time, actually. [Applause]
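The oversized-image denial of service described above works because the server trusts the dimensions an image declares about itself and allocates for them before the decoder finds out how little data there really is. The defensive check is to read the declared dimensions from the header and compare them with a pixel budget before any decoder is invoked. The following is an added example, not code from the talk or from any library; the PNG header parser, the `MAX_PIXELS` budget and the two constructed headers (a 2x2 image and a 33-byte file claiming 30000x30000) are this example's own.

```python
"""Added example (not from the talk): reject uploaded PNGs whose *declared*
dimensions exceed a pixel budget before any image library allocates for them.
The budget, the parser and the sample headers are constructed for this example."""
import struct
import zlib

MAX_PIXELS = 50_000_000          # roughly 200 MB of RGBA; tune to what the host can afford
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Return (width, height) from the IHDR chunk, validating the signature,
    the chunk type/length and the IHDR CRC.  Raises ValueError on anything malformed."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    if width == 0 or height == 0 or width > 2**31 - 1 or height > 2**31 - 1:
        raise ValueError("PNG dimensions out of range")
    return width, height


def check_upload(data, max_pixels=MAX_PIXELS):
    """Return (accepted, reason).  The declared pixel count is compared with the
    budget using only the 33 header bytes, so nothing has been allocated yet."""
    try:
        w, h = png_dimensions(data)
    except ValueError as e:
        return False, str(e)
    if w * h > max_pixels:
        return False, f"declared {w}x{h} = {w * h} pixels exceeds budget"
    return True, f"{w}x{h}"


def make_png_header(width, height):
    """Constructed test data: signature + IHDR (8-bit RGBA).  A real file would
    continue with IDAT and IEND chunks; the size check never needs them."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


SMALL = make_png_header(2, 2)            # a tiny, legitimate image header
BOMB = make_png_header(30000, 30000)     # 33 bytes that claim 900 million pixels

if __name__ == "__main__":
    print(check_upload(SMALL))
    print(check_upload(BOMB))
```

The same idea applies to other formats (JPEG SOF markers, GIF logical screen descriptor): parse the dimensions yourself, decide on a budget, and only then hand the bytes to a decoder. Checking the file's byte length is not a substitute, since the whole point of the attack is that the file is small.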

Oh wow, okay, that's what we're doing? Yeah, we're doing shots, okay. So, he's a first-time speaker, and actually a little story about what can happen here, right? I guess he mentioned that, like, DEF CON 16, he met someone. I met Julia, my wife, here. Yeah, so, you know. [Applause]

All right, cheers. Are these guys doing all right? Should I take them off the stage or do you want to keep... let's do it, I can keep listening. All right, I guess you can stay. Okay, can you give me a second till my throat starts burning?

Sweet. Okay, so file upload attacks. I've never seen any better presentation to guide you along the road of file upload attacks than this guy's presentation (I butcher everyone's name; I love all these guys, just like me), about file upload vulnerabilities, and this includes doing new and novel attacks as well as old attacks to get files past blacklists, or bypassing extension filtering or something like that. So I'm trying to give you guys resources as well, like the ones I would use. I mean, a lot of this actually got parsed into the new OWASP testing guide, most of it at least, so I would check that out too. That's an intro to malicious file uploads and getting shells, like web shells.

Oh, this is what I talked about: Dan Crowley and... I don't know that guy's real name, but yeah, these are the types of binary files that can execute in different ways. So you can see they have a PDF that's a ZIP that's an MBR, or so. Interesting research coming out here; I would like to see interesting bugs.

So, remote file includes and redirects. Common parameters there: destination, continue, redirect, url, uri, window, next. Common blacklist bypasses: these are all kinds of escaping tricks that you use normally in web stuff, but these are the most common ones I found. These are also in SecLists, in the LFI and a hard-to-find fuzz list that I use often. So for RFI these are the common parameters: file, folder, path, style, templates, yes yes yes. So these are where I saw the most bugs, or other researchers published data around their RFIs. So these are the kinds of parameters you can work with, and I think eventually the thing you do here is you write a Burp extension (I haven't yet) that just automates this: any time you see these it sends it to a logger or something like that so you can go test them later. I haven't done it because I just do it with eyeballs, but it's probably the better way to do it, to write an extension to do this work.

Okay, so cross-site request forgery. How much time do I have? 10 minutes? Okay, I think I can do it. Okay, so CSRF. Everybody knows about CSRF, right? How do you execute CSRF? You find some function in the website that does something, and it's a security-related function, password or whatever, right? Like the list of the functions, and then you right-click in Burp and create proofs of concept; that's like papers nowadays. So what you really have to focus on in bug bounties is CSRF bypasses: customers who have CSRF protections but haven't implemented them well enough. So common CSRF bypasses in my research yielded: removing the token from the request, removing the parameter value from the request, adding control characters to the parameter value, using a second identical CSRF parameter, or changing the request method.

So check this out. This tool has gotten no love; I don't know why. I think it's been out for two years already. It's called Burpy. Have any of you used this tool before? Oh good, I get to give you something to take away. So what Burpy does: you enable logging in Burp and you crawl a site completely that has cross-site request forgery protection, right, like a CSRF token, and then you create this template and tell it what the token was, what a good result is for getting a page, and what an error page looks like. This template is actually really easy to edit; this is the sample one. This has been out for, I think, two years already; I don't understand why people don't use this. Super sweet, right? So then you write this template (it's a Python script), and then you run this command line to point Burpy at your Burp log file, and it re-requests all of those across the whole domain, every request that you've ever made in Burp, re-requested with those first three attacks from CSRF bypass, and then it produces an HTML report telling you which ones gave different error messages, which ones came out the same, and prioritizes this for you. So he made a lot of money doing this to Facebook and Twitter, but because it wasn't a direct Burp extension it didn't get a lot of notice; I randomly kind of dug it up. So this is a part of the HTML output: here's the base request, here's the first crafted request, and then the response, and then you get a report back.

Another way to do it is just to check, for every request across the whole Burp log file, which ones didn't have the token in it, the actual parameter. So this is another script that does that; it's another Python script.

So privilege, auth and logic kind of gets talked about a lot, but my testing thing is just: if you have an administrative user, you need a couple of accounts to do this, and then you have a low, crippled user, and then the low user just tries to directly call functions. Pretty simple, right? But to automate that across multiple functions you might need some tooling. This is what I use for that; it's called Autorize. This one is available on the BApp Store, and basically you spider the site completely, you work through all of your POST requests as an admin user, and then you go through as a low-privilege user, and you give that information to Autorize, run the tool, and it tells you which ones the lower user is able to access that the admin user is also able to access, and you can go through those.

So common functions or views that I checked for privilege escalation, or anything like that, need to be actually combined with the last three sections: how the users can view their started projects, change account info, view customer analytics (so there's a page that tells everything about whatever that site does and what's right of that), view payment processing, view like routing, or any view with an API on it. This is what that looks like: Autorize browsing using a high-privilege login with the A, and... I spammed everybody of the IC group of that company and finally someone accepted it, and I told them I'm not exploiting you, I just want to tell you this exists, because I was on a train already, and headphones, and I have so... Increment/decrement negative values, tamper with form-sensitive functions, substituting user IDs, things like the user. These are common functions to look at, files that deal with either... so everything from the CSRF table, anything that says UID, password or user hashes, emails, images like that are supposed to be private. So you can go through the slides and all of this is going to be up if you have questions or whatever. So this is a simple IDOR; I don't know why I put a simple Hydra right here.
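The five CSRF bypasses listed above (token removed, value emptied, control characters added, a duplicate token parameter, and a switched request method) are each a symptom of a validator that only half-implements the check. The following is an added example, not from the talk or from Burpy; it puts a deliberately weak validator beside a hardened one so the difference on each bypass is visible, and adds a scan over logged requests for state-changing calls that carry no token at all, in the spirit of the log-scan script the talk mentions. The parameter name `csrf_token`, the request bodies and the logged requests are all constructed for the example.

```python
"""Added example (not from the talk): a weak CSRF check beside a hardened one,
tested against the five bypass variants the talk lists, plus a scan of logged
requests for state-changing calls missing the token.  All data is constructed."""
import hmac
import secrets
from urllib.parse import parse_qs

TOKEN_PARAM = "csrf_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def weak_check(session_token, method, body):
    """Weak implementation for contrast: skips GET, treats a missing or blank
    token as 'not provided', lets a later duplicate override an earlier one."""
    if method == "GET":
        return True                           # bypass: change the request method
    params = parse_qs(body, keep_blank_values=True)
    tokens = params.get(TOKEN_PARAM)
    if not tokens:
        return True                           # bypass: remove the token entirely
    token = tokens[-1].strip()                # bypass: a second copy overrides the first
    if not token:
        return True                           # bypass: empty value / control characters
    return token == session_token


def strict_check(session_token, method, body, allowed_methods=frozenset({"POST"})):
    """Hardened check: the handler's method is fixed, exactly one token must be
    present, it must be well-formed, and it is compared in constant time."""
    if method not in allowed_methods:
        return False                          # a state change must not honour a switched method
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(TOKEN_PARAM, [])
    if len(values) != 1:
        return False                          # missing, or duplicated (ambiguous: reject)
    supplied = values[0]
    if not supplied.isalnum():                # empty, or padded with control/whitespace bytes
        return False
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def missing_token_requests(log):
    """Return (method, path) for every logged state-changing request whose body
    has no token parameter at all: the first thing to review by hand."""
    return [(method, path) for method, path, body in log
            if method not in SAFE_METHODS
            and TOKEN_PARAM not in parse_qs(body, keep_blank_values=True)]


SESSION_TOKEN = secrets.token_hex(16)   # the per-session secret the form would carry

# The five bypass variants from the talk, as (method, body) request pairs (constructed).
BYPASS_ATTEMPTS = {
    "removed":   ("POST", "email=a%40example.com"),
    "empty":     ("POST", f"email=a%40example.com&{TOKEN_PARAM}="),
    "control":   ("POST", f"email=a%40example.com&{TOKEN_PARAM}=%0d%0a"),
    "duplicate": ("POST", f"{TOKEN_PARAM}=stale&{TOKEN_PARAM}="),
    "method":    ("GET",  "email=a%40example.com"),
}

# Constructed log of requests as a proxy would have recorded them: (method, path, body).
LOGGED_REQUESTS = [
    ("GET",    "/account",          ""),
    ("POST",   "/account/email",    f"email=a%40example.com&{TOKEN_PARAM}={SESSION_TOKEN}"),
    ("POST",   "/account/password", "old=x&new=y"),
    ("POST",   "/api/avatar",       f"{TOKEN_PARAM}=&file=a.png"),
    ("DELETE", "/api/keys/7",       ""),
]


def run_bypass_matrix(session_token=SESSION_TOKEN):
    """Map each bypass name to (weak_result, strict_result)."""
    return {name: (weak_check(session_token, m, b), strict_check(session_token, m, b))
            for name, (m, b) in BYPASS_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (weak, strict) in run_bypass_matrix().items():
        print(f"{name:10s} weak accepts: {weak!s:5s} strict accepts: {strict}")
    print("no token at all:", missing_token_requests(LOGGED_REQUESTS))
```

Two design points carry most of the weight: the strict check fails closed whenever the request is not exactly what the form would have sent (one token, one method), rather than trying to normalise odd input; and the log scan is deliberately coarse, since `/api/avatar` with a blank token is not flagged by it but is rejected by `strict_check`, which is why the two are used together.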

You need to enable HTTPS Everywhere. There's an awesome script that will basically take your log file again, re-request every request in your site tree over HTTP and put it in HTTPS.

Logic flaws are usually pretty manual. The one I see a lot is substituting hashed parameters, where there's like prices or something like that and they hash it; it's irreversible. Or they put something to it: step manipulation. This is like the bread-and-butter example of what you get for logic flaws: steps like order, or put things in the cart, order, check out, pay, ship. Skip everything you like, put everything in your cart, my account.

Application-level DoS: this one's kind of interesting, right? It's not an actual DoS, right, I'm not advocating DoSing in bug bounty or anything like that, but I've seen sites that just can't handle parsing a parameter with like 40,000 or something, or me putting in a math function as the parameter value, and the server is like, I don't know what to do, let me try to process this somehow. So those are interesting, and the timing is...

Mobile, really running in. So data storage is really important: check these files for data storage as well as logging. This is the best tool to quickly get spun up on iOS; it's called idb, it's by Daniel Mayer. Basically, jailbreak your phone and install this tool. It gives you a full list of the URL handlers, of all of the files, all of the encryption values, whether it's using SSL for communication, et cetera, et cetera, et cetera. It's the most functional tool. I think it's partly based off a talk I gave a long time ago, and he made it in Ruby and it's super sick. This is the best way to get into iOS hacking. We've got to go.

There are others, there are other bugs; I repeat them again, right? They don't describe them, like content spoofing, lack of security headers, path disclosure. Keep them in your pocket for later to escalate with.

This is one idea of, like, if I have 15 or 30 minutes or something like that, what can I do? So I try to time myself with a methodology using the stuff in here. So in 15 to 30 minutes I can do most of this using Burp and the automation, maybe an hour, depending on how motivated I am, right? So these are the steps I go through: I register, I hit the password reset, I go to all the forms that do security functions, I check the cookie, I do, like, all right, and perform enumeration on any UIDs I see in the URL, I directory brute-force using one of the short lists in the background, I upload files and test uploads, and within 30 minutes or an hour I can usually find some pretty good thing to take with you.

Crowdsourcing is different; it's the same but different. You find like 20 percent of the edge-case stuff instead of 80 percent, and it's a lot of stuff. Real quick: data analysis is cool. You probably do a 15 to 30 minute web test and done, right? You can get something from home. SecLists, polyglots are cool, and follow all of the bug bounty people on this list; I put them all into a Twitter list for you and you can watch them. Also, there's a lot of stuff that didn't get put in here. There was a lot of data but I didn't get to parse it, so 50 percent of the data is still unparsed, so I'm going to put it up on GitHub as a GitBook, I think, or maybe Markdown, and you guys can contribute to it if you care enough, or if you just want to take it and use it on time. Stuff to go in there: more tooling than I found, XXE (that's actually meant to say SSRF), a whole bunch of cool SSRF techniques, captcha bypass, more detail on logic flaws, and to add Android mobile tools that I use often. 13 minutes, is that okay? Are you good? All right.

Attribution and thanks: these are bug hunters who did research that is in this presentation, these are bloggers who did things in this presentation. All of them are super awesome; I respect every single one of them, or who made tools, and also my team at Bugcrowd: John, Koch, Ben, Ben, Grant, Potty, Patrick, Katie, Kim, Abby, Casey, Chris and Sam, and everybody in the community. I love you guys, I love doing this for a day job. No questions, I see.

Well then, that's it for this advertisement episode, and see you in the next one. Make sure to join Lasergurkenland. Oh, I just realized I did not set up my OBS overlay yet; I built this thing. Yeah, maybe I should do that for the next episode. Yeah, let's see.

Okay, so make sure to join Lasergurkenland; let me manually write it out since I don't have it overlaid. It's also in the description, and if there's a change of the IP address, or if the server is down, make sure to check out the current website, which is zillyhuhn.com (Lasergurkenland), and if that is also down, make sure to search the interwebs for Lasergurkenland; maybe the address changed and you will find something more up to date, maybe in a newer video uploaded on this channel. Yes, well, you most likely will find an updated URL, or it's just a temporary downtime because, I don't know, the data center exploded and I haven't yet recovered. Yes, so that's about it. Make sure to join the server and see you in game, or if you're still not convinced yet, see you in the next advertisement episode. Bye.

This video, titled ‘Minecraft Anarchy How to Shot Web: Web and mobile hacking in 2015’, was uploaded by ZillyGurke on 2020-07-14 17:26:41. It has garnered 13 views and 1 likes. The duration of the video is 00:52:30 or 3150 seconds.

Lasergurkenland anarchy server ip: 88.214.56.94 domain: zillyhuhn.com

Small pure vanilla minecraft server. No plugins. No admins. No rules. Chilled anarchy server with stable tps and no queue. No world resets and stable uptime. The server will stay online for at least a few years.

Defcon talks watched in this video: How to Shot Web: Web and mobile hacking in 2015 https://www.youtube.com/watch?v=-FAjxUOKbdI


  • Minecraft Memes – Minecraft Memes Nowhere Safe

    Minecraft Memes - Minecraft Memes Nowhere SafeLooks like we’ll have to start a new social media platform just for Minecraft memes! Maybe we’ll call it MineBook or CreeperGram. Read More

  • Mine, Craft, Activate: Bedrock Edition PC + Xbox Live!

    Mine, Craft, Activate: Bedrock Edition PC + Xbox Live! In the world of Minecraft, we take flight, Bedrock Edition on PC, shining bright. Activate Xbox Live, with all your might, Let the gaming adventures ignite. Download the trial, start the quest, Solve errors, be the best. Unlock the game, pass the test, Activate Xbox Live, join the rest. Testing Minecraft, see it unfold, End of the journey, stories told. For more gaming content, be bold, Subscribe, share, let the tales be retold. Read More

  • POV: The Laggy Dog I Saved in Minecraft (HILARIOUS)

    POV: The Laggy Dog I Saved in Minecraft (HILARIOUS) POV: Me trying to save the laggy dog in Minecraft but ending up accidentally punching it instead #fail #minecraftstruggles Read More

  • Discover the Thrills of Minewind Minecraft Server

    Discover the Thrills of Minewind Minecraft Server Welcome to Newsminecraft.com, where we bring you the latest and most exciting news from the world of Minecraft. Today, we want to talk to you about something truly terrifying: Siren Head. This skeletal creature has been causing quite a stir in the Minecraft community, with its chilling sounds and ominous presence in the woods. Legends say that Siren Head lures unsuspecting players with familiar noises before launching a terrifying attack. Its spiny body broadcasts a mix of distorted sounds, mimicking voices, music, and even the screams of lost victims. But fear not, brave adventurers, for there is a place… Read More

  • Beating Minecraft in One Stream?!

    Beating Minecraft in One Stream?! Conquering Minecraft in One Stream: A Legendary Feat Embark on a thrilling journey through the pixelated world of Minecraft as our fearless adventurer sets out to conquer the game in a single stream. Armed with determination and a touch of humor, this player dives headfirst into the challenge of defeating the Ender Dragon on the very same day. A Streamer’s Epic Quest Streaming live for all to witness, our intrepid hero takes on the ultimate goal of slaying the formidable Ender Dragon. With meticulous planning and quick reflexes, every move is calculated to ensure success. The excitement is palpable… Read More

  • Zombie Craft: Insane Basement Battle in Minecraft

    Zombie Craft: Insane Basement Battle in MinecraftVideo Information This video, titled ‘THE BATTLE OF BASEMENTS in MINECRAFT’, was uploaded by Zombie Craft on 2024-04-28 09:00:00. It has garnered 8221 views and 73 likes. The duration of the video is 00:27:56 or 1676 seconds. THE BATTLE OF BASEMENTS in MINECRAFT Read More

  • TacoCat’s Epic Adventure: Minecraft Hardcore #92

    TacoCat's Epic Adventure: Minecraft Hardcore #92Video Information This video, titled ‘FAR FROM HOME: MINECRAFT HARDCORE #92’, was uploaded by T a c o c a t on 2024-04-03 19:24:30. It has garnered 47 views and 7 likes. The duration of the video is 02:15:17 or 8117 seconds. Sub Plz 🙂 #minecraft #minecraftshorts #minecraftmemes #minecraftlive #minecraftsurvival #minecrafthardmode #minecraftbuilding #videogames #peesheep #lofimusic #lofihiphop #synthwave #lego #legofortnite #fortnite #betaminecraft #pokemon #shinypokemon #shinyhunting #pokemonswordshield Check out the entire lore at the Pee Sheep Wiki! – https://pee-sheep.fandom.com/wiki/Pee_Sheep_Wiki Read More

  • Insane Minecraft SMP Drama on Day 38!

    Insane Minecraft SMP Drama on Day 38!Video Information This video, titled ‘UNFILTERED SMP DAY 38 | JAVA + BEDROCK + MCPE | #shorts #publicsmp #manishunfiltered #minecraft’, was uploaded by Manish Unfiltered on 2024-05-17 14:14:58. It has garnered 399 views and likes. The duration of the video is 04:03:45 or 14625 seconds. UNFILTERED SMP DAY 38 | JAVA + BEDROCK + MCPE | #shorts #publicsmp #manishunfiltered #minecraft 😎JAVA : PUBLICSMPS01.aternos.me:50937 😎BEDROCK/PE – PUBLICSMPS01.aternos.me 😎Port: 50937 #publicsmpserverminecraftbedrockedition1 #publicsmplive #publicsmpminecraft #publicsmpserverminecraftpe #publicsmpserverminecraftbedrockeditio #publicsmpserver IN THIS LIVESTREAM I AM PLAYING MINECRAFT GAME WITH MY FRIENDS 🙂 WE ARE ENJOYING THIS GAME A LOT THATS WHY I THOUGHT I SHOULD STREAM… Read More

  • Ultimate Survival House Build in Minecraft #41

    Ultimate Survival House Build in Minecraft #41Video Information This video, titled ‘Minecraft : Buildings. Building a house for survival #41’, was uploaded by Builder on 2023-12-28 16:52:10. It has garnered 65 views and 6 likes. The duration of the video is 00:38:16 or 2296 seconds. Dear viewers and subscribers of my channel, a moment of attention! Preface: Among you – subscribers, there is a subscriber who planted the idea under the past video to build a monument to Lincoln… BUT, in this video I decided not to build this monument, because I do not want my channel to shine such a famous person like Lincoln, I… Read More

  • Haunted Minecraft House Tour! Watch the Mine Exploration

    Haunted Minecraft House Tour! Watch the Mine ExplorationVideo Information This video, titled ‘Minecraft Colorless #002 : the house has windows and the mine started’, was uploaded by Miss Halloween on 2024-01-13 21:20:56. It has garnered 171 views and 5 likes. The duration of the video is 00:26:25 or 1585 seconds. in this series there are ALMOST no colors, today we’ll start mining hehe 😀 Texture Pack: https://www.curseforge.com/minecraft/… Mods: https://essential.gg/ https://www.curseforge.com/minecraft/… https://www.curseforge.com/minecraft/… https://www.curseforge.com/minecraft/… Read More

  • B.H.L.Gaming’s CRAZY Minecraft Shorts!

    B.H.L.Gaming's CRAZY Minecraft Shorts!Video Information This video, titled ‘minecraft #shorts’, was uploaded by B.H.L.Gaming on 2024-03-09 06:13:50. It has garnered 565 views and 29 likes. The duration of the video is 00:00:43 or 43 seconds. minecraft #shorts Game  Name – @minecraft  (Bedrock Edition) Hashtags:- #short #shorts #minecraft #gaming #minecraftshorts #minecrafttrendingshorts #montero #lilnasx #shortsfeed #kingfox #story #story shorts #trendingshorts #trend #ytshorts #youtubeshorts #game #tiktokshorts #minecraftstory #gamingminecraft #minecraft Tags Herobrine😈Vs Null Vs All😏Mob Who is😱The Powerful in Minecraft villager Herobrine Vs Null Herobrine Vs Notch Herobrine Vs All Mob Herobrine Vs Steve Steve Vs Null Steve Vs All mob Steve Vs Notch Notch Vs All… Read More

  • Saving Village in Minecraft?! Watch & Learn with Mr India Gamerz!

    Saving Village in Minecraft?! Watch & Learn with Mr India Gamerz!Video Information This video, titled ‘I Save My Village 🔥@minecraft’, was uploaded by Mr India Gamerz Shorts on 2024-02-27 11:12:45. It has garnered 480 views and 21 likes. The duration of the video is 00:00:41 or 41 seconds. Hello guys it’s Minecraft player aahil and free fire player come and play with me @technogamerzofficial @ujjwal @ajjubhai @totalgaming @smartypie @gamerfleet @anshubhisht @anshuvlogs @notgamerfleet @mrindiagamerzshorts @youtube @skibiditoilet @yasrtv @bardach @hakaitv @desigamers @desivlogs @freefireofficial @illegalmoon . . . . Fans 💫 please support me we are team if you join Mig army you started the game I talk for last subscribe 😄 please… Read More

  • 24 Hour Roblox & Minecraft Stream w/ Subs until We DROP! 🚀

    24 Hour Roblox & Minecraft Stream w/ Subs until We DROP! 🚀Video Information This video, titled ‘🔴Streaming Until I pass out! Yaezer’s Live Roblox & Minecraft with Subscribers!’, was uploaded by Yaezer on 2024-05-03 20:30:31. It has garnered 1074 views and 43 likes. The duration of the video is 01:56:29 or 6989 seconds. Welcome to the ultimate late-night gaming extravaganza! Join Yaezer in an epic livestream adventure as he dives into the virtual worlds of Roblox and Minecraft, accompanied by none other than his awesome subscribers! Get ready for a night filled with laughter, thrills, and endless fun as we explore, build, and conquer together. But wait, there’s more! This isn’t… Read More

ZillyGurke – Minecraft Anarchy How to Shot Web: Web and mobile hacking in 2015