
Okay, so this is OWASP Top 10 Like I'm 5, so let's just start. Who am I? I am probably very nervous right now reading this, because this is my first talk ever. So yeah, I expected to be nervous, but not on this level; it will probably get better. I am also making a YouTube video about my experience of doing this, my first ever talk, so I'll try to do some kind of video afterwards about going from zero to doing an actual talk. That's going to be interesting. Also, it's super hard to walk around with a big camera like that, it's super, super difficult.

Also, I'm a bug bounty hunter, web developer and high school student. I'm also a 2018 Bugcrowd MVP, that's why I'm showing off my t-shirt, which no one can actually see, but yeah, I never wore it before. And I'm also a co-host of the podcast named Insecure Space with a space han, so you should check that out. I'm just starting a timer here, because I'm going to mess it up later, so here we go.

For questions I'm trying a different approach: there is a thing called Slido, which is a web app where you can ask questions, so you can just open it in your browser. If you go to sli.do and enter the event code (the event code here is OWASP, I'm pretty lucky to have that name), so if you enter the code OWASP you can ask questions, and we will see them later, and you can vote on other people's questions. It's probably way better than just trying at the end of the talk, so we will look at Slido later; ask your questions there.

So what is OWASP Top 10? OWASP stands for Open Web Application Security Project, and the OWASP Top 10 is the list of the top 10 most critical web security risks today. It's made to help developers and pentesters understand and defend against these vulnerabilities. It's also a bit dense and can be hard to understand at first, so my goal with this talk is to make it a bit more easily understandable, hopefully. So here is the list, the Top 10 list. We are going to go through each of them one by one, and the talk structure will be like this: for every bug or list item there will be three slides, not five, because I planned to do five but then realized there's no way it's going to fit in 40 minutes, so I had to delete all of that. So we are only going to do: what is it, what's the impact, and real world examples.
Let's just start with A10, insufficient logging and monitoring. Now this is not as exciting, it's kind of boring, but let's just go for it. It's about having no or improper logs, crashes that don't generate useful logs, logs that are not monitored; basically having no, bad or not enough logs, and not monitoring them. The severity on this one is kind of low. The impact here is about whether you can see if someone is trying to attack the app: if you don't have logging you don't see people attacking, and if attackers get in you won't notice them, so this can lead to further exploitation. For the examples, there are no real bug bounty examples. There was the Yahoo breach, which got discovered in 2016, and they hacked Yahoo in 2013, so it took three years, because they didn't have proper logging set up. There was also Marriott International, the hotel site; they also got breached, in 2014, and they discovered it in 2018, so that's also kind of a big leap there. That was logging.

A9, using components with known vulnerabilities. This is still nothing really technical, it's just about using software with known bugs, so not updating software with known vulnerabilities. The severity of this depends on the type of bug we are talking about, so it can be pretty low or pretty high. The impact is that if an attacker scans your website, it can find version numbers, and if it finds vulnerable versions it can use pre-written exploits, or depending on the vulnerability it can maybe also compromise other systems. Real world examples: the Equifax breach, for example, which was because of an Apache Struts vulnerability. Also there are IoT botnets which use a lot of already known bugs, because they don't patch it, because it's IoT. For example the Mirai botnet was like this: it uses a lot of well-known exploits, also brute forcing, but a lot of exploits to target un-updated IoT devices. So yeah, these were pretty boring, so let's just try A8, which is insecure deserialization.

This one is a bit more technical. First of all, what is serialization? It's turning an object that you have in a programming language into text which you can transfer, and after that using that serialized object in cookies or hidden forms on the site, so basically sending the object through the browser. The severity is pretty high on this one, because the server deserializes it upon receiving.
This can go quite wrong. So here's an example, I'm going to use my fancy pointer thing, can you see? Pretty cool. We have a PHP object here, and if we serialize it, that's what we get: a PHP serialized object, and that's a string, and PHP can convert it back to an object. But here is an example attack scenario: if this is a cookie, for example, and the attacker changes the cookie (notice that there is "user" in the cookie; okay, what if I change it to "admin"?), then when PHP parses the cookie and converts it back to an object, it's going to convert the admin back, and now the attacker is going to have admin permissions. So you have to be very careful with sending objects which are serialized.

There are two kinds of attacks on this one. The data tampering attacks, which I just showed an example of: it can be access control, like changing it from user to admin, or a lot of other bugs if there is no validation, it can be injection or anything that we will talk about later. Also there are object related attacks, which is crafting a payload that uses available classes which can perform actions when deserialized, and this way you can get remote code execution, RCE, which is one of the most critical things you can get. This is super complicated; I personally, I mean, I tried to research it, but it's really hard. Fortunately there are tools which are pre-made to do this, like ysoserial and Java Serial Killer. These tools generate you a serialized object that you can send, and it's going to just execute the command, if you are lucky.

Real world examples: there was a remote code execution on a PayPal server. There was a blog post by Michael Stepankin about it. There was a POST parameter named oldFormData that was a serialized Java object, and using the tool named ysoserial Michael created the proof-of-concept object, which, when deserialized by the server, sent the content of the /etc/passwd file on Linux to Michael. So here we can see the attack (here is the fancy pointer again): he noticed that oldFormData is a serialized Java object, then he generated an RCE Java object which executed the command when deserialized, and then he got back a request from the server, because he made the request in the command. So as you can see, he executed code on the PayPal server.
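The cookie-tampering scenario above, as an added example (not code from the talk): a small parser for the subset of PHP's serialize() format that the User cookie uses, the one-line tamper that turns user into admin, and the HMAC check a server should run before it deserializes anything from the client. The User object, its properties and the server secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: what PHP's serialize() produces for an object like
#   class User { public $name = "david"; public $role = "user"; }
SERIALIZED_USER = 'O:4:"User":2:{s:4:"name";s:5:"david";s:4:"role";s:4:"user";}'

# Assumption: a secret that only the server knows.
SERVER_SECRET = b'constructed-server-secret-change-me'


def php_unserialize(data):
    """Parse the PHP serialize() subset used here: i, b, s, a and O."""
    value, _ = _parse(data, 0)
    return value


def _parse(data, pos):
    tag = data[pos]
    if tag == 'i':                                   # i:123;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 'b':                                   # b:1;
        end = data.index(';', pos)
        return data[pos + 2:end] == '1', end + 1
    if tag == 's':                                   # s:5:"david";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if tag in ('a', 'O'):                            # a:N:{...} / O:L:"Class":N:{...}
        colon = data.index(':', pos + 2)
        result = {}
        if tag == 'O':
            name_len = int(data[pos + 2:colon])
            result['__class__'] = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2           # skip ":
            colon = data.index(':', pos)
            count = int(data[pos:colon])
        else:
            count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip :{
        for _ in range(count):                       # key/value pairs
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        return result, pos + 1                       # skip }
    raise ValueError('unsupported tag %r at offset %d' % (tag, pos))


def tamper(cookie, old, new):
    """What the attacker does: swap a string value and fix its length prefix."""
    return cookie.replace('s:%d:"%s"' % (len(old), old),
                          's:%d:"%s"' % (len(new), new))


def sign(cookie):
    """Server side: append an HMAC tag so the cookie cannot be altered unnoticed."""
    tag = hmac.new(SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie + '|' + tag


def load_cookie(signed):
    """Verify the tag before unserializing; tampered or unsigned input yields None."""
    cookie, sep, tag = signed.rpartition('|')
    expected = hmac.new(SERVER_SECRET, cookie.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return php_unserialize(cookie)
```

Even with a valid signature, the role should come from the server-side session rather than the cookie; signing only stops the tampering shown above.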
He got back a response to his server, and he could even leak the /etc/passwd file, so he could basically just get remote code execution on PayPal, which is pretty nice.

The next one, A7, is cross-site scripting. This one is running malicious JavaScript in the victim's browser in the name of the site. It's mostly caused by user input not being escaped and echoed back into HTML. The severity is medium, depends, I don't know, you can argue about it, but there are pretty high impact ones as well. So here's a basic reflected XSS. We have a PHP app here which just says hello, uses the GET name parameter and echoes it back to you. So if we say hello and we put the name David, then it says "Hello David". But if we put name=<script>alert(1)</script>, with a closing script tag, an HTML script tag, then it's going to echo it back to us, so it's going to say hello <script>alert(1)</script>, and the browser thinks, oh, that's JavaScript, so it's going to execute the script in there, it's going to show us a pop-up. So we can execute script on the website in the name of the website.

There are three types of XSS: reflected, stored and DOM. Reflected is non-persistent, it's reflected from something like a URL, for example what I just showed; it affects only the user clicking on the malicious link. Stored XSS is a bit more: it's persistent, like a malicious comment, and it affects every user who loads the page. So for example you make an XSS on a forum in a comment, and everyone who looks at the comment is going to have the script running. DOM XSS is when the payload is not reflected into HTML directly but executed by JavaScript on the page; it's a bit more difficult to define and test for.

What's the impact here? The attacker can perform actions on the site in the name of the user, steal a user's session cookies, redirect users, modify the page for the user, anything that you can do with JavaScript. Let's just give an example: you can make a phishing pop-up asking for the victim's password, or if it's a news site with stored XSS, you can maybe modify news articles or something. So anything that you can do with JavaScript.

One example here is a Steam chat client XSS which leads to an RCE. I'm including the report IDs and paths, so you can go to these pages by using hackerone.com and the URL here; these are HackerOne URLs. It paid seven thousand five hundred dollars, and it's an amazing write-up, so you should check it out if you're interested. It worked like this: in Steam you can use this BBCode thing, where you for example specify a URL and you put some text with it. If you put url=google.com and "click me", then it's going to make "click me" a URL to Google, like a redirect to Google. But he put javascript:alert(1) into the URL, and this is called the javascript: URI; if you redirect to this javascript URL or URI, or you click on it, it's going to execute. So the Steam chat client generated a link to javascript:alert(1), and if the other person clicked on the link, alert(1) would execute, so XSS on the other person's Steam website or client. He also converted it to RCE with a fancy exploit of the Steam protocol, which I'm not going to go into in too much detail, but the XSS part was the one relevant to the talk here.

Okay, so A6, the next one: security misconfiguration. This can be basically anything which is misconfigured, for example improperly configuring AWS bucket permissions, crash stack traces that expose secrets, passwords not changed from the default, anything like that. The severity depends on what kind of issue we are talking about. What is the impact here? Because it can be a wide range of bugs, it can basically range anywhere from low severity stuff to remote code execution.
There is one really interesting bug, the Snapchat Jenkins RCE. It paid 15,000 dollars, which is quite a lot. It is basically about a Jenkins server; Jenkins is a server which companies use to run and build software and do continuous integration stuff. You could usually log in there with a Google account, but the Google account has to be from Snapchat, so only Snapchat people can log in. But with this one everyone could log in, it doesn't matter if they are a Snapchat person or not, so any Google account could log in. And in Jenkins there is a thing called the script console, which is basically like a terminal, so you can execute commands there. So he got RCE, remote code execution, that way.

Okay, A5, broken access control. I think this is my favorite type of bug, because most of the bugs I've found are BACs, or broken access control. It's about when an attacker can perform, view or edit stuff which he or she shouldn't, so for example a basic user can perform admin-only actions, or an attacker can access other users' stuff; you'll see an example here. The severity again depends, you can't really tell. So here's a simple IDOR example; IDOR stands for insecure direct object reference. Here we see a normal request: the attacker has an id of 2143 and he makes a request to the API asking for the user details of 2143. This is normal, right? And he gets back the attacker's, his own, info: credit card number, address, everything. But what happens if an attacker tries to request some other id? Maybe, if the app is not well protected, the other user's data is going to get sent back, so he's going to get back the details of the other person, the credit card number and address. Depending on the situation this can be pretty severe, and IDOR can happen in a lot of places.

What is the impact? It depends again. You can access or modify the data of other users, perform sensitive actions without having permission, access paid features without paying for it. That's one that, in my experience, a lot of companies don't pay attention to: they put up a paywall and then you have to pay, otherwise the buttons are grayed out in the UI and you can't press them, but if you repeat a request which turns on a paid feature, usually they don't check if you actually have a paid account or not. So that's something to keep in mind. And basically anything that you can do even though you shouldn't be able to; that's broken access control. There is one example that's really cool, the Steam CD key IDOR. It paid twenty thousand dollars, which is a lot of money. It was about an IDOR on a partner site, a Steam website where people can publish games, where they manage their games. There was an endpoint which generated CD keys: you pass the id of your game and it gives you back a CD key, as usual. But there was an issue that you could pass in any game, and it gave you a Steam key for that game, so you could just get the Steam key for every game on Steam and sell it, if the attacker wanted to do that. So that has a high impact as well.

Okay, A4, now we are getting into the higher priority ones: XML external entities, XXE. This is pretty interesting in my opinion. If an app uses XML to send data, accepts XML file uploads or processes XML, it uses an XML parser to process the XML.
If the XML parser has external entities enabled, the app might be vulnerable. The severity is really high, because this has a big impact, as we will see here in an example. I hope you can read the code, by the way; I tried to make it really big, but I'm not sure. So here is the example, we have a basic app; this is from a blog post by acunetix.com, it was really great, I just kind of used their examples, so that's why I'm crediting them. What this web app does is: you send an XML with a foo parameter and it just gives you back what the foo parameter is. Pretty easy, so you send "Hello World" and it says "Hello World". Now in the second one we set up entities. Entities are like a variable in a programming language: for example you set a bar variable to "World", and then you say hello and the bar variable, and what does it translate to? "Hello World". So you get that back; nothing dangerous here. What happens if you specify an external entity? You specify an xxe entity, and you make it a SYSTEM entity, which is an external entity, and you give it the path file:///etc/passwd, and you put it in the foo parameter. So the server says, okay, I need to echo back the variable, the variable is the /etc/passwd file, so I just read my /etc/passwd file and echo it back. And now you can read any file on the server.

What's the impact here? The attacker can read files on the server, perform SSRF, server-side request forgery attacks, which is about sending requests from the server: you make the server send a request to where you want it, so you can scan local networks with this as well. For example you can send a request to a local IP like 10.0.0.1, and if it takes a long time or the XML parser pauses or crashes, maybe there is no such host on the local network, but if it gives you back some kind of HTML or some response, maybe there is one device. So you can scan the local network as well, and pivot, which you shouldn't really do in a bug bounty situation, but that is also possible. You can also perform denial of service, DoS, attacks here, for example by reading /dev/random on Linux, which is an endless file: if the XML parser tries to read it, it's just going to read, read, read, read and it's going to fill up and crash, so that's denial of service. And in rare cases it can even lead to RCE, remote code execution.
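An added example in Python (not from the talk or from the Acunetix post). The stdlib ElementTree parser does not resolve external entities on its own, so the /etc/passwd read cannot be reproduced with it; what the block shows is the internal-entity substitution the talk describes, and the gate that rejects any DOCTYPE or ENTITY declaration before the parser ever sees the document, which is the standard way to take external entities off the table. The three requests are constructed to match the talk's examples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed requests, modelled on the three in the talk.
PLAIN = '<?xml version="1.0"?><root><foo>Hello World</foo></root>'
INTERNAL_ENTITY = ('<?xml version="1.0"?>'
                   '<!DOCTYPE root [<!ENTITY bar "World">]>'
                   '<root><foo>Hello &bar;</foo></root>')
EXTERNAL_ENTITY = ('<?xml version="1.0"?>'
                   '<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                   '<root><foo>&xxe;</foo></root>')

# Any DOCTYPE or ENTITY declaration anywhere in the input, case-insensitive.
# Deliberately coarse: a declaration inside a comment is rejected too, which
# is the side to err on for untrusted input.
DTD_MARKER = re.compile(r'<!(?:DOCTYPE|ENTITY)\b', re.IGNORECASE)


def has_dtd(xml_text):
    return DTD_MARKER.search(xml_text) is not None


def echo_foo_unsafe(xml_text):
    """The talk's endpoint with no gate: whatever <foo> expands to is echoed.
    Internal entities are substituted like variables, as in the second request."""
    root = ET.fromstring(xml_text)
    foo = root.find('foo')
    return foo.text if foo is not None else ''


def echo_foo(xml_text):
    """Same endpoint behind the gate; returns (status, body). Documents that
    declare a DTD never reach the parser, so neither the internal-entity nor
    the SYSTEM-entity request is processed; the plain one is echoed back."""
    if has_dtd(xml_text):
        return 400, 'XML with DOCTYPE/ENTITY declarations is not accepted'
    try:
        return 200, echo_foo_unsafe(xml_text)
    except ET.ParseError as exc:
        return 400, 'malformed XML: %s' % exc
```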
That's why the severity is pretty high on this one. Real world examples: we have a Twitter XXE, which paid ten thousand eighty dollars (not sure why the 80), and it was an XXE in the XMP processor on a Twitter web server. Here's what the attacker sent: as you can see, he declared the external entity here, so you put file and it's a file on the system, that's /etc/passwd, and what he did is, at the operator id parameter, he referenced the file. That's the request he sent, it was a basic POST XML request, and what he got back from the server was an error: oh, I'm unable to convert the whole /etc/passwd file to an integer for operator id, because operator id needed an integer. So the error message exposed the whole file, and with this you can read any file on the Twitter server, which is bad. There was another one, a Pornhub upload server XXE, which paid ten thousand dollars. I included this because this is not just an XXE, this was a bit more complicated than that, but think about it: read any file on the Pornhub upload server; you can decide the impact of that one.

A3 is sensitive data exposure.
This again includes a wide range of bugs, so it's not like an XXE where you have one technical bug, it's a lot of bugs. These bugs are all about exposing data, for example by not encrypting the communication, maybe not using SSL certificates, or using old, weak crypto, or storing sensitive data like passwords in clear text, which you should never do, and accidentally exposing secrets and keys, which happens more often than you would expect, and everything else that can expose sensitive data. The severity is high on this one. What's the impact here? If these security practices are not in place, an attacker could, for example if there is no SSL certificate, perform a man-in-the-middle attack and capture data while it's going through, for example, a public WiFi network; or you can steal all unencrypted passwords if they are not hashed correctly, so if someone gets access to the database and it's not hashed, you can see everyone's password, which is terrible. And you can also access internal systems, for example by finding unintentionally exposed secrets, which we will see a real world example of.

Here's the Snapchat token leak on GitHub. It paid fifteen thousand dollars, which is again intense. Snapchat had a public GitHub repository where they pushed their code, their open source code, but someone accidentally pushed an API key to GitHub which gave them access to their other, private server. As you can see on the GitHub, they leaked the token for github.sc-corp.net, that was their own server. There is no image for that one, but basically what they did is just accidentally commit that code with the token in it, and you can just reuse that token and then get access to the server. This happens quite often; there are even tools to detect this. There is a tool called Gitrob (I had to remove the slide because it took too much time), which is made for just this purpose: it scans the GitHub repos of one company and looks for commits where they use secrets and tokens. So there are already tools built for this.

Okay, so there is also broken authentication, this is A2. What is it? It's again not really a technical bug but a collection of bugs using which an attacker can bypass the authentication. First of all, let's note that authentication does not equal authorization, so IDOR and authentication are completely different things; authentication has to do with logging in and stuff.
This group of bugs includes things like having no rate limiting, which for example can make brute force attacks possible; allowing weak passwords like admin/admin; not properly invalidating session ids, so for example if you log out, the session id is still valid, which it shouldn't be, or if you don't use the session id for like an hour, the session id should expire so you have to log in again; and giving different responses, for example if the user doesn't exist. This is called user enumeration, which can happen if, for example, you log into an application and it gives you an error like "oh, this user does not exist". That's bad; it should give you an error like "this user or password combination is not correct", because if it gives you an error like "this user does not exist", then this essentially means that you can just put a bunch of email addresses in there, a list of them, and see which users are registered in the app: if they exist you get the error that the password is incorrect, and if they don't exist then you get another error. So you should give one type of error, for example in a login situation, or everywhere; you shouldn't expose stuff by giving two different error messages.
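The login behaviour described above, as an added example (not from the talk): a login that leaks whether the user exists, beside one that returns a single error, does the same PBKDF2 work for unknown usernames so response time does not leak it either, and counts failed attempts so brute forcing is rate limited. The user store, the password and the limits are constructed.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000          # constructed setting
MAX_ATTEMPTS = 5                 # constructed lockout threshold
GENERIC_ERROR = 'Incorrect username or password'


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac('sha256', password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, digest). Only 'david' exists.
USERS = {'david': hash_password('correct horse battery staple')}

# A throwaway record so that an unknown username costs the same PBKDF2 work
# as a known one; otherwise response time alone enumerates users.
DUMMY = hash_password(secrets.token_hex(16))

# Per-account failed-attempt counter. Real deployments also limit per source
# address and reset after a time window, so an attacker cannot lock a victim out.
_failed_attempts = {}


def login_enumerable(username, password):
    """The pattern the talk warns about: two different errors, so the
    attacker learns from the text which usernames are registered."""
    if username not in USERS:
        return False, 'This user does not exist'
    salt, digest = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return False, 'Incorrect password'
    return True, 'ok'


def login(username, password):
    """One error message and one code path whatever failed, plus the
    failed-attempt counter so repeated guessing is cut off."""
    if _failed_attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False, GENERIC_ERROR       # locked out; log this server-side
    salt, digest = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt)[1], digest)
    if not (matches and username in USERS):   # hash work done in both cases
        _failed_attempts[username] = _failed_attempts.get(username, 0) + 1
        return False, GENERIC_ERROR
    _failed_attempts.pop(username, None)
    return True, 'ok'
```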
What is the impact here? The attacker can get access to accounts. Again, the severity of this depends on what kind of accounts, admin or basic user, what actions the user can perform or what sensitive data is accessible. The impact is basically bypassing the authentication, so it can be anything above that. It was super hard to find basic bug bounty examples for this, because people are not reporting stuff like security questions; security questions are unsafe, but you don't report them to a bug bounty program. Bug bounty is a bit different, more of a technical thing, so they usually like those reports better. What I found, which was kind of considered broken authentication, was a report by Mungo which paid ten thousand dollars, which allowed him to change the password of any Uber user just by using their phone number, which is a pretty big problem. So let's just see: this was the data he sent. When you open the application, the iOS app, it sent a request to this passwordless signup thing, where you just enter your phone number and then it registers you, or something along the lines of this. But there was an issue that if you enter the phone number of someone else and then you enter the new password, then it's going to say okay, succeeded, a new password has been created, please log in with the new password. But you just changed the password of someone else, and you can just brute force a lot of phone numbers, or I don't know. This is still a really severe bug, because just by the phone number you can take over anyone's Uber account.

And for the last one, something a bit more exciting, which is injection. Injection usually happens when user input is not sanitized or validated, so for example user input is used in an SQL query or in a command which is executed on the system.
It can also be in a templating engine, for example, so injections can happen basically anywhere. For example a malicious user input can break out of the SQL query and then execute something malicious. The severity of this is really high; this is the first one on the list, that's why it's A1, so it's pretty severe. Let's see an example here. Okay, SQL injection: we have a very basic PHP app which gets the post by looking at the id in the GET parameter, so this has an id of 53, and then it generates a query by putting SELECT FROM post WHERE post id and it appends the post id. This seems pretty fair, right? You put 53 in there and then it makes a query like SELECT FROM post WHERE post id is 53; this is okay, this is not a big deal. But what happens if you put id=53; DROP TABLE users? The server is going to add the DROP TABLE users to the query, because it doesn't care about it, and then the query which is going to run on the SQL server is going to be SELECT FROM post WHERE post id is 53, and also, by the way, DROP TABLE users. And you don't want that, probably.

What is the impact here? This can give you full access to databases, or remote code execution if you have code exec or command injection, or whatever else; these pretty much say it all, it's a really high impact. About remote code execution: for example, if you have a command injection then you can just put the ampersand character or the pipe character to exit the current command and execute something else. So it can happen not only in SQL but also in other commands or other types of injections; everything can basically happen here. Here's the real world example: there was a Steam SQL injection, it paid twenty five thousand dollars, and guess what, this was the same guy who found the Steam CD key bug which I told you about earlier, so he kind of made 25,000 plus 20,000, which is not bad. It was about an unvalidated parameter, as you can see, on the reportxml.php page, which could be used to read certain SQL data from a backing database; yeah, I just read that. So it was basically an SQL injection.

Okay, the thing is that I was probably a bit too fast with this, but I don't think it's a problem, because we're already a bit late. Since I was fast enough, we should check Slido to see if we have any questions.
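Going back to the SQL injection example: the same pattern in Python and SQLite, added here and not from the talk. sqlite3's execute() refuses stacked statements, so the talk's 53; DROP TABLE users payload does not run against it; the block uses a boolean payload against the same string-concatenated query to show the root cause, beside the parameterized version. The posts table is constructed.

```python
import sqlite3


def make_db():
    """Constructed sample: a posts table with one public and one private post."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE posts (post_id INTEGER, title TEXT, public INTEGER)')
    con.executemany('INSERT INTO posts VALUES (?, ?, ?)', [
        (53, 'Public post', 1),
        (54, 'Draft: unreleased roadmap', 0),
    ])
    return con


def get_post_vulnerable(con, post_id):
    """The talk's pattern: the GET parameter is pasted into the query text,
    so it can turn from a value into SQL syntax. A payload such as
    '53 OR 1=1' makes the WHERE clause true for every row, private or not."""
    sql = ('SELECT title FROM posts WHERE public = 1 AND post_id = '
           + post_id + ' ORDER BY post_id')
    return [row[0] for row in con.execute(sql)]


def get_post_fixed(con, post_id):
    """Parameterized query: the driver sends the value separately from the
    statement, and the value is validated as an integer first."""
    try:
        post_id = int(post_id)
    except ValueError:
        return []
    sql = 'SELECT title FROM posts WHERE public = 1 AND post_id = ? ORDER BY post_id'
    return [row[0] for row in con.execute(sql, (post_id,))]


def stacked_payload_is_refused(con):
    """sqlite3.execute() compiles one statement only, so the talk's
    '53; DROP TABLE ...' payload raises before anything runs. Other
    engines and drivers may accept stacked statements; the fix is the same."""
    try:
        get_post_vulnerable(con, '53; DROP TABLE posts')
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False
```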
It would be pretty lame if I don't have any questions, so I hope at least some of you have a question. We will see, let's just check. Okay, so at least I got one question.

"What was the most interesting bug you have found?" Oh, I think it is still a bug which I found which is triaged and still not confirmed, and I'm waiting on it, and it's a really, really great bug which I'm trying to release, but I can't talk about it because, yeah. But other bugs I usually find include, like I said, broken access control. Oh hello, how can I, oh, I can scroll, okay. So I usually find broken access control stuff: you repeat requests from one user on the other user, so with one test account you capture all the requests, and with the second one you repeat them, and if you can access stuff from test account one, then that's pretty bad, so that's one bug already. So I usually test for these kinds of bugs.

"Do you consider doing bug bounty as a full-time job?" No, because I'm a high school student, but that's a tricky question. Bug bounty as a full-time job is really, really stressful; that could be another talk, because bug bounty can be really hard if you are really dependent on it. For example, in my case, you have to wait months until your bugs get resolved, so if you really depend on doing bug bounty as a full-time job you may have a really bad experience; you're just stressing out that, oh my god, these reports are still not getting paid. So what I think is the best thing to do, if you're just starting out, or you're not the best bug bounty hunter ever, is to have a real job and then do bug bounty, and try to balance it, because doing it full time can be really hard or really stressful. But there are some people who are doing it and they make a lot of money, so it's certainly possible.

"Are you using scanners or automated tools, or is it just a waste of time?" If the tool is pretty basic, or something which everyone else uses, then it's mostly a waste of time, I'm sorry, but if you run these basic web app scans on a bug bounty program you're just not going to find anything, probably, because everyone can run that. What you should be focusing on, maybe, is trying to build your own tools and build something which is unique to you, that no one else uses. Okay, I'm getting anonymous questions again. And automated tools can be pretty good if they are applied in a good way, so it's not just using some basic scanner which is not going to give you any results. "Can you DoS this?" I'm not sure, I'm not running this; Slido looks like a big company. So wait, what, how did we get, oh, you're upvoting stuff and the order is changing, so great. "First talk, you're also a gamer?" Gamer. I can't send XSS to this screen, I don't know.
So there was a gamer question: I'm not really a gamer, I used to play games, but I'm not really; I kind of try to do something a bit more productive, but you can usually play PUBG for a few minutes, hours. Oh, chicken, let's see. I'm talking, okay, let's do this. Oh, someone is testing: alert('hi'), that's not going to work, you forgot the script tag. Chicken, chicken. "Besides the drugs", yeah, I agree.

"Have you used BeEF on XSS?" No, but that's a really great example, if I can talk a bit about that: blind XSS. Blind XSS is getting an XSS without actually seeing it, so it can be pretty interesting. For example there was a bug where at the support form you can make a support ticket, and the guy put a blind XSS payload in the support ticket, and a few days later he got an XSS response back, because on some other web application his ticket got into a lot of systems, and some application didn't escape his script tags or his payload, and then it executed on some internal system. So you can also make blind XSS attacks, which is by exploiting something which can maybe take time. It's really hard to explain without examples; if you're interested, blind XSS is something really cool and you can use BeEF to do that. Oh, okay, that's cool. Yes, oh, I accept, thank you.

"What's your biggest success in bug hunting?" I mean, I don't know, it's really... One thing I can tell you is that when I started doing bug bounty I thought there is no way I can do this, there is no way I can find a bug, and I tried to do it a lot, and in a few months, no, first I started on a points-only program, because that's where you don't get money, you only get points, and it's way easier because not a lot of people are targeting it. And then I thought, okay, I'm just going to go for the paid ones, why not, and I went to the paid ones and I thought no way I'm going to get a paid bug, and I did it for like one week straight, I thought what can I lose, and I got a bug. And then I was just lying there at like 11 p.m., I was ready to go to sleep or something, and I got like four emails or three emails, because if you get a bug which pays then you get a lot of emails, because they confirm it, they pay it and so on. So I just looked at my phone, it was buzzing, and I got the bounty, my first bounty ever, and it was a crazy feeling. So it's certainly possible, you just have to put in the work and try to do it; it looks really impossible to do that.

So, not such a big of a program. How much time do I have? (Host: If we could, the two questions that are there now, if they could be the last, please, if you could answer those questions.) Let's see: bug hunting, from last summer, so I just finished that question. Slido, I hope it was going to work out. So, escaping; that's a bit of a problem, yeah. Frameworks usually use some kind of mapping layer to map the SQL database to an object, so you're not actually writing queries, you're communicating with an object, so that's why they handle all of the queries for you in the background; you just don't have to write the query and escape everything. So modern frameworks, yes, they can definitely prevent bugs nowadays. "Any issues with the law as a result of bug reporting these systems?" Yeah, in Hungary the situation is pretty rough in my opinion. I don't recommend you to report stuff to programs, or not; you shouldn't test or report or do anything for companies if they don't have a bug bounty program, just try to skip it. It looks like such a good thing to report a bug on some big system, but if they don't have a bug bounty program, just don't test, and you're going to be way better off later, because you don't want to get into legal stuff. So just try to stay in bug bounties. Time is up? Hi BK, yeah, so time is up. Thank you, Anonymous. I think that was it, so I'm just going to do the final talk: thank you. Love it, thank you very much.