Bug Bounty Reports - How Do They Work? Adam Bacchus, Chief Bounty Officer - HackerOne Nullcon - March 2017
Mar 19, 2017
AGENDA
1. Intro
2. Know your audience
3. The Report
4. Security Team 101
5. The Good, The Bad, The Ugly
6. Resources
7. Next Steps
8. Q & A
Intro
Let’s get it started
Adam Bacchus
Work
● Pentester (~4 yrs)
● Google (~4 years)
● Snapchat (~1 year)
● HackerOne (~1 year)
Play
● Gaming
● Playing with fire
HackerOne
● Bug bounty platform where you can find organizations to hack on
● Uber, Twitter, Snapchat, Starbucks… tons more
● 100,000+ hackers to learn from, like our buddy geekboy :)
● $14 mill USD (₹ 934m) in bounties paid to hackers!
Why does this matter?
...better bug reports...
...better relationships...
...better bounties!
Some Quick Terminology
Vulnerability
weakness of software, hardware, or online service that can be exploited
Report
an awesome write-up of the bug you’ve found
Vulnerability Disclosure
the process by which an organization receives and disseminates information about vulnerabilities in their products or online services
Bug Bounty Program
vulnerability disclosure, but with monetary incentives
Security Team
the people reading and responding to your bug reports, handling vulnerability management, paying out bounties, etc.
Know Your Audience
“I don't believe in elitism. I don't think the audience is this dumb person lower than me. I am the audience.”
Quentin Tarantino
Scope
What is it?
● In scope: List of websites, apps, IoT, etc. that are okay to hack
● Out of scope: Stay away!
● Why are things out of scope?
○ Infrastructure can’t handle scans
○ Security team already knows it needs work
○ Security team is starting small and working their way up
○ Hosted by a third party; security team doesn’t control it
What if I find a new scope?
Don’t be afraid to ask!
But keep expectations low - they might not be ready for the new scope yet.
SLA - Service Level Agreement
“an official commitment that prevails between a service provider and the customer. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user.”
A Service For Hackers
That’s right - a vulnerability disclosure/bug bounty program is a service, to you, the hacker.
What should a security team provide?
How much time for…
...first response
...bounty decision
...remediation
What if the security team doesn’t have SLAs?
(didn’t we see this slide already?)
Don’t be afraid to ask!
“What’s your normal turnaround time on X?”
What are typical SLAs?
First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage
Remediation depends on severity
Critical = 1-2 days
High = 1-2 weeks
Medium = 4-8 weeks
Low = 3 months
What NOT to do
1. Send report
2. Five minutes later... update plz!
3. Ten minutes later… bounty plz!
The Report
Reproduction Steps
Specific, detailed, step by step instructions on how to reproduce the vulnerability.
Reproduction Steps - The Wrong Way
1. You got an XSS on the name… BOOM!!!
2. Where’s my bounty?
Reproduction Steps - The Right Way
1. While logged in, navigate to your profile at <url>
2. Click the “Edit” button in the upper right
3. Change your first name to "><img src=x onerror=prompt(document.cookie)>
4. Click “Save”
5. Navigate to your profile at <url>, the XSS should fire
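As an added example (not code from the talk), here is the defect behind the repro steps above beside its fix: a profile template that interpolates the first name into an HTML attribute unescaped, and one that escapes it for that context. The payload is the one quoted in step 3; the template markup and function names are assumptions. A small element counter, built on the tolerant parser in the Python standard library, shows what a browser would see in each case, which is also a quick way for a triager to confirm that a stored value really breaks out of its attribute before the report is marked triaged.

```python
"""Stored XSS in a profile name: vulnerable rendering beside the hardened form.

Added example, not code from the talk. The template markup and function
names are assumptions; PAYLOAD is the value quoted in the repro steps.
"""
import html
from html.parser import HTMLParser

# The exact value the report tells the security team to save as the first name.
PAYLOAD = '"><img src=x onerror=prompt(document.cookie)>'


def render_profile_vulnerable(first_name: str) -> str:
    """Interpolates user data straight into an HTML attribute: the bug being reported."""
    return f'<input name="first_name" value="{first_name}">'


def render_profile_hardened(first_name: str) -> str:
    """Escapes &, <, >, " and ' before interpolation, so the value cannot close the attribute."""
    return f'<input name="first_name" value="{html.escape(first_name, quote=True)}">'


class _ElementCollector(HTMLParser):
    """Records every start tag the tolerant stdlib parser sees (a rough stand-in for a browser)."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.elements.append(tag)


def element_names(markup: str) -> list[str]:
    """Return the element names in markup; an unexpected <img> means the payload escaped its attribute."""
    collector = _ElementCollector()
    collector.feed(markup)
    collector.close()
    return collector.elements


def payload_escaped_attribute(markup: str) -> bool:
    """Triage check: True if rendering produced any element other than the single <input> we wrote."""
    return element_names(markup) != ["input"]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_profile_vulnerable), ("hardened", render_profile_hardened)):
        markup = render(PAYLOAD)
        print(f"{label}: elements={element_names(markup)} injected={payload_escaped_attribute(markup)}")
```

The vulnerable template yields two elements (the input and the injected img); the hardened one yields only the input, because the quote and angle brackets arrive as entities and never reach the tag parser.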
Exploitability
How would a real attack work? Think like an attacker!
If an attack isn’t exploitable, how much does a security team care about it?
Exploitability - The Wrong Way - Clickjacking
1. Navigate to <URL>
2. X-Frame-Options header is missing
3. ???
4. Profit?
Exploitability - The Right Way - Clickjacking
1. Navigate to <URL>
2. X-Frame-Options header is missing
3. You can use clickjacking to trick a user into deleting their account. See attached HTML file for a PoC.
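An added triage check, not code from the talk, that a security team (or the reporter, before submitting) can run against a saved HTTP response to back up the “header is missing” claim, and that applies the slide’s exploitability point: missing framing protection only matters on a page where a framed click does something, which is also why the later “clickjacking on static content” question falls below the bar. It goes slightly beyond the slide by also recognising a Content-Security-Policy frame-ancestors directive, which protects a page even when X-Frame-Options is absent and takes precedence in browsers that support it. The raw responses are constructed samples and the function names are assumptions.

```python
"""Triage check for a clickjacking report: does the response really lack framing
protection, and does the page do anything worth protecting?

Added example, not code from the talk. The raw responses below are constructed
samples; the function names are assumptions.
"""
from typing import Mapping


def parse_response_headers(raw_response: str) -> dict[str, str]:
    """Return the header block of a raw HTTP/1.1 response as a dict (later duplicates win)."""
    headers: dict[str, str] = {}
    lines = raw_response.split("\r\n")
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify anti-framing protection: 'csp-frame-ancestors', 'x-frame-options' or 'none'.

    Browsers that understand frame-ancestors ignore X-Frame-Options when both are
    present, so CSP is checked first. ALLOW-FROM is obsolete and not honoured by
    current browsers, so only DENY and SAMEORIGIN count as protection.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return "csp-frame-ancestors"
    if lowered.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return "x-frame-options"
    return "none"


def clickjacking_verdict(raw_response: str, has_state_changing_action: bool) -> str:
    """Combine the header check with exploitability, as the slides ask the hacker to do."""
    protection = framing_protection(parse_response_headers(raw_response))
    if protection != "none":
        return f"protected ({protection})"
    if has_state_changing_action:
        return "exploitable: unprotected page with a sensitive action"
    return "below the bar: unprotected but static content"


# Constructed sample responses (not captured from any real site).
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
SAMPLE_XFO = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
SAMPLE_CSP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
              "X-Frame-Options: ALLOW-FROM https://example.invalid\r\n\r\n<html>")

if __name__ == "__main__":
    print(clickjacking_verdict(SAMPLE_MISSING, has_state_changing_action=True))
    print(clickjacking_verdict(SAMPLE_MISSING, has_state_changing_action=False))
    print(clickjacking_verdict(SAMPLE_XFO, has_state_changing_action=True))
    print(clickjacking_verdict(SAMPLE_CSP, has_state_changing_action=True))
```

Whether the page has a state-changing action is a judgement the reporter supplies (the slide’s “deleting their account”); the header parsing is the part worth automating, and the third sample shows why checking X-Frame-Options alone gives the wrong answer.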
Exploitability - The Wrong Way - Server Info
1. Your server at <IP> is showing banner information and is out of date.
2. ???
3. Profit?
Exploitability - The Right Way - Server Info
1. Your server at <IP> is running an outdated version of <software>.
2. I’ve verified it’s vulnerable to a known XSS which can be used to steal <cookie ID> and hijack users’ sessions. Here are the repro steps.
Impact
We know how to repro…
We know exploitability / attack vector…
So now what?
What happens if this vulnerability gets exploited?
What does the security team care about most?
Put yourself in the organization’s shoes
Industry | Compliance | What they care about
Healthcare | Health Insurance Portability and Accountability Act (HIPAA) | PII (Personally Identifiable Information), e.g. patient data
eCommerce / Retail | Payment Card Industry Data Security Standard (PCI-DSS) | User data, especially credit card info
Government (U.S.) | The Federal Information Security Management Act (FISMA) | Employee info, classified info
Finance | Gramm-Leach-Bliley Act (GLBA), PCI-DSS | Consumer and investor financial data
Education | Family Educational Rights and Privacy Act (FERPA) | Student records
Technology | It depends! | It depends!
Put yourself in the organization’s shoes
User information disclosure of first and last name. Where is the impact bigger?
or...
Impact - The Wrong Way
1. You have an XSS
2. <repro steps>
3. <exploitability info>
4. …
5. Profit?
Impact - The Right Way
1. Here’s a PoC to steal session info via XSS
2. Exploiting this against a regular user would allow access to view and modify their name, address, birthdate, as well as transfer all money out of their account.
Impact
What is CIA?
Confidentiality - Integrity - Availability
Confidentiality
“...information is not made available or disclosed to unauthorized individuals, entities, or processes.”
Integrity
“Ensuring data cannot be modified in an unauthorized or undetected manner.”
Availability
“Information must be available when it is needed.”
Impact - CIA
Think about how your vulnerability impacts the Confidentiality, Integrity, and Availability of the organization’s assets.
“The Bar”
What is it?
The minimum severity vulnerability that qualifies for a program.
Every organization cares about different things.
It’s all about context.
Ask yourself:
“If I were the security team, is this important enough that I’d want to bother a developer to fix it?”
So you’ve found clickjacking on a page with only static content?
“The Bar” - Open Redirects
Is Open Redirect technically a vulnerability? Yes.
Does company XYZ care? Probably not.
Why not?
“The Bar” - Logout XSRF
Is Logout XSRF technically a vulnerability? Yes.
Does company XYZ care? Probably not.
Why not?
“The Bar”
Vulns can be 100% accurate, but so what?
(this slide AGAIN!?)
Don’t be afraid to ask!
“Do you care about vulnerabilities like X?”
Public Disclosure
What is it?
After the bug is fixed, the security team and hacker agree to disclose the report as an example for the bug bounty community.
The Good, The Bad, The Ugly
Bug Bounty Reports IRL
Let’s take a look at some real life examples...
The Good - hackerone.com/reports/143717
Report: Changing any Uber user’s password
Bounty: $10,000 USD
Let’s check it out!
The Bad - hackerone.com/reports/156098
Report: XSS At "pages.et.uber.com"
Bounty: um...
The Ugly - hackerone.com/reports/137723
Report: “vulnerabilitie”
Bounty: we get to laugh at the report?
Let’s check it out!
Resources
● Web Application Hacker’s Handbook
● Web Hacking 101
● Google Bughunter University
● Google Gruyere
● Burp Suite
● Bug Bounty Reports - How Do They Work?
Recap
Quick Recap
Know your audience! Think from the security team’s perspective
“I am the audience”
Repro + Exploitability + Impact
Ask questions, get clarity
Any questions?
Thank You
Adam Bacchus [email protected] @sushihack linkedin.com/in/adambacchus/ facebook.com/sushihack