
Bug Bounty Show

BSides Ahmedabad · 2022 · 10:36 · 913 views · Published 2023-02
Speakers
About this talk
Bug Bounty Show at BSides Ahmedabad 2022 feat. Arman Pathan
Transcript [en]

...uses Burp Suite to perform pentests, and how many people use Burp Suite to perform pentests? No one? All right. And what if I say that a hacker can hack you if you are using Burp Suite? While I was doing research, what I found is that I was able to intercept all the SSL traffic in plain text by performing a man-in-the-middle attack. So my title is "Attacking hackers by intercepting SSL traffic in clear text". Who am I? I'm Arman. Currently I'm working in a circus as a senior security engineer, I am a bounty hunter on HackerOne,

Synack and Bugcrowd as well, and it's been almost six years that I've been into bug bounties. I'm also a core researcher at Cobalt, and as you can see I love to travel and I love to explore the world. The agenda is: what is Burp Suite, intercepting HTTPS traffic in plain text using Burp Suite, what is an upstream proxy, the vulnerability in the upstream proxy, and then I'll be showing a demo of how I was able to exploit it. So let's talk about Burp Suite. Burp Suite is an integrated platform and graphical tool which is used to perform pentests of various

web applications and mobile applications as well. Burp Suite contains multiple tools such as the Proxy, the scanners (active scanner and passive scanner), Intruder, Repeater, Decoder and the upstream proxy, and each tool has its own different uses. Now, in order to use Burp Suite you have to install the CA certificate into your browser: you set up the proxy, download the certificate and install the CA certificate into your browser. Once you install the certificate into the browser, you will be able to see all the HTTPS traffic in plain text in your Burp Suite tool.

Right, now has anyone used the upstream proxy? Yeah, almost all back route use the upstream proxy, right? All right. So the upstream proxy is a proxy. Let's say we have intercepted traffic in Burp Suite. Burp Suite will send the request to the proxy, and that proxy will send that particular request to the server; the server will return the response to the proxy, and it will get forwarded to our machine. So the application is getting requests from the proxy. The upstream proxy settings allow you to use a proxy acting

between Burp Suite and your connection to the application and the internet. Setting up an upstream proxy: there is an option where you go to the upstream proxy settings and just add a proxy. You have to add your proxy server IP and port, and if you are using credentials then add the credentials, and there you go. Now if you browse the application, Burp Suite will send the request to the proxy and after that it will go to the application. This is how the upstream proxy works. As you can see in the screenshot, my original IP starts with

2.51.8, but I am browsing a website using the upstream proxy, and my server IP is 34.257... I cannot read it, but something like that. I am sending requests using an API which shows the IP address the request is coming from. I have just browsed my website, passing all the intercepted HTTP traffic through Burp Suite to the upstream proxy, and as you can see my website is showing that the traffic is coming from the

proxied IP. Now, once you get traffic into the interceptor, it will forward all the traffic to the upstream proxy, and what I figured out is that there is no SSL validation or SSL certificate implemented in between. So it is sending all the traffic in clear text, because what it thinks is: okay, the SSL certificate is installed in the browser and the request is legitimate, and it directly sends it to the upstream proxy. So where does the vulnerability come in? There is no SSL validation between the proxy

and the upstream proxy. As I have mentioned, there is no validation, so it will send all the traffic in clear text. Now what happens is that I am an attacker sitting on a network, and a pentester or maybe a tester is using Burp Suite. Whenever I am now doing a man-in-the-middle attack, what Burp thinks is that the proxy is sending traffic to the upstream proxy, but actually it is sending traffic to my IP, where I am using Wireshark or devoki or some tool to perform the man-in-the-middle attack.

So let's go with the demo. I'm using a tool to perform the man-in-the-middle attack. What it does is scan a particular gateway for how many IPs are connected to the router, and some stuff like that. From this I can get all the IPs of the machines which are connected to the device. Let's say I want to attack this particular IP, which is 172.20.10.4. I have added it as a target, and I want to decrypt

all the SSL traffic for the target. Okay.

So yes, this is VirtualBox, so there is no relation between my main machine and the virtual IP; it's just a bridged network, so both IPs are different, and I'm currently scanning that particular device. Let's say the victim is trying to log in to his Facebook account,

and here you go.

Here I can get the password and the email address of the user. I can intercept any of the traffic; it can be a bank account. And the funny part: let's say you have found an XSS or something like that on a banking site, you will not be able to steal the whole cookie, but if I am performing this attack I'll be able to steal the whole cookie. I can directly replace the cookie and I'll get direct access. So it is a bit critical, and trust me, I was able to steal lots of users' Facebook accounts and Twitter accounts.

Yeah, so that's it. Any questions? It's 1.7. After that they updated it: I reported it to them, and after that they released a version in which they started validating the traffic between the proxy and the upstream proxy. All right, thank you very much. [Applause] Thank you so much, Arman, for the wonderful session, it was insightful.
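The talk's point is that Burp's leg to the upstream proxy was not validated, so whoever an ARP spoofer makes answer on that leg can terminate TLS and read everything. The Python below is an added example, not Burp's code or the speaker's demo: it shows the HTTP CONNECT exchange a client performs with an upstream proxy and the difference between a TLS context that verifies the server certificate inside the tunnel and one that does not. The proxy reply and host names are constructed test data, and `simulate_connect` stands in for a real proxy with an in-process socket pair so it runs offline.

```python
import socket
import ssl


def build_connect_request(host, port, proxy_auth=None):
    """Return the HTTP CONNECT request a client sends to an upstream proxy to
    open a tunnel to host:port. proxy_auth is an optional, pre-encoded
    Proxy-Authorization header value (assumed format, e.g. 'Basic dXNlcjpwdw==')."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_connect_response(sock):
    """Read the proxy's CONNECT response headers and return (status, header_bytes).
    A compliant proxy sends nothing after the blank line until the client speaks,
    so reading up to the first CRLFCRLF does not swallow tunnel data."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    head = buf.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT response: {status_line!r}")
    return int(parts[1]), head


def tls_context(verify=True):
    """Client TLS context used *inside* the CONNECT tunnel.
    verify=True (the safe default) checks the chain against the system CAs and the
    hostname. verify=False reproduces the class of weakness the talk describes: any
    party that answers on the tunnel, e.g. an ARP spoofer posing as the proxy, can
    present its own certificate and read the traffic in clear text."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Small readable summary of the two settings that matter here."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def open_tunnel(proxy_sock, host, port, verify=True, proxy_auth=None):
    """Negotiate CONNECT over an already-connected proxy socket, then start TLS to
    `host` through the tunnel. Returns the TLS-wrapped socket."""
    proxy_sock.sendall(build_connect_request(host, port, proxy_auth))
    status, _ = read_connect_response(proxy_sock)
    if status != 200:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return tls_context(verify).wrap_socket(proxy_sock, server_hostname=host)


def simulate_connect(proxy_reply, host="example.com", port=443):
    """Offline stand-in for a proxy: a socketpair plays the wire and proxy_reply
    (constructed test data) is what the far end answers.
    Returns (bytes the client sent, parsed status code)."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(proxy_reply)
        client.sendall(build_connect_request(host, port))
        sent = proxy.recv(4096)
        status, _ = read_connect_response(client)
        return sent, status
    finally:
        client.close()
        proxy.close()


if __name__ == "__main__":
    sent, status = simulate_connect(b"HTTP/1.1 200 Connection established\r\n\r\n")
    print(sent.decode(), status)
    print("safe   :", describe_context(tls_context(True)))
    print("unsafe :", describe_context(tls_context(False)))
```

To use it against a real upstream proxy, connect a socket to the proxy address, pass it to `open_tunnel` with `verify=True`, and then read and write HTTP over the returned socket; if `wrap_socket` raises `ssl.SSLCertVerificationError`, something other than the intended server is answering inside the tunnel, which is exactly the condition the talk exploits when verification is absent.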