
Entomology 101: Finding, Studying, and Exploiting Bugs

BSides Canberra · 2020 · 38:01 · 446 views · Published 2020-07
About this talk
An introduction to bug hunting methodology covering how to collect, study, and find vulnerabilities in web applications and software. Louis Nyffenegger walks through practical techniques for discovering bugs, from monitoring security mailing lists and bug bounties to reading source code deeply, and discusses scaling bug-hunting efforts through automation and deliberate practice.
Transcript [en]

...was a great talk. I mean, I've said it, I said it multiple times, and I'd love to... oh my god, the next speaker is Louis. I don't think Louis needs an introduction, but he's always so short for this. Anyway, he's a security engineer based in Melbourne and he is the founder of PentesterLab, a learning platform for web penetration testing. I think a lot of people know about PentesterLab. He's also the creator of the Silvio stickers and, even worse, a couple of weeks ago he decided to make Silvio allured my house already. Thank you, my lord.

Can you hear me okay? I think... okay, perfect. So let's get started. So today I'm going to talk about Entomology 101, so basically an introduction to studying, collecting and finding bugs. You get to the right window. So basically my job at PentesterLab is to find, collect and study bugs to help people learn what is important when you're testing web applications and how you can find, fix and exploit these bugs, and this talk is about how I do that. So first, if you're like me, so basically if you're not Silvio, you're unlikely to find new vulnerability classes. You're most likely going to find a bug class that someone already found, in a new project, or

found a little derivation from an existing bug or an existing bug class, and that's why it's so important to learn existing patterns: to be able to know, okay, I've got this pattern that looks like something that is a vulnerability, and that's going to allow you to find a lot of bugs. So first, to do this entomology, what you need is to start collecting bugs. So a good way to collect bugs is to look at what people are doing. So first you can look at, for example, mailing lists. Security people are still using emails. One I really like is the Apache announce list, because it's going to give you all the new versions of

Apache projects, and with a new version you've got vulnerabilities that are fixed, and so you can dive deeper to see, okay, what was the bug, what happened. Ruby on Rails as well: I'm a big Ruby guy, and it's a project that is mature enough, so when there are new bugs in Rails you can be sure that they're not trivial, they're not something very simple, so it's interesting to look there. You don't want to follow or look at projects that are really immature, because otherwise it's going to be hundreds and hundreds of silly bugs, and that's not where you're going to be learning. Another way to find new bugs or new patterns you don't know

about is to look at bug bounty disclosures, either by following Twitter, like @disclosedh1, or Bugcrowd, which has disclosures as well, same for HackerOne with Hacktivity, and a lot of bug bounty write-ups from bug bounty hunters. So again, that's going to give you a lot of details. The problem I have with that is that you have two things: you only have the information from the researcher, who is doing closed-box testing, so it's very limited, and you only have the information in the way the researcher presented it, so sometimes you are missing a lot of information there. But it's always good to look at, because some researchers do write-ups that

are freaking amazing. Then, if you look at collecting bugs, you can get things like that in your mailbox. So that was an email from Apache saying, okay, this is a very serious bug in Kylin, and it's an SQL injection. So you get that and you say, okay, let's dig deeper if you've got time. Another way to collect bugs is to look at Twitter; a lot of people to follow are publishing bugs every day. I don't want to list people and forget someone. Try to find people who share information on bugs; like, people are going to be, okay, I found this bug, and no information is shared, and that doesn't have a real value.

People like Silvio, for example, are extraordinary at sharing information about the bugs they've found, so you can learn from them. If you just have, oh, I got twenty thousand by finding this bug, and you don't know anything about it, there is nothing to learn from it. So try to find people with a high signal versus noise ratio: someone who talks about bugs, who talks well about the bugs, explains them well, and doesn't spend their time on Twitter talking about other stuff you don't care about. Other obvious sources: the Project Zero tracker, conferences and local meetups, your friends, if you have people talking about things they've found, that's really interesting; blogs, RSS, RIP Google Reader

I guess, and Reddit's netsec is pretty good. Or CTFs as well; it's a good way to learn about new things, because people writing CTF challenges are not here to keep other people busy, they're here because they want to share their knowledge and they want to share information about something tricky, a weird behavior or something interesting for other people. So CTFs are a really good way to learn about new bug classes or bugs you may not have heard about, so check them out and play. And once you've got all these collected, you need to start studying bugs. So a good way to do that is to check the source code: you find the vulnerable version and the fixed

version and you do a diff on GitHub. It's literally a few clicks on GitHub, sorry, it's literally a few clicks, so it's really easy to see what was changed, just by doing these few clicks, like barely nothing, right? You go from the version that is vulnerable to the version that is not vulnerable in three clicks. What are you going to learn? A lot. You know what the vulnerable code looks like, you know what the bug precisely is, like okay, we talked about SQL injection, but what kind of SQL injection, what is really happening. You have an idea of the exploitability of the issue, because there are really hard to exploit bugs and really

easy to exploit bugs. So by doing a simple diff, when you have access to the source code, you get this information as well, and you know how to fix that bug as well, hopefully it's done properly. So it lets you, when you're doing for example a report as a pentester, say, okay, this is the same bug as this bug I already looked at, because I'm doing all this etymology and entomology, and so I know exactly what recommendation people should apply, and hopefully they fix it well. And as well, it's a good way to get an introduction to a code base: by looking at security issues in that code base you're going to know, okay, this is a

function that is important when we are dealing with SQL data, this is a function that matters when we're doing cross-site scripting escaping. So you're going to learn the code base without having to spend too much time on it, and you're going to be able to see a lot of different code bases. So for example, for the bug I was talking about in the email from Apache, you can see that, okay, this really looks like a trivial SQL injection, and we can see that to fix it we're just going to use a prepared statement. So a very simple change, it takes seconds to read, and you get a lot of information about SQL injection:

what happens when it's wrong, what is the right way to do it. So you're learning a lot by just reading five, ten lines of code, so it's a good way to learn. Once you learn a bit more about this bug, what is interesting is to build a test environment, because it allows you, first, to learn how to deploy software. It's not always easy to deploy software, even if it's a lot easier now with Docker; sometimes it's just one command thanks to Docker, a lot of open-source projects now have a Dockerfile, so you can just run docker build and docker run. It's going to help you study someone else's exploit, if

you can't write your own exploit yet, and then once you've studied someone else's, you can write your own, or you can just not look at what other people are doing and exploit the issue yourself. And then, once you've got this test environment up and ready, why not keep testing, right? So that's a good way to keep testing: you say, okay, they had this bug, but maybe there is something similar that the person finding the initial bug didn't look at, so it's really good to be ready to go further and look at it. Once you start studying a bug, what is interesting is to extrapolate: are there any other identical patterns in the same project? Because often a developer will fix one

instance of the bug and forget other instances. And can you find the same pattern in other projects? Like really, really easy things: okay, this is a string concatenation in a SQL query, can we find that in another project? For SQL injection it's probably easy, because everyone knows about it, but when you think about header injection in the Host header, like on a password reset, maybe not as many people have looked at it. And try to see what these patterns translate to in other languages and frameworks: okay, this is an SQL injection in Java, what does it look like in Perl, what does it look like in Ruby, what

does it look like in PHP? It's a really good way to find new bugs, because people don't necessarily do that work of looking in other languages or frameworks. And then once you're done with the studying, you probably want to document your findings: keep notes on the bug and the source code and the fix, keep the exploit and the tools to run it, and maybe share it in a blog post or write a blog post, do a talk at work, your school, your local meetup, tweet about something people may not know about that bug. Like, often you can see a lot of people tweeting or retweeting about one bug, but no one is adding information to it; on Twitter people are

just repeating the same thing again and again, or adding a joke to it. If you can add value and say, oh, actually this is only exploitable because of that, or actually you can exploit it in a better way using that, it's going to, if you're looking for a job, that's a good way to get people interested in your profile. Then, hunting for bugs. So once you've got your nice collection of bugs ready, you've learned about all these things and you know all these new bugs, what you can do is start hunting. So first you can do bug bounty programs; the problem is that you're going to have limited access to source code, so it's

not always ideal if you want to do that at scale. If you're looking for targets, GitHub trending is pretty good, I like the DigitalOcean marketplace, or the "awesome" lists, like awesome-go or awesome-ruby on GitHub, where people put together a list of really cool projects in their preferred language; I use that a lot to find targets. Hacker News as well: someone is going to post, oh, this is my new open source project, and that's a good target to look at. And to get started, you just build your test environment, with debugging if possible, you get familiar with the source code if available, it doesn't take long to just grep for things

that are interesting and say, okay, where is the password reset function, where is the login function, how are passwords hashed, what happens. And pick a few of the weird patterns for the language or framework used, based on what you learned from collecting bugs. Let's say for example you're testing Ruby: well, in Ruby, in regular expressions, end of string and end of line are different, and it's a good pattern to look for in every single Ruby project you find. You'll spend hours in front of a computer, probably not the funniest thing, but make sure you like finding bugs, not the idea of finding bugs; those things are really different. You need to really enjoy

looking for bugs to get good at it, I guess. And learn by actually searching for bugs. A lot of people are like, oh, I want to get better at finding bugs, I want to get better at code review, I want to get better at hacking. Just spend some time doing it. Don't just read books, or read books, but don't only read books; spend time doing it. And remember as well, your goal is not necessarily... at the beginning, when you're starting to find bugs, try to just learn how to find bugs, learn how to read source code, learn to find weaknesses. So this weakness may not be exploitable, but at least you're learning

new things, and if you pile up weaknesses and weaknesses and weaknesses, one day you're going to find bugs, and one of the weaknesses will turn into a really good exploitable bug. So yeah, one thing I find really interesting, when you're talking to people and when you're looking for bugs, is how going deeper really matters. Let's say you have a signature mechanism. You have a few people who are just not going to look for anything, because there is a signature, it's signed, it's secure, right? Then they're going to look at it, you know. So when you go on, people are going to say, okay, should we look at what the data

looks like? Actually it's encrypted, it looks like a blob. Then people are going to give up there and just say, okay, nothing to see there. Then we're going to say, okay, you're going to keep going and say, oh, it's actually base64, it's serialized data, but it is signed, and people are going to say, right, signed, I'm giving up again. Where other people are going to look further: oh, the signature is using RSA, and people are just going to give up because RSA should be pretty okay, not many ways to mess it up unless you're going really wrong. But people are going to keep going: is the key strong? People are going to say, okay,

the key is strong, so I'm going to keep going, I'm going to keep going, or I'm going to just drop and say, okay, there's nothing. And then another person is like, oh, is the key stored in a secure place? Yes it is, no it's not, and people again are going to give up where other people are going to keep going, and then someone is going to work out that the key is shared between all instances of the application, and that happened recently. So yeah, this person at the bottom right will spend all that time looking for bugs, and that paid off for this person, where everyone gave up before that. And let's say, hypothetically,

you get a 30% drop rate, so at every step 30% of the people drop, which is probably really optimistic. So after the first one 30% drop; after the second one you have 49 percent of people left; 34; then 24; 16 percent; 11 percent. So that's just with 30 percent of people dropping and not going further than anyone else before. And if you move to a 50 percent drop, which is probably still pretty low, you see that only 1.5 percent of people will test for the last test case, because everyone will have given up before that. So that's why you really need to keep going, keep going, keep going, bang your head against the wall, to just go to that,

to just be in that 1.5 percent of people who are looking for bugs in a really deep way and find actual bugs. And yeah, because with that you can also learn from your collection: if you're reviewing this kind of code you say, okay, everyone got that step right and that step right, and I'm going to jump to see if the key is shared between multiple applications, because I know that the key is strong and the key is stored in a secure place, most people got it right, so I'm not going to spend too much time on that; I'm going to jump to the last step and I'm going to be much more successful at finding bugs. And that also has an impact on working as a team, or

automation: if you can automate steps one, two, three, you're going to have more time to do steps four, five, six, right? So you're going to find more bugs. And teams as well: when people work as a team you can see that people keep pushing each other; when someone starts finding bugs, everyone wants to find bugs, and people go deeper to find their own bug because everyone else in the team is finding bugs. So it's quite important to work as a team if you can, especially really early in your career. So yeah, just keep going to find more bugs, don't give up. Once you find bugs pretty regularly, what is

really good is to start to scale what you're doing. So an easy way to do it is just to run grep on all the repos you know. Grep is pretty basic, but still worth it, and it's very simple. You can look at more complex tools: Semgrep is pretty good, because it's really easy to write rules for it, so you can say, okay, I found this bug and maybe I can write a Semgrep rule for it to find this bug at scale. CodeQL is very similar, but writing rules is a bit more complex. Coccinelle, yes, if you wonder how you spell it, it's because it's French for ladybird, can be used as well for C code,

and Silvio uses it a lot. And what's really important: if you look at what code review tools are trying to sell you, aside from the ones here, it's "we've got this really smart software that will find bugs, and you've got humans validating them." But the way things should work is that you should have really smart humans finding bugs and then scaling their research to a lot of repositories to find all these bugs, and that's why I like Semgrep and CodeQL so much. But you need to be careful with unknown unknowns when you're searching at scale. When you're searching for bugs, that's why it's so important to not only grep for bugs, or only grep for bugs you don't

know: you need to read source code even if you don't think there are bugs in it, because you don't know what you don't know, and that's why you need to keep reading software and finding new bugs. Because you're reading source code that no one would have looked at, because there is no dangerous function, or there is not a well-known function that is potentially dangerous in that part of the application, but people are still doing silly things that can create vulnerabilities, and that allows you to learn new methods, new functions, new classes that can potentially create new vulnerabilities, and vulnerabilities that no one had looked at before. I think that was Azimuth looking to hire

some interns, and they were explaining that their way of finding bugs was more around understanding the software really, really, really well, as in better than anyone else, and finding bugs, not just grepping for these dangerous functions and finding bugs. So if you want to do what I guess some of the best are doing, you should probably read software even if there is no dangerous function in there. Sorry. So what makes a bug great, in my opinion? First, you want something that is a bit weird. You don't want, oh, we're not escaping a value, so you have a cross-site scripting; it's like something a bit weird, something like maybe a

framework weirdness, a language complexity. Complexity of exploitation also matters, because sometimes the bug is trivial but exploiting it is a whole other story, and that's why you need to look at both, because you're going to learn a lot about defense in depth: okay, this bug is exploitable because you've got this initial entry point, but you've got all these other things around it that could have been patched but are not patched, and that's why you can exploit it. No one found it before is already a good way to tell that, oh, it's a good bug, or at least no one disclosed it before, because when you find bugs you never know if you're the first one; you

may be the first one publishing it, but you never know if you're the first one finding it. Somehow a new pattern is interesting as well, and as well high visibility: when the bug impacts a lot of people it's always fun, and you get more reach with it. And as well, I should add, a quality bug is about whether the exploit fits into one tweet; otherwise I'm just not hacking, I'm trolling. So what do you do with your bug? So I'm a big believer in "your bug, your rules"; people who complain about people disclosing bugs the wrong way are often people who don't find bugs. So what you can do is responsible, or coordinated,

because responsible is pretty loaded as a term, disclosure. It feels good, it can be long and tedious, it can be a good way to gain exposure when you're looking for a job; it's not always the most fun thing to do, but it's pretty good most of the time. What you can do as well: there are other ways of reporting it, like reporting it to bug bounty programs, like you find one bug in Ruby on Rails and you attack all the bounty programs using Ruby on Rails before sending the patch to Rails. You can just send a patch to the project you found the bug in, or you can just hold it and wait for someone

else to find it, and you can even tweet a SHA-2 hash of the exploit, so five years later you can say, I had this bug for five years, I tweeted about it, and yeah, you look pretty snazzy when you do that. But yeah, so I thought I'd cover some of my favorite bugs. I unfortunately didn't find them; the insects look pretty good though. So the first one is a bug in Ruby on Rails. I was, however, the first one to publish an exploit, with Luke, for this bug. So it's an SQL injection in Ruby on Rails, and Rails is supposed to prevent SQL injection

by design, because we've got this ActiveRecord mapper, which is very solid, and at the time there was no public exploit available, and I did an exercise and a free course on it, if you want to learn, on pentesterlab.com. So the thing is that it was a plain SQL injection, but the problem is that the injection was when the application was trying to retrieve information from the table, and it was caching that information, so each query, each injection, had to be unique, and the exploitation was completely blind. So it's a really interesting bug to exploit because of the way you have to understand, okay, why is it working this way, why my

payload works once, but if I send the same payload I don't get the same result, because of the caching. Once you see it... but when you don't know that, it's really interesting, yeah, just a little puzzle to solve, I guess. Yeah, I really love that bug. Another one is CVE-2012-6081. So it was used to hack the Python and Debian wikis in 2012, and its exploitation is just brilliant, and again there is a free exercise and course on how to exploit it on PentesterLab. So it's a directory traversal in an upload, so it's really simple, right? You have a directory traversal when you upload your profile, and if you just look at the

first look, you're like, oh, it's something boring, like a boring bug, seen that before, I'm not going to look at that. But then you realize, like, Python and Debian, big projects, are using that wiki, so it's worth looking a bit deeper. And when you realize that the injection, where the directory traversal is, is in the file name extension, what happens from there is that the payload can only contain one dot, at the beginning, so anything after the extension needs... game over. So what you're going to do as well: the file is uploaded and it's tarred, so it's going to add a limit of max 100 bytes, to avoid, like, when you go to

the target, if it's under 100 bytes it's going to be fine, but if it's over 100 bytes it's going to add a long link inside the tar file, so you don't want that, right? And then, so the payload needs to be a valid MoinMoin plugin, so you need to write Python in less than 100 bytes, starting with "drawing", because that's the name of the file when it's renamed, and you can inject everything in your extension, but you can't have a dot in the injection, and you end up with this weird Python where I didn't even know you could use that syntax, right? Like that "drawing" if-else like that, like I

did too much Python in my life and I didn't know about that syntax. And that's what the exploit looks like: you need to have an exec function with the request, and so what you do is you print the value that you execute back in the return, and that's how you exploit it. But it's brilliant to be able to find this exploit; I didn't find it, someone else did. And then a really well-known one: goto fail. So it was a bug in iOS, in the iPhone stack, the TLS stack, so basically a TLS verification bypass when some specific algorithms were used. The interesting part is, first, that the algorithms were the ones used for forward

secrecy, so basically people who cared a lot about security and were doing the right thing by using forward secrecy were the ones impacted by this bug. But the other thing is that actually everyone was impacted, because you could write a malicious server, and if the client was accepting that cipher amongst a lot of other ciphers, it would use that cipher over the other ones, because you could say, as a server, "the only cipher I talk is this one" before proceeding. But the really interesting part as well was that this bug was bypassing public key pinning, because what you had to do is create a malicious server with the real

certificate, and the real certificate is actually the legitimate certificate chain, but you could use any private key. Since public key pinning relies on the certificate or the key, depending on the implementation, that was going through TLS pinning without generating any issue. So the most secure applications, relying on forward secrecy, relying on Diffie-Hellman, ECDHE, relying on public key pinning, were owned by this bug. And yeah, so it's really interesting to exploit. So let's get started: my advice to you is just try to pick one bug per month and study it, do it, go deep, do a test lab, write an exploit. Really simple, like literally it's going to take you two or three hours. I'm

convinced you will learn a tremendous amount about software security, and that's the kind of thing... What is not deliberate practice is reading an advisory, or reading someone tweeting about the latest F5 bug or the latest Citrix bug, or all these; that is not going to teach you much. But doing that deliberate practice, struggling to get things working, struggling to understand source code, really will get you to the next level of hacking. And then you can go talk at your local BSides or any conference, any small local conference, and you're going to get exposure if you're looking for a job. Just do that. But yeah, that's the best way to find a

job: if you can talk about bugs, show that you're really passionate, you're willing to get your hands dirty looking at source code, it's going to be a lot easier to find a job in security. And that's it for me. You can follow me on Twitter, @snyff, or PentesterLab, and yeah, that's it, thanks for your time.

Thanks very much, Louis, that's a great talk, it's very relatable for many of the things that you said in that talk. Actually there were questions on Slack, but Silvio kept answering them for you, he was like, I love this talk, this is my thing. But there was one question that I

took from Eleanor, who talked about, and you may have answered it at the end a little bit, but she said, so if you've got developer experience and you sort of know a little bit about security, some exposure, just as sort of a general practitioner of sort of IT, how should you get into the bug hunting world? You know, like I said, back to what you talked about at the end, deliberate practice and stuff like that.

I think so, yeah, and I think it depends on what your strategy is. You can either deep dive on a few bugs; like, if I were a software developer I would look at something really hard to build. One example is

OAuth: really hard to build, really hard to get right. So if I were a software developer, and I kind of am, I guess, what I would do is look at examples of bugs for that technology, look at SAML, look at OAuth, look at GWT; that's kind of what I'm doing already. And then, since you're a developer, you can write code, you can read code, so you should be able to say, okay, this is how things work, look at exploits written by other people, look at what they're doing, and then keep testing on bug bounty programs or source code and see, okay, this is

how it works. But what I would do is really spend time and narrow down what I'm going to look at, and pick something that security professionals will have trouble getting into, because it's actually hard to build, and that's where you're going to have an edge on everyone else, because you're a software developer, and that's where I would get started.

I like that, I think that's really good actually. I know, for example, even for fuzzing and stuff like that, getting harnesses and stuff like that, I mean, if you're a pentester you might not have dev experience, and you've got a real edge as an engineer that goes

into it. That's really insightful actually, what he just said. There was another question there from Pam on Slack. You mentioned, find a pattern and then look for it in other languages and other sources; she asks, are there any favorite sources for regex, Coccinelle, Semgrep examples, etcetera, for bug patterns?

So in Semgrep, we've got a project, like for Python, named Bandit, where they provide a lot of examples, and I think we've got an open source library with a lot of patterns to use to check for bugs. And yeah, CodeQL as well: the GitHub security team is doing an amazing job sharing the bugs

they found and how they found them with CodeQL, and all their work using CodeQL. So all these people are providing patterns of interesting bugs you should look at. And GitHub Security Lab, I think, also provides bounties for CodeQL queries that find bugs and stuff; it's pretty cool. Yeah, so I like CodeQL because I think it's a lot more powerful than Semgrep, but if I were to start I would probably look at Semgrep first, because it's just writing YAML, so the barrier to entry is a lot lower. The only thing I don't like about CodeQL is you have to build the

package to actually use it, whereas with Coccinelle and stuff like that you can just scan; it doesn't even have to be working C code. Oh, you mean Coccinelle? Oh sorry, yes. I heard someone say it correctly once and I said... I've worked with the author of it, and so I've been pronouncing it Coccinelle, is that correct? So, researchers to follow for well-presented write-ups, that's something someone asked me about recently. For write-ups, I would probably look at GitHub Security Lab; they like writing, doing write-ups, they're doing really good write-ups. ZDI is doing pretty good write-ups, but I think they're not always beginner-friendly. Well, Project Zero are doing really, really good write-ups. In the bug

bounty hunting scene, I think def para is doing really, really good write-ups of what he finds. Like, a lot of people, I'm going to forget a lot of people, but Elton has a really good blog with some good write-ups of things they do. So many people, like, yeah, yeah.

Yeah, great, great. So thank you very much. Have you got any more questions before we sort of close out? No? I think... but if you go into the Slack afterwards and let people ask directly, that would be great. And thank you, yeah, thank you very much for your talk, it's a fantastic talk. [Applause] You just say that to use your sound.

It was very relatable, sure, sure, and I think we did well, because last month by this time Silvio was sitting next to me sharing my
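The Ruby regular-expression point raised in the talk (in Ruby, ^ and $ match at line boundaries, while \A and \z anchor the whole string), as an added example that is not part of the transcript: a weak hostname check beside its hardened form, plus a grep-style scan that flags the /^...$/ pattern in constructed sample source. The function names and the sample source are assumptions.

```ruby
# Added example (not from the talk): Ruby's ^ and $ are line anchors, so a
# validation written with ^...$ still accepts "valid-looking line\n<more>".
# \A and \z anchor to the start and end of the whole string.

# Weak check: meant to accept only a simple hostname, but ^ and $ match at
# line boundaries in Ruby, so any multi-line value whose first line looks
# like a hostname passes.
def weak_hostname?(value)
  !!(value =~ /^[a-z0-9.-]+$/i)
end

# Hardened check: \A and \z anchor the whole string, so an embedded newline
# cannot carry extra content past the validation.
def strict_hostname?(value)
  !!(value =~ /\A[a-z0-9.-]+\z/i)
end

# Grep-style scan for the pattern across source text, the way one would look
# for it in every Ruby project: flags regex literals of the form /^...$/ that
# do not use \A. Returns [line_number, line] pairs. Heuristic, not a parser.
def find_line_anchored_regexes(source)
  source.each_line.with_index(1).select do |line, _n|
    line.match?(%r{/\^[^/]*\$/}) && !line.include?('\A')
  end.map { |line, n| [n, line.chomp] }
end

# Constructed sample source (hypothetical code, not from any real project).
# Only line 2 uses the per-line anchors; line 3 is the hardened form and
# line 4 has no trailing $ so the heuristic leaves it alone.
SAMPLE_SOURCE = <<~'RUBY'
  # constructed sample
  raise ArgumentError unless name =~ /^[a-z]+$/
  raise ArgumentError unless name =~ /\A[a-z]+\z/
  return nil unless path.match?(/^\/tmp/)
RUBY

if __FILE__ == $PROGRAM_NAME
  crafted = "example.com\nnot a hostname"
  puts "weak:   #{weak_hostname?(crafted)}"    # true
  puts "strict: #{strict_hostname?(crafted)}"  # false
  find_line_anchored_regexes(SAMPLE_SOURCE).each { |n, l| puts "line #{n}: #{l}" }
end
```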