BugBounty for a Newbie. Where to Start?

Man

Part 1

Salute to all, dear friends!

Information technologies are rapidly developing, a huge number of services and applications are appearing, including those in the critical infrastructure; the complexity of both their development and maintenance is growing. At the same time, various risks are increasing, in particular the risks of vulnerabilities appearing and being exploited by intruders.

Companies can test how realistically their products, services, or infrastructure could be hacked in several ways: pentesting, red teaming (Red Team exercises, which test a company's ability to detect and stop an intrusion), and bug bounty (a set of conditions under which white hat hackers receive a reward from organizations for vulnerabilities found in their IT networks, systems, and applications). Software holes can mean losses for companies and compromised personal data (and sometimes financial losses) for users.

In this and the next article we will look at bug bounty in detail and explain how to level up in bug hunting.

The first (this) article will be especially interesting for beginning bug hunters. But even those who have already earned money this way will find something new.

First, let's define the terms:

  • A bug hunter is a security researcher who legally searches for vulnerabilities in software. There are now plenty of educational materials, video tutorials, and practice labs available to anyone who wants to become a bug hunter. This article is a good addition to that list.
  • Bug hunting is an ethical (legal and responsible) search for vulnerabilities by bug hunters, for which the vendor may pay a cash reward, send a memorable gift, or mention the researcher in its hall of fame.
  • A vendor is a developer of products or services.
  • Bug bounty is a program in which bug hunters receive rewards from companies for vulnerabilities found in their IT networks, systems, and applications.
  • Scope is the permitted area of action: the boundaries set by the bug bounty program within which bug hunting is allowed. It may include IP addresses, CIDR ranges, domains, subdomains, and desktop and mobile applications.

Bug bounty platforms

Bug bounty programs are usually announced by owners and developers of websites, services, and software to encourage security researchers to report vulnerabilities, especially critical ones like RCE. They can do this on their own resources, promoting them on their own. But if a company wants to immediately attract a large number of independent security researchers, it places its programs on a bug bounty platform.

The bug bounty platform is an aggregator that brings together programs from a wide variety of companies on its platform and allows security researchers to choose their project. When posting on the platform, companies publish a list of resources for which they are willing to pay for a report on security flaws. And white hat hackers interested in solving interesting problems, public recognition, and receiving a reward ensure the objectivity and reliability of the research.

Among the most famous platforms are: Bugcrowd, HackerOne, Vulnerability Lab, BountyFactory and Synack. There are also platforms in the CIS: standoff365, bugbounty.ru (Russia), bugbounty.kz (Kazakhstan), bugbounty.by (Belarus), etc.

At the beginning of this year, many foreign bug bounty platforms, including the world's largest, HackerOne, refused to cooperate with Russian white hat hackers and excluded Russian companies from their list of clients.

In this article, we present payout figures for individual types of vulnerabilities using the HackerOne platform as an example, since it currently has the most extensive statistics. Incidentally, this ban can be circumvented, but that is a topic for a separate article.

Gradation of knowledge and experience

As everywhere, in the field of information security there is a conditional gradation of knowledge and experience:
  • A novice bug hunter gets acquainted with the theoretical and practical foundations of web applications, learns what information security is and what types of attacks and vulnerabilities there are. At the same time, he begins to participate in bug bounty programs to earn a rating (bug hunters with a high rating are invited to private programs with a limited number of participants), receive a monetary reward and invaluable experience.
  • An experienced bug hunter constantly strives to deepen his skills and experience, actively participates in public and private bug bounty programs, attends thematic conferences, and can be a team member in competitions for hacking systems with pre-installed vulnerabilities - Capture the Flag (CTF).
  • A bug hunter with many years of experience also participates in various bug bounty programs, searches for vulnerabilities and new techniques for exploiting them in the world's largest products, speaks at conferences and shares his experience.

Let me give a couple of striking achievements of bug hunters. There are cases where bug hunters with many years of experience, acting in the interests of, among others, global IT giants, found critical vulnerabilities or identified new attack methods using non-standard exploitation techniques, with whose help it was possible to take over company servers.

For example, bug hunter alexbirsan discovered a supply chain dependency confusion problem that led to the hacking of Apple, Microsoft, and dozens of other companies. He reported the results of his research to the companies. Each organization that was attacked gave him permission to test its security, either through a public reward program or privately.

Another notable example is bug hunter albinowax, who discovered the HTTP Request Smuggling technique. It allows sending an ambiguous request that is processed differently by the frontend and backend servers of an application, which can give a cybercriminal access to user data.

As for the monetary reward in bug bounty, there are also some striking examples:

  • The first person to earn $1 million on the American platform HackerOne was bug hunter Santiago Lopez.
  • Bug hunter inhibitor181 was the first to earn $2 million on the same platform.

Where does bug hunting begin?

To start looking for vulnerabilities for a reward, you need to have at least basic theoretical and practical knowledge. And in order for the rewards (both monetary and reputational) to become greater, it is necessary to constantly deepen and accumulate this knowledge and update the experience gained. Hard work, concentration, the desire to learn new things and improve yourself will bring benefits in the form of monetary reward and recognition in the bughunter community.

Technical topics that we recommend a future bug hunter study without fail:

  • OS: working with Linux/Windows, the Bash/PowerShell command line, the TCP/IP model, the HTTP/HTTPS protocol, ports and sockets;
  • Web: you must know its fundamentals;
  • auxiliary software: BurpSuite, Metasploit, Docker, netcat, sqlmap, nmap, ffuf, dirbuster.

Examples of the most common vulnerabilities

Based on reports analyzing vulnerabilities and threats in web applications, I will highlight the frequently encountered vulnerabilities and attacks on users that are fairly easy to exploit:

  • Code injection. One type of this class of vulnerabilities is SQL injection. An attacker can interfere with how the application builds its SQL query to the database. As a rule, this lets the attacker obtain information without authorization. The information obtained can be both system data (DBMS version, names and structure of tables and columns) and user data (names, phone numbers, email addresses, passwords, private messages). There are several types of SQL injection: in-band, inferential, and out-of-band.
  • Improper neutralization of input when generating web pages (cross-site scripting). One of the attacks on the user is Cross-Site Scripting (XSS). The result of the attack is the execution of malicious JavaScript code in the victim's browser. The attacker can steal the user's cookies, redirect to a phishing page, render arbitrary content on the current page, log the keys pressed by the user, and much more. There are several types of XSS: reflected, stored, and DOM-based.
  • Cross-Site Request Forgery (CSRF). An attack that allows an attacker to make various requests on behalf of the victim to a server in a vulnerable system, including critical actions. The result may be an unauthorized change of personal data (email, phone, password) as well as the execution of other actions, such as sending private messages, publishing posts, or transferring funds.

Useful tools

Using additional software can speed up and simplify a bug hunter's work. The first thing I would like to mention is BurpSuite from PortSwigger. It is one of the best tools in its class for vulnerability scanning, penetration testing and web application security. It comes in a free version, BurpSuite Community Edition, a paid version, BurpSuite Professional, and a corporate version, BurpSuite Enterprise Edition. The suite includes several tools; let's consider some of them:
  • Proxy is an intercepting web proxy that acts as an intermediary between the browser and the web application. With its help, a bug hunter can intercept, modify and check traffic going in both directions during their research.
  • Intruder is a tool that can be used by a researcher to conduct automated and customized attacks.
  • Repeater is a tool for manually processing and re-sending requests, as well as analyzing responses from the application.
  • Decoder is a tool for performing manual or intelligent encoding and decoding of application data.
  • Extender is a tool that allows a researcher to load his own and third-party Burp extensions.

[screenshot]

Another tool, called the Swiss Army knife of a white hat hacker, pen tester and bug hunter, is Metasploit from Rapid7. It is modular, extensible and initially contains a large number of modules of various directions: exploits, payloads, encoders, etc.

[screenshot]

To automate the detection and exploitation of SQL Injection vulnerabilities and the capture of database servers, you can use an open source tool — sqlmap. It contains a large number of functions. Here are the most important of them (the rest of the functionality can be found on the official website):

  • full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, Raima Database Manager, YugabyteDB and Virtuoso database management systems;
  • full support for six SQL Injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band;
  • automatic recognition of password hash formats and checking whether they can be cracked with a dictionary attack.

[screenshot]

For scanning large networks, exploring them and auditing their security, you can use the open source tool nmap. There is also a graphical front end for it, zenmap.

[screenshot]

For fast fuzzing of a web application (discovering directories, files and parameters), it is worth looking at the open source ffuf tool. Run it with an explicitly small number of threads so as not to put the target under heavy load; otherwise requests from other clients may slow down, up to a denial of service.

[screenshot]

But still, the most important thing is work, diligence and an understanding of how the technology works. A bug hunter needs to keep improving his skills, enrich his experience with valuable knowledge, and track and study new attack techniques and vulnerabilities.

Part 2

This is the long-awaited continuation of the first part of our material. If you missed the first part, I strongly recommend that you read it, and only then move on to studying the second.

Well, we continue!

"Quick Start" with Real Examples

So, after studying the theoretical basis (the most popular vulnerabilities, the most frequently used attack scenarios, the basic list of tools), it's time to consolidate the acquired knowledge using examples of old versions of real open source systems in which vulnerabilities have already been discovered.

Let me repeat once again that the examples discussed below are examined exclusively on old versions of software and we are talking about vulnerabilities that have been closed or eliminated.

Let's pay attention to code injection, namely SQL Injection.

Let's consider this vulnerability using MantisBT version 2.24.3 as an example. The exploit for this vulnerability, CVE-2020-28413, is published in a dedicated section of the MantisBT website. Anyone can therefore reproduce the attack, using BurpSuite to intercept and resend the request and sqlmap to retrieve information from the database in a more automated way.

  • There is a user account observer:SEk7AnRiF5 with the access role "Observer":

[screenshot]

You need to configure the browser to use BurpSuite as its proxy, then intercept the POST request to the script /api/soap/mantisconnect.php that carries the observer user's authorization data.

  • According to the exploit, the parameter vulnerable to SQL Injection is the value of the access tag. First, a legitimate HTTP request that does not violate anything is sent:

[screenshot]

  • In response, the server returns status 200 and the requested information:

[screenshot]

  • However, if the value 1 in the access tag is replaced with a single quote ('), then according to the exploit the server should return status 500 with an error about the malformed SQL query that the application built and the database executed. Sending the request with a single quote:

[screenshot]

  • Indeed, the server responds with a 500 status, and the response body contains confirmation of the presence of a SQL Injection vulnerability:

[screenshot]

Now it makes sense to use the previously mentioned tool - sqlmap, with which you can automatically obtain information from the database, exploiting the discovered SQL Injection vulnerability.

First, download sqlmap and save the last request sent (the one with the single quote) into a text file, named for example request, in sqlmap's root folder. Replace the single quote with an asterisk (*) so that sqlmap knows which parameter in the request to inject into.

  • By default, MantisBT names the database as bugtracker. Knowing this, we can query the list of tables that are in it:

[screenshot]

The result will be an unauthorized listing of all tables in the bugtracker database, which can also be accessed and their contents retrieved.

  • On HackerOne, SQL Injection vulnerabilities are rated as follows:

[screenshot]

Quite impressive, isn't it?
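To make the single-quote probe and its fix concrete, here is an added example; it is not MantisBT's code and not the published exploit. It assumes a constructed SQLite table project with an integer access column standing in for the access parameter, and compares a handler that splices the value into the SQL text with one that validates and binds it. The probe function reports the same signal a bug hunter observes over HTTP: a normal result, a database error (the status 500 case above), or a rejection by input validation.

```python
import sqlite3


def make_db():
    # Constructed sample data; the table and column names are assumptions,
    # not MantisBT's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT, access INTEGER)"
    )
    conn.executemany(
        "INSERT INTO project VALUES (?, ?, ?)",
        [(1, "public-site", 1), (2, "internal-tools", 10), (3, "payroll", 90)],
    )
    conn.commit()
    return conn


def projects_vulnerable(conn, access):
    # The caller-supplied value is spliced into the SQL text, so whatever it
    # contains is parsed as SQL: a lone quote breaks the statement, a
    # tautology rewrites the WHERE clause.
    sql = "SELECT name FROM project WHERE access <= " + str(access)
    return [row[0] for row in conn.execute(sql)]


def projects_fixed(conn, access):
    # Hardened form: validate the type first, then bind the value as a
    # parameter. Bound values can never change the structure of the statement.
    if not isinstance(access, int):
        raise ValueError("access must be an integer")
    sql = "SELECT name FROM project WHERE access <= ?"
    return [row[0] for row in conn.execute(sql, (access,))]


def probe(conn, handler, value):
    """Send one request through a handler and report what a client would see:
    ('ok', rows) for a normal response, ('db_error', msg) when the database
    itself rejects the statement (the 500-with-SQL-error signal), or
    ('rejected', msg) when input validation stops the request before any
    query is built."""
    try:
        return ("ok", handler(conn, value))
    except sqlite3.Error as exc:
        return ("db_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in (1, "'", "1 OR 1=1"):
        print("vulnerable", repr(value), probe(db, projects_vulnerable, value))
        print("fixed     ", repr(value), probe(db, projects_fixed, value))
```

Run it directly to print all six outcomes. The tautology case shows why the database error is more than a cosmetic problem: once the input is parsed as SQL, the WHERE clause can be rewritten and every project is listed regardless of access level. In-band, inferential and out-of-band injection all start from this same defect, and the parameterized query closes all of them at once, while the type check keeps the attacker's text from ever reaching the database and therefore from producing the error message that leaks query details.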


It's time to talk about attacks on the user.

In our examples we will consider two attacks on the user: "Cross-site scripting" (XSS) and "Cross-site request forgery" (CSRF).

First, let's consider the "Cross-site scripting" (XSS) attack on the user using the example of the open source system GitBucket. For version 4.37.1 there is a public exploit that allows an authorized attacker to inject malicious JavaScript code into certain pages, which is executed when those pages are viewed. Executing JavaScript code in the victim's browser can lead to the theft of cookies, redirection to another page, injection of a keylogger (malware that records pressed keys), or rendering a fake login form with subsequent theft of the login and password. In the system under consideration, when attacking the administrator it is possible to completely compromise the server.

  • Let's show a method for injecting malicious JavaScript code. First, an authorized attacker must create a repository:

[screenshot]

  • After creating a repository, it is necessary to create an "issue" in it, in the title of which the attacker places a malicious payload: "><img src=1 onerror=alert()>

[screenshot]

  • Next, when visiting the main page or the attacker's page (Public activity tab), the embedded JavaScript code will be executed in the user's browser:

[screenshot]

  • You can see how dangerous XSS attacks can be and how high the reward for finding them can be on HackerOne:

[screenshot]
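The payload from the steps above, rendered through a template that lets it through and through one that neutralizes it, as an added example that is not GitBucket's code. The template string is an assumption: it places the issue title inside an attribute value, which is the context the leading "> in the payload is built to break out of. Python's html.parser stands in for the browser and counts which elements the rendered markup actually creates.

```python
import html
from html.parser import HTMLParser

# The payload quoted in the GitBucket steps, used here as a constructed test input.
PAYLOAD = '"><img src=1 onerror=alert()>'


def render_title_vulnerable(title):
    # Hypothetical template: the issue title is inserted into an attribute value
    # without escaping, so a double quote in it closes the attribute and the
    # remainder is parsed as new markup.
    return '<a href="/issues/1" title="%s">issue</a>' % title


def render_title_fixed(title):
    # Hardened form: html.escape with quote=True converts &, <, >, " and ' into
    # entities, so the browser treats the whole title as text inside the attribute.
    return '<a href="/issues/1" title="%s">issue</a>' % html.escape(title, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag the parser encounters, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    # Parse the rendered HTML the way a browser would and list the elements it
    # creates; an element the template never declared means the title escaped
    # its attribute.
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def has_injected_element(markup):
    # Detection check for this template: it declares exactly one <a>, so any
    # other element in the parse result was injected through the title.
    return element_names(markup) != ["a"]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_title_vulnerable),
                         ("fixed", render_title_fixed)):
        out = render(PAYLOAD)
        print(name, element_names(out), "injected:", has_injected_element(out))
        print("   ", out)
```

The fixed output still contains the characters of the payload, but only as entities inside the attribute, so no <img> element and no onerror handler ever exist in the document. Escaping has to match the context (attribute value, element body, URL, script), which is why a single "sanitize on input" step is not a substitute for output encoding at the point where the value is written into the page.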


Let's look at another attack on a user - "Cross-Site Request Forgery" (CSRF) - using the example of the open source system GitLab.

Cross-site request forgery means that an attacker places an HTML form on a site under their control; the form is submitted to the vulnerable system on behalf of an authorized user whom the attacker has lured to that site. The consequences of this attack may be a change in personal data (name, phone, email, password), the execution of arbitrary actions, such as transferring funds to the attacker's account in a vulnerable banking system, or publishing comments on behalf of the attacked user.

  • There is a CSRF vulnerability in GitLab for versions below 14.0.2:

[screenshot]

In this case, the vulnerability allows snippets (/dashboard/snippets) to be created on behalf of the attacked user.

  • Before the demonstration, let's make sure that the current user has no snippets of their own:

[screenshot]

  • Using the publicly available exploit referenced above, the attacker creates a page on the controlled site with an HTML form with the following content:

[screenshot]

After a user logged into GitLab visits the attacker's site with the form posted there, a request is made to GitLab on behalf of this user and a snippet is created. After the form is submitted, the server returns a response indicating that the snippet was created successfully, and the Cross-Site Request Forgery attack on the user has been carried out.

[screenshot]

  • The attacked user now has a snippet with content that was controlled by the attacker:

[screenshot]

[screenshot]

  • And this is how CSRF attacks are assessed on HackerOne:

[screenshot]
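An added example of the server-side checks that stop the attack described above; this is not GitLab's code, and the application origin, the session layout and the form field name csrf_token are assumptions. A per-session token carried in a hidden form field and an Origin/Referer check are shown together, so that the form auto-submitted from the attacker's site fails both.

```python
import hmac
import secrets

# Assumed origin of the protected application (placeholder, not GitLab's).
APP_ORIGIN = "https://app.example"


def new_session():
    # Issued at login. The token is kept server-side with the session and
    # embedded as a hidden field in every form the application itself renders;
    # a page on another site has no way to read it.
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}


def _same_origin(headers):
    # Browsers set Origin (or at least Referer) on form POSTs, and a plain HTML
    # form on another site cannot forge them, so a foreign value identifies a
    # cross-site submission. A request carrying neither header is treated as
    # cross-site too, the strict choice for state-changing endpoints.
    source = headers.get("Origin") or headers.get("Referer") or ""
    return source == APP_ORIGIN or source.startswith(APP_ORIGIN + "/")


def is_request_allowed(session, headers, form):
    """Decide whether a state-changing request (e.g. 'create snippet') may
    proceed. Returns (allowed, reason). The two checks are independent: the
    origin check blocks the auto-submitted form on the attacker's page, and
    the token check blocks any request not produced by a form the application
    rendered for this session."""
    if not _same_origin(headers):
        return False, "cross-site origin"
    presented = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison; encode to bytes so arbitrary input cannot raise.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = new_session()
    # Legitimate submission from the application's own snippet form.
    print(is_request_allowed(session, {"Origin": APP_ORIGIN},
                             {"csrf_token": session["csrf_token"], "content": "hello"}))
    # Form hosted on an attacker-controlled site: foreign origin, no token.
    print(is_request_allowed(session, {"Origin": "https://attacker.example"},
                             {"content": "attacker controlled"}))
    # Same-origin request that skipped the application's form: no token.
    print(is_request_allowed(session, {"Origin": APP_ORIGIN},
                             {"content": "no token"}))
```

Either check alone already defeats the auto-submitted form from the demonstration, since the attacker's page can neither set the Origin header nor obtain the victim's token; keeping both guards against one of them being misconfigured. Marking the session cookie SameSite=Lax or Strict adds a third, browser-enforced layer, because the cookie is then not attached to the cross-site POST at all.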


Friends! Train, improve your skills, gain valuable knowledge, track and study new attack techniques and vulnerabilities. If you do everything right, the result (in its monetary equivalent) will not take long to come. Good luck!
 