Automating Application Security Bug Hunting

Automating Application Security Bug Hunting presents 3 keys for better automation: 1) using a broad array of sources to gather information from many different places; 2) organizing information with an ontology that establishes relationships between entities; 3) implementing recursion to repeat tasks and dig deeper into areas of interest. The aim is to improve security coverage and visibility through more effective automation.


Automating Application Security Bug Hunting
Improving coverage with better automation

@JCRAN
Information Security Professional?
Research: @KennaSecurity
Janitor: @intrigueio
Previously: @bugcrowd, @rapid7

@JGAMBLIN
Information Security Rank Amateur
Principal Security Engineer: @KennaSecurity
Jerrygamblin.com
Internal.dev
Questionable.dev (Coming Soon!)
When you think of web application automation…
There are many great extensions…
ActiveScan++

And If You Want To Dig Into More...

● https://portswigger.net/bappstore

● http://offsecbyautomation.com/Worthwhile-BurpSuite-Plugins/

● https://securityonline.info/top-8-burp-suite-extensions-burpsuite-web-app-pentest/

● https://github.com/snoopysecurity/awesome-burp-extensions
● Exploitable Legacy Systems
● Shadow IT Services
● Exposed Web Vulnerabilities
● Leaked Secrets & Accounts
● Misconfigured Services
● Unauthenticated Databases
Many High Quality Sources And Tools

Sources: Forward DNS, Reverse DNS, Search Engines, Certificate Transparency, Archive.org, RIRs (ARIN, RIPE, etc), BGP, Bing, Security Trails, Censys, Clearbit, Binary Edge, CommonCrawl, SHODAN, EDGAR, Project Sonar, OpenCorporates, Parsing PDFs, CRT.sh, PublicWWW, Cymon, Passive DNS, CyberCrimeTracker, BuiltWith, FullContact, Historical WHOIS, Dehashed, SpyOnWeb, HIBP, VirusTotal, Google, Robtex, Whoisology, DNSDumpster, WhoisXMLAPI, Xforce Exchange, Alienvault, AbuseIPDB, Circl.lu

Tools: Smbmap, masscan, XRay, anubis, Scanless, bluto, Racoon, censys-subdomain-finder, DataSploit, DMitry, amass, dnscan, fierce, dnsenum.pl, Aquatone, dnsrecon, Sublis3r, Domain analyzer, nmap, DomainRecon, Dnsrecon, gobuster, Altdns, Knockpy, Sublist3r, ldns-walk, subquest, massdns, SubScraper, nsec3walker, xray, recon-ng, Lazyrecon, subbrute, SubFinder
Bug bounties provide an important safety net!
So what’s missing?!?
Inherent Complexity.
Missing fundamentals.
Better automation can help improve coverage and visibility.
3 Keys For Better Automation **

● Broad Array of Sources
● An Ontology
● Recursion

** Coverage-focused Automation
Tasks provide a Broad Array of Sources
Entities provide An Ontology
Machines provide Recursion
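As an added example (not Intrigue Core's own code), here is a toy Ruby model of the three keys: tasks act as sources, a small typed entity ontology links each finding to the entity it came from, and a machine recurses over newly found entities. The "sources" and hostnames are constructed in-memory data, and the dedup, scope and depth controls are the caveat a coverage-focused engine needs so recursion terminates and stays inside the authorized scope.

```ruby
require 'set'

# Constructed in-memory "sources"; nothing here touches the network.
SAMPLE_DNS = {                      # domain => subdomains a lookup "reveals"
  'example.test'      => ['www.example.test', 'mail.example.test'],
  'www.example.test'  => ['mail.example.test'],   # duplicate finding, exercises dedup
  'mail.example.test' => ['imap.example.test']
}
SAMPLE_RESOLVE = {                  # hostname => IP address
  'www.example.test' => '203.0.113.10', 'mail.example.test' => '203.0.113.20',
  'imap.example.test' => '203.0.113.21'
}

# The ontology: typed entities linked to the entity they were derived from.
Entity = Struct.new(:type, :name, :parent)

# Tasks are the sources: each maps one entity to zero or more new entities.
TASKS = {
  'dns_brute_sub' => ->(e) { (SAMPLE_DNS[e.name] || []).map { |h| Entity.new(:domain, h, e) } },
  'dns_lookup'    => ->(e) { ip = SAMPLE_RESOLVE[e.name]; ip ? [Entity.new(:ip_address, ip, e)] : [] }
}
# A machine: which tasks to run when an entity of a given type appears.
MACHINE = { domain: %w[dns_brute_sub dns_lookup], ip_address: [] }

# Recursion with the controls a coverage engine needs: each entity is enriched once,
# nothing outside the caller's scope is followed, and depth is bounded so it terminates.
# Returns the edges produced as [parent_name, task, child_type, child_name].
def run_machine(seed, in_scope:, max_depth: 3)
  seen  = Set.new(["#{seed.type}:#{seed.name}"])
  queue = [[seed, 0]]
  edges = []
  until queue.empty?
    entity, depth = queue.shift
    next if depth >= max_depth
    MACHINE.fetch(entity.type, []).each do |task_name|
      TASKS[task_name].call(entity).each do |child|
        next unless in_scope.call(child)
        next unless seen.add?("#{child.type}:#{child.name}")
        edges << [entity.name, task_name, child.type, child.name]
        queue << [child, depth + 1]
      end
    end
  end
  edges
end

if __FILE__ == $0
  scope = ->(e) { e.type != :domain || e.name.end_with?('example.test') }
  run_machine(Entity.new(:domain, 'example.test', nil), in_scope: scope).each { |edge| p edge }
end
```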
Intrigue Core Built-in Tasks

aws_*: aws_ec2_gather_instances, aws_s3_brute
dns_*: dns_brute_srv, dns_brute_sub, dns_brute_sub_async, dns_brute_sub_over_http, dns_brute_tld, dns_lookup_mx, dns_lookup_txt, dns_permute, dns_recurse_spf, dns_search_sonar, dns_snoop_cache, dns_transfer_zone
email_*: email_brute_gmail_glxu, email_harvest, email_validate
enrich/*: enrich/aws_s3_bucket, enrich/dns_record, enrich/domain, enrich/generic, enrich/github_account, enrich/ip_address, enrich/nameserver, enrich/net_block, enrich/network_service, enrich/organization, enrich/ssl_certificate, enrich/uri
import/*: import/arin_ipv4_ranges, import/aws_ipv4_ranges, import/data_file, import/domainlist_domains, import/shodan_json_tmp, import/umbrella_top_domains, import/umbrella_top_sites
saas_*: saas_google_calendar_check, saas_google_groups_check, saas_jira_check, saas_trello_check
search_*: search_bgp, search_bing, search_builtwith, search_censys, search_crt, search_edgar, search_github, search_github_code, search_have_i_been_pwned, search_opencorporates, search_phishtank, search_project_honeypot, search_robtex, search_shodan, search_sublister, search_threatcrowd, search_towerdata, search_virustotal, search_whoisology
security_trails_*: security_trails_historical_dns, security_trails_historical_whois, security_trails_nameserver_search, security_trails_subdomain_search
uri_*: uri_analyze_target, uri_brute, uri_brute_common_content, uri_brute_creds, uri_brute_focused_content, uri_check_security_headers, uri_check_subdomain_hijack, uri_enumerate_js, uri_extract_metadata, uri_gather_linked_content, uri_gather_robots, uri_gather_sitemap, uri_gather_ssl_certificate, uri_screenshot, uri_spider, uri_youtube_metadata
vulns/*: vulns/apache_struts_jakarta_parser, vulns/cisco_smart_install_scan, vulns/etcd_harvester, vulns/ssrf_brute_parameter, vulns/ssrf_proxy_host_header, vulns/tomcat_put_jsp
other: convert_entity, create_entity, create_service, enumerate_nameservers, finger_extraction, ftp_enumerate, gitrob, ip_geolocate, masscan_scan, net_block_expand, network_service_fuzz, nmap_scan, phone_number_lookup, scrape_publicwww, snmp_walk, tcp_bind_and_collect, web_account_check, whois_lookup
Intrigue Core Built-In Entities

autonomous_system, aws_credential, aws_s3_bucket, credential, dns_record, document, domain, email_address, file, github_account, github_repository, info, ip_address, nameserver, net_block, network_service, organization, web_account, person, phone_number, physical_location, screenshot, software_package, ssl_certificate, string, uri


Enrichment builds out the entity.
Enrichment can trigger new tasks too.
Enrichment on an entity of type Uri.

Service Fingerprinting with Recog
Ideal Qualities: Application & Network, Comprehensive, Easy to Extend, Version-Aware, Vulnerability-Aware, Browser Enabled, Free (as in Freedom)
Fingerprint format: XML
(Thanks @jonhart and @rapid7!)

Application Fingerprinting with Ident
Ideal Qualities: Application & Network, Comprehensive, Easy to Extend, Version-Aware, Vulnerability-Aware, Browser Enabled, Free (as in Freedom)
Fingerprint format: JSON

We can use enrichment to match vulnerabilities to the application as soon as fingerprinting is complete.
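Added example, not Ident's or Intrigue Core's code: an Ident-style JSON check (field names assumed, not Ident's real schema) fingerprints a constructed response header into a CPE, and an enrichment step immediately matches that CPE against a constructed, placeholder-labelled vulnerability table. The point is version awareness: ranges are compared with Gem::Version, so 1.3.10 is correctly ordered after 1.3.9 where a string compare would get it wrong.

```ruby
require 'json'
require 'rubygems'   # Gem::Version gives version-aware comparisons (stdlib)

# Ident-style check in JSON (the field names are assumed, not Ident's real schema):
# match a response header, capture the version, and emit a CPE for the fingerprint.
CHECKS_JSON = <<~JSON
  [{"name": "Acme WebServer", "match_type": "header", "match_header": "server",
    "match_regex": "AcmeWS/([0-9.]+)",
    "cpe": "cpe:2.3:a:acme:webserver:{version}:*:*:*:*:*:*:*"}]
JSON
CHECKS = JSON.parse(CHECKS_JSON)

# Constructed vulnerability table keyed by vendor:product with affected version
# ranges [from, below). The identifiers are placeholders, not real advisories.
VULNS = {
  'acme:webserver' => [
    { 'id' => 'VULN-CONSTRUCTED-1', 'from' => '1.0.0', 'below' => '1.4.2' },
    { 'id' => 'VULN-CONSTRUCTED-2', 'from' => '1.3.0', 'below' => '1.3.9' }
  ]
}

# Fingerprinting: returns the CPE with the captured version filled in, or nil.
def fingerprint(headers)
  CHECKS.each do |c|
    next unless c['match_type'] == 'header'
    value = headers[c['match_header']] or next
    m = value.match(Regexp.new(c['match_regex'])) or next
    return c['cpe'].sub('{version}', m[1])
  end
  nil
end

# Enrichment: as soon as a CPE exists, match it against the vulnerability table.
# Gem::Version orders 1.3.10 after 1.3.9; a plain string compare would not.
def vulns_for_cpe(cpe)
  parts = cpe.split(':')
  return [] unless parts.size >= 6 && parts[2] == 'a'
  key, version = "#{parts[3]}:#{parts[4]}", Gem::Version.new(parts[5])
  VULNS.fetch(key, []).select do |v|
    version >= Gem::Version.new(v['from']) && version < Gem::Version.new(v['below'])
  end.map { |v| v['id'] }
rescue ArgumentError   # malformed version string in the CPE
  []
end

if __FILE__ == $0
  cpe = fingerprint({ 'server' => 'AcmeWS/1.3.5' })   # constructed response header
  puts cpe, vulns_for_cpe(cpe).inspect
end
```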
Let’s put these concepts in action to...

● Broadly Discover Assets
● Enumerate App Stacks
● Identify Issues

DNSGrep (intrigue-core: dns_search_sonar) vs (thanks @erbbysam!)

How can we get a list of applications?

Machines use recursion to kick off tasks.

Vulns from CPEs!

Now let’s do some content discovery!
uri_brute_focused_content
… misconfigurations too: saas_google_calendar_check
Putting It All Together…
(Demo Time!)
Try it out
Spread the word
Send us ideas
Make a pull request
Thank You!

@jcran
@jgamblin

@intrigueio
https://core.intrigue.io
But how can we focus on risk?
Which Vulns Matter?!
