
Thank you for making it very concise, giving us something to learn and start learning from. So let me say a few words about our next speaker. He is popularly known as spaceraccoon, who hacks for good. He was one of the five selected from one million white hat hackers for the HackerOne Elite Hall of Fame. His research works are featured in conferences like Black Hat and DEF CON. It's a great pleasure for me to introduce the speaker for the closing note today, about trends in vulnerability research. Please help me welcome to the stage Eugene Lim.

Thank you. Hi everyone, we're almost at the end. Today I'm just going to give you the closing note for BSides Ahmedabad, so give yourselves a round of applause just for making it so far. We're almost there, and also thank you so much for coming. I know some of you have made journeys of 22 hours, and I've heard of more, like several days, but I really appreciate all of you coming out today. I was invited here to give you the closing note, so let's see if that's up. Okay, there we go. All right, cool.

So today I'm going to be talking about hackers shifting left too. You might have heard about this term, shifting left, because nowadays developers and organizations are aware of people trying to hack them, they're aware of the vulnerabilities in their code, and they have this new term called shifting left. One of the ironies, I think, in cyber security is that the more people improve their systems, the more defenses they build, the more creative hackers get, and some of the things that come out are just incredible. So I just want to talk a bit more about that. But before that, a quick introduction to myself: my name is Eugene and I come from Singapore. My hacker handle is spaceraccoon, so that's my blog; I have a Twitter and LinkedIn as well. Feel free to reach out if you have any questions after this talk.

So I just wanted to celebrate a lot of the great talks today. I tried to attend all of them, but I can't be in two places at once. We had really good talks at the drone hacking village, we had good talks at the panels, and of course from our main and bounty tracks as well. Those brought to mind some interesting thoughts I had about this closing note, and the biggest thought I had was community, because my journey in infosec really began with community. I got into infosec at the start of 2019, almost three years ago now, and what came up with that was that the Singapore government had a bug bounty program and they invited all the cyber security community members to join. Back then I didn't know anything about cyber security; I was just going to these talks, trying to learn about cyber security, a talk like this, and they just invited us to join. That's where I found my first bug, but it was a duplicate, so that was super frustrating. I went back to the board, I went to the Hacker101 CTF website as well as its community, which is a Discord channel, and back then they only had a couple hundred members; on any given day I think there were less than 100 active members. The last time I checked there were actually more than 10,000 members in the Hacker101 Discord today. So it's just amazing how much the community in both bug bounty and infosec has grown, internationally as well as in diversity.

This is a picture of me with some of the guys. You might know some of them; I think Stök is in there, yeah, Stök. He spoke two years ago at the first edition of BSides Ahmedabad, and this was the disturbance team. Really, I think this was how I felt very welcomed into the infosec community, and I hope that we can all give that back as well at these conferences.

As I mentioned, I started in infosec without much experience; I've only worked for about three and a half years so far. In 2019 I really started with the basics: IDOR, cross-site scripting, business logic, and I got my first bounty several months in, after my duplicate. That's what really motivated me to keep going, because we all like getting rewards, we all like having that rush of finding a real bug. In November 2019 I was able to attend the live hacking event h1-213, which was the live hacking event on the U.S. Air Force, the UK Ministry of Defence as well as Yahoo, and I was able to win the Most Valuable Hacker award. In March 2020, about a year later, I entered the global top 100. But that was back then, more than three years ago now, and these days I've started going into different kinds of vulnerabilities. I'm interested in native client vulnerabilities, Windows exploits, code review, and these things are more of what I do when I look at a bug bounty program today. These days I'm in the global top 40, but if you've been in the bug bounty scene for a while you notice that a lot of people spend maybe two or three years being super active on bug bounty, and then they get a job, they start a business, they have a family, and they get a bit less active. So for me, I don't really like to chase the reputation on the leaderboard anymore, but it's something that I'm still trying to work on in terms of developing my skills instead.

I think in the same way that the bug bounty community and I personally have changed in terms of approach, a lot of the developers and the rest of the hackers you see nowadays have changed their approach. In infosec there are a lot of trendy topics, like supply chain, SAST, CI/CD, and the same thing happens with the hackers as well: you see that they're using a lot more automation, they're doing stuff like dependency confusion, they're adding more fuzzing, people are going into zero-day hunting. We see a lot of movement in the bug bounty community towards higher-value exploits, more impactful bugs, as well as more scale, because now they're scanning the internet 24/7.

So that brings me to my main topic for today's closing note, which is shifting left. Shifting left is an idea that companies and a lot of developers have, in DevSecOps and all kinds of paradigms, that they need to shift earlier in the software development cycle. When you think of an application, when it goes out into the world, it's pushed to production, people hack it, and that's not a sustainable way of doing security. So what organizations and developers are doing these days is adding a lot of these checks earlier on in your supply chain. Before you even submit code to production, whenever you commit some code to your repository, it's going to be automatically scanned for vulnerabilities. I think we saw some great products being demonstrated today about static code scans; it's going to be fast, there's also going to be some dynamic analysis, and further down you're also going to have things like protection of your secrets, they're going to be adding some kind of verifications. These are all things that are happening earlier in the product cycle, so in the ideal case that should stop a lot of vulnerabilities before they come out into the wild.

So I'm just going to pause for a second and think about a quote from, well, it's not really an infosec book, it's more like a fictional book: what is a history teacher? Someone who teaches past mistakes. I think the interesting thing is that whenever you get a newfangled technology, whether it's web3 or DevSecOps, CI/CD, stuff like that, we see the same things happening over and over again. When you think of CI/CD, a lot of people use things like GitHub Actions or GitLab pipelines to run these tests, so whenever you commit code to your repository it's going to run all of these checks. And what we see here is that even simple stuff like command injections are very common in CI/CD; we see exploits happening across even big companies and organizations like Google, Apache and other open source projects. So this is hackers hacking shift-left technology, not even hacking other parts of the stack.

Meanwhile, hackers are using the same tools to automate their workflows. On the static side of things we've seen great work with CloudSEK and with some of the tools that have been used for code scanning; they're basically running a lot of these static code analysis tools across the entire open source web, or they're obtaining code either through decompiling applications or through the JavaScript code of websites, and then they're also running their scanners on these. On the other hand, with dynamic analysis we've seen again, with Nuclei, with Burp Scanner as well as other tools, that hackers are also automating. So even as you're building these things for developers and organizations to secure their own stack, hackers are also using these tools, and that's becoming more of an issue.

One significant development in recent years with regards to scanners is fuzzy scanners. I think the CloudSEK guys mentioned smart fuzzing; maybe this is a variation of that, which is fuzzy scanners. PortSwigger is really one of the big organizations that went big into this, where they developed the Backslash Powered Scanner. What this is, basically, is that instead of just doing a simple signature-based scan, where you have maybe a Nuclei template, you send a past vulnerability and you try to catch a past vulnerability, what you're doing instead is fuzzing a little bit: you're sending strange input, you're sending maybe backslashes or new lines. You're not just looking for a specific vulnerability, you're looking for what appears to be a vulnerability. One interesting thing about this is that it's really difficult to do this kind of fuzzy scanning, because firstly it's going to take a lot of memory. I'm not sure if you've run Backslash Powered Scanner on your website; have any of you used Backslash Powered Scanner before? Yeah, I see a few hands. It takes several gigs of memory, I think, and it only gets worse the more you explore an application. Another challenge with this is that it only looks for injection-based vulnerabilities, so it's going to inject into parameters, it's going to try to maybe cause a crash or some interesting behaviour, but it doesn't look for, well, sometimes it does, but it doesn't look for a whole host of other bugs. It might be misconfigurations; you might look for, for example, business logic, authorization, authentication. That takes a little more fuzzing to get to; it requires state-based fuzzing, which is a whole other challenge that I'm not going to go into today. But what we've seen, basically, is that hackers are being more aware of the need to both fuzz as well as to scan at scale, and this has led to the rise of fuzzy scanners. One of my observations here is that in the long run, from what we have seen today as well as all over at infosec conferences and on Twitter, the sharing that we have, we're going to see a movement towards a combination of both the static and dynamic sides of scanning. People are going to do instrumentation, they're going to do a lot more, even smarter, fuzzing and scanning at scale, and this is something that we have to look out for, especially as we move towards more open source projects and web3.

So when we think about secure by default, when we think about shifting left, one of the biggest solutions that they have is secure-by-default frameworks. Instead of building your own Express application over and over again, why not use a popular application framework like Next.js, you can even use Rails, and the advantage of these frameworks is that you don't have to reinvent the wheel again. Developers can rely on the fact that they can maybe declare an API, they can look at how they want to define the API, and it's just going to be pushed to the web; it's not going to be doing a lot of the actual handling of the request data, it's just going to do exactly what you do. We also see that with, for example, Lambda. You're going to see with a lot of these cloud serverless applications that they encapsulate your business logic in very few lines of code, so you reduce the amount of attack surface that you can actually cause problems with. But hackers love hacking frameworks as well. You might have seen this really good post by Sam Curry about exploiting web3's hidden attack surface: universal XSS in one of the Next.js libraries. So one thing I've observed when I was working on, say, mobile applications, I've seen the rise of React Native for example, and a lot of these frameworks remove simple vulnerabilities such as XSS, because you're going to find it really hard to find an XSS in React these days. So instead, I think hackers have been very clever, they've been very smart, they're starting to up their game and they're moving towards the frameworks; they're attacking the frameworks directly. I think we might have seen something earlier this week with the Akamai web one. But the Next.js library vulnerabilities are, I think, an excellent example of how, by simply targeting the pyramid of the supply chain, attackers can then exploit hundreds of millions of websites all at once. This shows that hackers are shifting left in their hacking: they're starting to think not just at the application code level, they're moving up into the framework level, they're starting to exploit even higher up this chain. So this is something that you need to think about as well, because as companies are securing their code through secure-by-default frameworks and all kinds of DevSecOps tools, you're not going to find the typical vulnerabilities anymore, and you're going to have to move up this chain. I think Shubs is an excellent example as well, as one of these hackers; I think Yasin mentioned him as a zero-day hunter. One of the biggest trends I've observed in the bug bounty space is more hunters going into the zero-day space, and I think there's a whole discussion to be had about the ethics of using zero-days for bounties, but it's not for today; we can argue about it on Twitter, and I'm not going to argue if you're on Twitter.

The second thing is: how secure are your controlled supply chains? Another trend in shift-left security is that they're going to use things like SBOMs, which is basically a software bill of materials, where companies run software that immediately catalogs all their dependencies, all the software, the commercial software they're using, so that you can easily check if there are known vulnerabilities for that. You might have encountered this when you ran npm install on your application, and once you installed it they said, oh, your application has zero known audit vulnerabilities. This is an example of shifting left, because instead of waiting for you to push your application with the vulnerable dependency to production, to the web, what's going to happen is that the software is going to tell you, hey, wait, before you deploy, it's actually vulnerable, there's a CVE for that. You have seen that maybe in GitHub, when you have a project and Dependabot tells you, hey, your dependency is vulnerable. This is all part of shift-left security, and I think that has done a lot of good in securing a lot of the applications that we have out there. But we've got to think about, okay, how are hackers exploiting this? So, yeah, you guys probably know about dependency confusion, but Alex has done, again, excellent work in supply chain, in dependency confusion, in how they're exploiting the use of all these package managers, a lot of these tools that supposedly secure your pipeline, because they're going to make sure that you're on the most updated version of your code. That's exactly how supply chain dependency confusion works, because it pushes what's supposedly the next highest version, and because your software wants to be the most updated, the most secure, it's going to automatically update you sometimes, or when you install it's automatically going to select the latest version. That's how hackers have also shifted left: you might be thinking that you're on the latest version, but hackers are the latest version. That's one way that we are moving left as well.

And now we think about how secure our sandboxed programming languages are. One of the apexes of secure coding by default, of shift-left security, is that once you start from, say, the CI/CD static code analysis, you move up to secure frameworks, you build your own secure frameworks, and you move up to what's supposedly the holy grail: you have secure programming languages. We see that a lot with, say, Rust; we see that a lot even with sandboxed programming languages. And I have to say that there's no target that hackers won't hack. I'm not an expert on this, but I've seen a lot of sharing on stuff where people are hacking programming languages themselves, finding, say, memory corruption bugs, or they're looking at the standard libraries of these programming languages. If you look at the source code of Go, and you should, you'll notice that some of it just looks a little funky, because they want support for all kinds of things. Recently I wrote a capture-the-flag challenge that looked into the extended standard library of Golang, which is a web dev library, and thought about how you could exploit that if it's used blindly. This is something that you need to think about as well, because when you look at an application, you think, okay, maybe I just want to hack the application, but what if I don't just hack the application, I move up further in the chain? I've seen some amazing work, for example in fuzzing Java, breaking out of the sandbox, doing memory corruption; with Solidity you can also do some memory corruption as it compiles the code and translates that. The important thing to think of here is how hackers are also moving up this chain.

With these three examples, I think it's safe to conclude that hackers don't just shift left, they take the path of least resistance. Companies are getting really good at securing the code at the software level, the application level; they have lots of code reviews, they have static analysis tools, they have secure frameworks. But when you make that more secure, hackers are just going to go somewhere else. And where's that somewhere else? I think at this current moment a lot of hackers are looking at third-party libraries, third-party libraries or the frameworks that people are using, so CMSes are very popular. They're also looking at the frameworks, as we've seen with the Next.js libraries, and this is where hackers are at; I think a big number of hackers are also looking at supply chain, so they are basically poisoning the supply chain through dependency confusion, or they're also looking at maybe dangling packages. But basically what I've seen as well is a trend of the bug bounty community not just looking at software anymore, but also looking at the rest of the supply chain. So this is a trend that we all have to be aware of, because as a hacker you're going to be competing with people who are further up the chain. You might be finding day-to-day application logic vulnerabilities, you might be finding misconfigurations, but in the long run companies are trying to solve these problems fundamentally. If you've hacked at some of the more advanced programs, for example from Big Tech, you will also notice that they learn from their mistakes; they never make the same mistake twice, which is really frustrating as a bug bounty hunter but also very impressive from a technical standpoint. So whenever we see stuff coming out, with every new write-up, with every new exploit, we saw today for example some discussion about how AWS has shifted from IMDSv1 to v2; there's an example of Big Tech solving problems at the fundamental level, and we're no longer going to be able to exploit the same chain. As hackers we're going to have to move up the chain or we're going to have to find something else.

So this brings the question: as a hacker, how do I shift left? I've left this a little open-ended, but I can talk to my experiences, and we can also do some questions as well. For me personally I have two strategies. My first strategy as a hacker is that I try to learn other domains. Maybe web is getting hard, everyone's using React, I can't find an XSS; or maybe mobile applications, APKs, are being hardened because all of these companies run Android manifest scans before they deploy to the cloud, so you'll never see, for example, an unauthenticated Firebase anymore; you're not going to find those very often. But maybe the CloudSEK guys might beg to differ; they might have found a lot of them. I haven't scanned a million applications, so that would be cool. What I do in that situation, as a hacker, when you find yourself plateauing, when you find yourself thinking, oh, I'm just doing the same thing over and over again, I'm not really improving, I'm not finding these awesome killer bugs that we have talked about today, one way I've done it is by shifting to other domains. When I first started out in bug bounty I started out in web, but then I shifted to mobile, and now I'm shifting to native, and I don't know where I'll shift to next, but I'll keep shifting. So for you as a hacker, you've got to keep looking at other domains. Don't just stick to web; explore other platforms, other frameworks, as well as other ways of hacking. That's a way to move laterally within hacking.

The second strategy that I use is: just don't play the hacking game. Learn non-hacking skills. What do I mean by that? For example, I think one of the curses of bug bounty is that when you first start learning bug bounty you're really motivated, because you want your first bug, you want to start making money, you want to do well in the bug bounty community, so you learn a lot. Then once you start getting bounties, once you've reached a certain level where you're able to consistently get bugs, it's very hard to stop. You're like, oh man, I should really learn this web3 thing, or I should really learn this dependency confusion thing, or I could look at this new challenge that's starting tonight at 12 a.m. and I could hack for the rest of the week and try to find bugs. That's a consistent problem I've faced as a hacker, where my time is extremely limited, but I don't have the time to learn more; I just think, oh, maybe I should hack. But that's a great way to stay in the same place, to plateau at your level of skill and keep finding the same bugs over and over again. Sometimes you really have to put a hard stop to yourself and say, all right, I'm not going to hack, I'm going to do something else, and you might be surprised at how effective this makes you as a hacker. For me personally, at some point, I think after getting into the global top 100, I told myself, okay, that's the milestone I've reached, and it's time for me to learn something else. That's when I went, for example, into machine learning, I went into reverse engineering, malware reverse engineering, different areas that are not hacking per se; they might be cyber security related, they might be tech related, but they're not hacking. When I came back to web hacking I actually realized I could do so much more, because instead of just looking at a web application through Burp, I could now maybe see if they have any open source code, or even if they have a native library from the Android application, I could reverse engineer that and see what I could do with it. So when it comes to hacking, I think a lot of bug bounty hunters as well as researchers are hyper-focused on finding a bug, and sometimes taking a walk or going out might solve the problem, but sometimes you might need a completely different domain of knowledge altogether. One of the most consistent patterns I've seen at live hacking events is that you have a complete newcomer come in and absolutely destroy the competition. Everyone's like, oh, I've done this for one, two years, this is my 20th live hacking event, and you have a complete newbie come in, well, not a newbie, because they're going to find the most crazy bugs. The main point of this is that they come from completely different skill sets, different perspectives, and are able to see in a way that you don't, because hacking is all about finding that missing piece of the puzzle that only you know. I've seen people, you might have seen some of these interviews as well, come in with marketing experience, or maybe they're even doctors; I think risk is a famous one, one of the famous guys who's a fireman, I think, and they're able to immediately do very well in the bug bounty community because they have all these different perspectives that they bring into their work. Another way that you can do this, and I think it's been hammered over and over again, is that you can collaborate with other people. But at the end of the day, I think it's really important that when you hit a plateau, when you feel like you've hit a certain ceiling in terms of your skills, it's time to do something else. You could maybe do more coding; for example, I picked up Golang and Rust and did a bunch of cryptography challenges, and that made me better at finding cryptography bugs as well. But all these things are just part of this central challenge: how do you do hacking differently?

So these are the two strategies that I've discussed today, and kind of the learning journey I had over the past two years. As I mentioned, I'm really new to cyber security, but this is how I started. I started with web, and maybe I was pretty good at code review because I came from a web development background and I was able to understand DOM XSS better. I think XSS is one of those tricky little subjects that we think is really easy to teach but is actually really difficult for a beginner to learn. I've done courses where it's like, oh, intro to hacking, and I try to teach XSS, but then you realize that in order to learn XSS you've got to learn HTML, you've got to learn JavaScript, you've got to understand what that JavaScript does with your APIs, whereas it might be much easier to teach info disclosure, for example. But because I came from a web development background I was able to pick this up a lot more easily. After web I went into mobile, so I explored maybe iOS, doing simple pulling of iOS files and looking for secrets and looking for low-hanging fruit, but I didn't get very far, because when it comes to iOS you're going to hit reverse engineering at some point. You're going to look at this huge compiled binary and it's going to be very scary and you don't know what to do with it; you can run strings on it, yeah, okay, and then what's next? So I hit a plateau with that, and afterwards I went into development. I looked at, for example, machine learning, I did the IBM Quantum Computing summer school, I did Rust and Golang programming, and that helped me be a little better with my scripting, but it also helped me understand where developers are building the code and how they're making their mistakes. Then next I went to reverse engineering, and this is a whole other rabbit hole. I think more bug bounty hunters should learn reverse engineering. It's another skill set that's really difficult to teach, mainly because there are very few good offensive reverse engineering courses out there. So my recommendation to you is that instead of trying to learn offensive reverse engineering, how do you reverse engineer an application and find vulnerabilities in it, I recommend you pick up an adjacent skill, which is malware reverse engineering. The cool thing about malware reverse engineering is that malware developers try to hide from you; they try to obfuscate their code, they make the decompiled code really difficult to interpret, and so when you do malware reverse engineering you jump several levels in this journey, because you're going to learn how to de-obfuscate code, you're going to maybe learn how to deal with assembly code. I hope you don't have to, but most times you do. One of the things I did as well was the Flare-On challenge. Flare-On just started; if you're not aware of what Flare-On is, it's basically a malware reverse engineering competition of sorts. You're given 10 levels, they give you a binary to reverse engineer, you get the flag, and you get maybe a coin at the end of it. So I recommend that if you want to start, you can start on Flare-On today; I think it's going to launch really soon or it has launched already. As well, I got comfortable with assembly because I was working on binary exploitation, and that moved to the next level where I was moving on to native exploits, working on Windows userland memory corruption vulnerabilities, where I finally got to know what return-oriented programming is.

So this is all to say that maybe if I had only stuck to web I would have been doing okay; I'd be finding the same bugs, it would be fairly consistent, but I don't think that would have made me a better hacker. I think what makes us better hackers today is really shifting left, learning to deal with all these changes in vulnerabilities. I think one of the questions that came up to me when I was talking to you guys was, how do you keep up in infosec, because there's always something new? Well, if there's always something new, then learn something new. There's never going to be a piece of code that's going to be secure forever or insecure forever, because companies are going to look at that and be like, there's no reason why we should keep repeating the same mistake, and they're going to build tools to secure that at scale. So you as a hacker should learn how to exploit things at scale: move up the chain and shift left in your hacking.

I think one of the most important things here is how important it is to share. I was really inspired by all the talks today, really fantastic talks, because of how much hackers were willing to go into their bugs in detail and share. Right, we're saying, I think you shared some really amazing bugs, your talk on steroids, yeah, and that's just the kind of thing that makes you think, oh, I should have done that. So for you, whether you're starting out, whether you've been here for several years, whether you're a veteran, one of the most important things for me as a beginner, because it's still new to me, having been in the industry only for three years, was how important it was to learn from all these articles, even if they're very short, maybe kind of crappy Medium articles that say, oh, I got this awesome bounty and this is how I did it. Never underestimate how important that is for beginners and how much that will feed back to you. I think a lot of what we've seen in the bug bounty community is the development of new strategies and new tools that emerge really from sharing. So when the desync attacks came out, HTTP smuggling, we saw new bug bounty hunters rise up just on the basis of finding HTTP smuggling bugs, and this is a trend you're going to see: people entering just because you shared something. I think it's important to just keep sharing, keep caring, and also be kind. I think one of the benefits, or at least one of the good cultural aspects, of the infosec community is that people really try to be kind online. So let's keep being kind, let's keep sharing, and let's keep this spirit going in the infosec community. All of you play a part. Thank you. [Applause]

So that brings me back to the original point of my closing note today. I was asked to give a closing note, not a technical talk, and I was kind of intimidated by that, because most of the time I give very technical talks. But that brings me to the first point I made today, which is that I started from community, and all of you are part of this community, and one of the most important things about community is the builders of community. So I really want to give a huge thanks to the organizing committee, Nix and the rest of the BSides Ahmedabad team; let's give them a round of applause for making this happen. Like I said, how I first started in bug bounty was that the government in Singapore had a bug bounty program, but how they were able to get to me was that they shared this invite; they told the local community leaders, hey, who is interested in hacking, share this invite with them. If I was not part of this community, if this community was not created by our builders, our community builders, our community makers, it would never have happened; I would never have entered infosec. That's what I love about this industry. Twitter can get a little toxic at times, but we try, and we try to keep ourselves open. We understand that anyone could come from anywhere and just absolutely destroy a hacking program. You might see people who might learn the bad way of doing things, and we try to keep them on a good path. But that's all what we are here for today: we're here to learn from each other, we're here to build with each other, and in the end we're going to break things with each other. So keep hacking, keep breaking, and build a community. Thank you.
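As an added defensive example, not part of the talk above, here is a small Python check for the dependency confusion scenario the speaker describes: a package manager that quietly prefers the "latest" version of a package, even when that version lives on the public registry rather than the organisation's private one. The check reads an npm package-lock.json and flags every package that follows the organisation's internal naming convention but is not pinned to the private registry in the lockfile (either because it resolved from the public registry or because no resolved URL was recorded). The scope @acme, the name prefix acme-internal-, the registry host npm.internal.example and the sample lockfile are all constructed for this example and do not refer to any real project.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (npm lockfileVersion 2 layout). The
# package names, versions and registry hosts are made up for this example.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {"@acme/auth-utils": "^2.0.0", "left-pad": "^1.3.0"},
        },
        # Internal package correctly pinned to the private registry.
        "node_modules/@acme/auth-utils": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme/auth-utils/-/auth-utils-2.1.0.tgz",
        },
        # Internal-looking package that resolved from the public registry with
        # a suspiciously high version: the dependency confusion pattern.
        "node_modules/@acme/billing-client": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/billing-client/-/billing-client-99.0.0.tgz",
        },
        # Ordinary public package; not internal, so not a finding.
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        # Internal-looking package with no resolved URL recorded at all, so the
        # lockfile does not actually pin where it comes from.
        "node_modules/acme-internal-logger": {
            "version": "3.0.0",
        },
    },
})

# Naming conventions this hypothetical organisation uses for internal packages.
PRIVATE_SCOPES = ("@acme",)
PRIVATE_NAME_PREFIXES = ("acme-internal-",)
# Host of the private registry that internal packages must be fetched from.
PRIVATE_REGISTRY_HOST = "npm.internal.example"


def package_name_from_path(path):
    """Turn a lockfile path such as 'node_modules/foo/node_modules/@s/bar'
    into the package name '@s/bar' (nested installs keep only the last name)."""
    return path.rsplit("node_modules/", 1)[-1]


def is_private_name(name):
    """True if the package name follows one of the internal naming conventions."""
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    return scope in PRIVATE_SCOPES or name.startswith(PRIVATE_NAME_PREFIXES)


def find_confusable(lock_json_text):
    """Return sorted (name, version, reason) tuples for every internal-looking
    package whose lockfile entry does not pin it to the private registry."""
    lock = json.loads(lock_json_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name_from_path(path)
        if not is_private_name(name):
            continue
        version = entry.get("version", "?")
        resolved = entry.get("resolved")
        if resolved is None:
            findings.append((name, version, "no resolved URL in lockfile"))
            continue
        host = urlparse(resolved).hostname or ""
        if host != PRIVATE_REGISTRY_HOST:
            findings.append((name, version,
                             f"resolved from {host}, expected {PRIVATE_REGISTRY_HOST}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, version, reason in find_confusable(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run against the sample, the check reports @acme/billing-client (resolved from registry.npmjs.org) and acme-internal-logger (no resolved URL), and stays quiet about the correctly pinned @acme/auth-utils and the public left-pad. A check like this belongs in the same CI pipeline the talk describes, next to npm audit; the complementary configuration fix is to bind the internal scope to the private registry in .npmrc (for npm, a line of the form `@acme:registry=https://npm.internal.example/`), so that the package manager never consults the public registry for that scope in the first place.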