David Sopas – Web Security Researcher

Tips and Tricks

12/10/15 Bug Bounty , Tips and Tricks # , ,

Free online tools to help your #bugbounty

Free online tools to help your #bugbounty

I’m getting a few emails asking some tips on how to get some bounties. Because I like to help others and I’m a share knowledge believer 🙂 I wrote this small article about using the right online tools and earn some bucks on bounty programs.

Most experience bug hunters already know most of this tools but this is mostly for starters.

SSL validation
URL: https://www.ssllabs.com/ssltest/

Qualys provides a free online tool that runs a complete test on a target SSL. Heartbleed, OpenSSL CCS vuln, BEAST, POODLE, etc all of these are covered in this online test.

Missing SPF? Let’s test it…
URL: http://www.kitterman.com/spf/validate.html

These tools are meant to help you check SPF records on your target. For many bug bounties participants this is one of the first things to try. Usually get’s the minimum payout if in-scope. On HackerOne, Shopify already paid $500 on this missing email security header – https://hackerone.com/reports/54779

Test X-FRAME-Options
URL: http://savanttools.com/test-frame

This tool is useful for detecting sites that use the X-FRAME-OPTIONS header to block framing, or use frame-breaking / frame-busting Javascript. Clickjacking attacks can be achieved with the help of this tool.

Find subdomains of a domain
URL: https://pentest-tools.com/information-gathering/find-subdomains-of-domain

pentest-tools.com offers 40 credits every day to a user for free and using this information gathering information on the subdomains will take you 20 credits so you can use it twice a day. This is very usefull to find other domain targets.

Online fuzzer
URL: https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files

With only 10 credits [you have 40 credits every day] this online URL Fuzzer can be used to find hidden files and directories on a web server.
This is a discovery activity which allows you to discover resources that were not meant to be publicly accessible (ex. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc).
With a file/direcotry fuzzer you can always find interesting stuff. I already found a couple of phpinfo.php files on major companies and got few bounties with them.

Using Drupal?
URL: https://hackertarget.com/drupal-security-scan/

With this online you get a overview of the Drupal version used, template name, if directory indexing is enabled, etc. Some of this information you could use to run further tests and determine if you can get someting vulnerable from the Drupal instalation.

Using WordPress?
URL: https://hackertarget.com/wordpress-security-scan/

I’m a big fan of wp-scan but if you need a free online tool HackerTarget will do a good job for you.
This tool will check the version of WordPress, check directory indexing, list plugins [and if new updates are available], user enumeration, etc. With this information you can check for vulnerable plugins and provide a good report about that.

Using Joomla?
URL: https://hackertarget.com/joomla-security-scan/

Like the previous tools this one also checks for Joomla instalattions information. Take a look into the plugins/components. Usually there are something to look for. Compare versions and Google for changelogs about vulnerabilities. Very often in the changelog the vulnerability is not public but if it says CSRF on options-windows.php. Just try to download that version and audit it yourself. I’ll do that 🙂

Target store using Magento?
URL: https://www.magereport.com/

Scan your targets Magento shop for known security vulnerabilities. This is a very useful tool that can get a few vulnerabilities in your bounty quest.

I would like to add that there are better tools that could be installed on your operating system but that could be on another article 🙂

Tip 1: Always read carefully the bounty program details to check what’s in-scope. Always respect the rules.
Tip 2: Don’t forget also to read my article. Don’t copy paste your online results on the report and voila!

3 responses
08/10/15 Bug Bounty , Tips and Tricks # , , , ,

A tip for bug hunters – Sell your service

A tip for bug hunters – Sell your service

As a bug hunter at Cobalt, HackerOne and BugCrowd I always try do my best to give programs the best information needed to understand the security report.
Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like:

You guys don’t have SPF header on your mail server.
Check it online here: …

If I was the program manager I would categorize this like “WTF” bug or something. Not for the vulnerability itself but because the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and you know what you are talking about. Treat the program like your client.
Sometimes this make the difference between earning kudos and earning money.

Elaborate the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions for their problem.

Hey this is just a small tip… Hope it makes difference on your future reports!

one response
25/09/15 Interesting Readings , Tips and Tricks # , , , , ,

Yahoo! and other sites vulnerable to Open Redirect

Yahoo! and other sites vulnerable to Open Redirect

A couple of portuguese security researchers published a article about a vulnerability on Linkedin and Yahoo! that allows a malicious user to redirect victims to other sites. The problem is/was located on a vulnerable version of Express – Node.js web application framework.

So with a simple modification in the URL you get a Open Redirect attack:

https://touch.www.linkedin.com////www.google.com/%2e%2e

http://developer.yahoo.com////www.google.com/%2e%2e

http://publish.yahoo.com//www.google.com/%2e%2e

Both Yahoo! attacks are still open to attack and working in Firefox and Opera browsers.

I found out that many other sites are vulnerable to this attack including MySpace. Just searching on the official ExpressJS site you can get a list of big companies and start-ups vulnerable to this attack – http://expressjs.com/resources/applications.html

This is a easy fix – just update your Express Framework and you’re done!

one response
04/08/15 Tips and Tricks # ,

No parenteses allowed? location.hash is here

No parenteses allowed? location.hash is here

I come across a web application in a bounty private program that reflected my var – xss – with the following code:

var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); }
catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);

So what I tried next was to put a XSS vector in place:

</pre>
<pre>vuln-site/?t=xss;alert(1);//</pre>
<pre>

Which reflected:

var _s_tab = xss;alert1;//;

So it removed the () chars… I thought to myself – A Challenge!

My next step was to try something that I already used in a previous research.
Use location.hash and then execute my attack.

vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>

The other good thing about this type of attack is that the payload is in part of the url hash and is therefore never sent to the server. (no servers logs of actual attack payload)

no responses
04/08/15 Tips and Tricks # ,

Tiny XSS vector

I needed a small XSS vector that could fit in a 10 char limit variable in a limit 10 char on a private client to show him that limiting chars on a variable is not secure…

central.push({ 'var1': 'INJECT_HERE' });

So after some attempts I was unable to find one so I called for help 🙂

@soaj1664ashar 10 char fun: ‘-open()-‘

Making a valid Javascript:

central.push({ 'var1': ''-open()-'' });

This XSS vector only opens a new tab/window but in my clients case it was stored in a cookie so it was a pain in the ass to close a window each time he navigated in his web application.

Nice catch!

no responses