BUG BOUNTY AUTOMATION. Sergey

Size: px

Start display at page:

Download "BUG BOUNTY AUTOMATION. Sergey"

Lily Gibson
5 years ago
Views:

1 BUG BOUNTY AUTOMATION Sergey

2 Why? Bug Bounty programs with sites in scope: HackerOne 150+ Bugcrowd 100+ Other 100+ In each from 1 to several thousand sites My database contains sites

3 Why?

4 Automation Program Policy Magic Vulnerabilities

5 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

6 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

7 Subdomains Dumper Bug Bounty Program Policy Parsing There may be different conditions: Full prohibition of automatic scanning Adding a custom header Proxy access

8 Subdomains Dumper Daily for *.example.com crt.sh/?q=%.example.com DNS bruteforce Shodan API Virustotal API SubjectAltName in certificates Links in HTTP responses

9 Subdomains Dumper

10 Export updates to Bitbucket, Telegram Subdomains Dumper

11 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

12 Initial Checks Collect information for new sites Screenshot Nmap Dig HTTP/HTTPS response Directory Bruteforce

13 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

14 Check for changes Recheck site in case of change CNAME HTTP status code Site of the HTTP response by 20-30% HTTP / HTTPS availability As a result, ~200 sites out of 36k are rechecked every day.

15 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

16 Modules Basic principles The most simple vulnerabilities It's pointless to compete with other scanners in classic vulnerabilities /* XSS via GET parameter */

17 Module example #1 CRLF Injection HTTP/ Moved Permanently Server: awselb/2.0 Location:

18 Module example #1 CRLF Injection Regexp /%0DXTest%3Acrlftest /%0AXTest%3Acrlftest /?%0DXTest%3Acrlftest=test /%3F%0AXTest%3Acrlftest=test /%0AXTest%3Acrlftest/.. [\r\n]xtest

19 Module example #1 Nginx misconfiguration $uri, $document_uri normalized variables /foo%20bar/baz/%2e%2e/ => /foo bar/ return => CRLF Injection

20 Module example #1 Nginx misconfiguration location ~ /v1/((?<action>[^.]*)\.json)?$ { add_header X-Action $action; => CRLF Injection GET /v1/%0d%0axtest:test.json HTTP/1.0

21 Module example #1 CRLF Injection Regexp /%0DXTest%3Acrlftest /%0AXTest%3Acrlftest /?%0DXTest%3Acrlftest=test /%3F%0DXTest%3Acrlftest=test (works more often than others on Apache) /%0AXTest%3Acrlftest/.. [\r\n]xtest

22 Module example #1 Result: Apache httpd mod_alias < CRLF Injection (CVE-???) RedirectMatch "/xxx/(.*)" "/yyy/$1" /xxx/x%0dx?x%0dx /xxx/x%3f%0dxtest:test /xxx/x%23%0dxtest:test => /yyy/x%0dx?x%0dx => CRLF Injection => CRLF Injection

23 Module example #1 Bonus: Apache httpd mod_userdir CRLF Injection (CVE ) UserDir " /~user/file /~user/%0d%0axtest:test => => CRLF Injection

24 Module example #2 Open Redirect Redirect from /folder to /folder/ HTTP/ Found Server: nginx... Location: /$user_input$/ //example.com/ Protocol-relative URL

25 Module example #2 Open Redirect Regexp //redirect //redirect/%2f.. ///redirect /%5Credirect //redirect/..;/css Location:\s*(?: [\\\\\/\x09]{2,} https?:\/\/)redirect

26 Module example #2 Open Redirect //redirect //redirect/%2f.. (works more often than others on Node.js) ///redirect /%5Credirect //redirect/..;/css (works more often than others on Tomcat)

Module example #2 Result: Node.js serve-static < 1.7.

27 Module example #2 Result: Node.js serve-static < Open Redirect (CVE ) GET //google.com/%2f.. HTTP/1.1 Location: //google.com/%2f../

28 Module example #2 Result: Apache Tomcat < Open Redirect (CVE ) By Default: mappercontextrootredirectenabled=true mapperdirectoryredirectenabled=false false = Open Redirect

29 Module example #2 Apache Tomcat < Open Redirect (CVE ) //example.com/..;/%existing_folder% //example.com/..;/docs/config //example.com/..;/examples/jsp Location: //example.com/..;/docs/config/

30 Module example #2 Apache Tomcat < Open Redirect (CVE ) userelativeredirects=false //example.com/..;/css Location:

31 Module example #3 Nginx alias path traversal (off-by-slash) root /var/www/public/; location /img { alias /var/www/images/; } /var/www/images/../.env

32 Module example #3 Nginx alias path traversal (off-by-slash) checks GET /static GET /static. GET /static.. => 30X redirect /static/ => 30X redirect /static./ => 30X redirect /static../ GET /static... =>

33 Nginx alias path traversal (off-by-slash) Module example #3

34 Automation whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

35 Passive checks Passive checks Checks that do not require sending additional requests to the attacked server Search in HTTP responses: Stacktrace, full path disclosure Debug mode Subdomain takeover fingerprint

36 Vulnerability example

37 Vulnerability example Dig returned a different result and the site was queued for rechecking

38 Vulnerability example toolbox.tesla.com CNAME toolbox.tb.tesla.services. toolbox.tb.tesla.services. A amazon s3 ip toolbox.tb.tesla.services toolbox.tesla.com -> 403 amazon s3 bucket -> 404 NoSuchBucket

39 Vulnerability example $1337

40 Unexpected vulnerabilities whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

41 Unexpected vulnerabilities #1 All responses are passed through the passive checks module => 200 OK => 200 OK "Nginx alias path traversal" module checks: => 404 NoSuchBucket => 404 NoSuchBucket WTF?

42 Unexpected vulnerabilities #1 Invalid request proxying rule <Code>NoSuchBucket</Code> <Message>The specified bucket does not exist</message> <BucketName>some-bucket-static-foo-bar</BucketName>

43 Unexpected vulnerabilities #2 All responses are passed through the passive checks module => 200 OK => 200 OK "Node.js server side js disclosure" module checks => 422 Exception => 422 Exception WTF?

44 Unexpected vulnerabilities #2

45 Unexpected vulnerabilities #2 I already saw this Exception CTRL+C CTRL+V

46 Unexpected vulnerabilities #2 Timeline: Vulnerability found and sent to Yandex xx Vulnerability fixed «We are unable to reproduce vulnerability»

47 Unexpected vulnerabilities #2 whitelist.example.com Tasks Queue Initial Checks Controversial Situations Search and Analysis Program Policy Domains List Module #1 Module #2 Passive Checks Database Vulnerabilities *.example.com Subdomains Dumper Module #N Notifications Check for changes

48 Manual Bug Hunting Why manual bug hunting is better? One vulnerability == same amount of money as for 6 months of automated vulnerability scanning \_( ツ )_/

49 THANKS FOR

Web Application & Cloud Computing What are the new threats?

Web Application & Cloud Computing What are the new threats? David Calligaris OWASP Italy Day Cagliari, 19th October 2018 $: whoami Geek & Nerd Director Security Testing Automation Huawei Munich (DE) Former