Notes from OWASP Helsinki chapter meeting 35: Bug Bounty programs

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting number 35 told all about bug bounty programs from hacker and organizer point of views. The event was held 6.11.2018 at Second Nature Security (2NS) premises in Keilaniemi. Here’s my short notes.

Notes from OWASP Helsinki chapter meeting #35

“Hunting for bounties in a web browser” by Juho Nurminen from 2NS started the event talks and told about how to approach the issue and showed some findings in details. For the usual of understanding the technology and focusing on what you know, it’s beneficial to read up prior art. Is it repeatable bug? Reproduce it in other context. The talk presented cve-2018-6033 (extension code can execute downloaded files), cve-2018-6039 (XSS in DevTools, privileged API can be overwritten) and cve-2011-2800 (data leak across origins). tl;dr; pwn things, submit crbug.com, profit.

“#OWASPHelsinki 35 started by @jupenur hunting bounties in web browsers. Understand the tech (web, js, extensions, plugin API, devtools, NaCI, WebAssembly, etc.). Focus on what you know. Read up prior art. Nice examples of bugs found. @OWASPHelsinki meetup hosted by @2NS_fi.” – @walokra

Why web browsers?
Why web browsers?

CVE-2018-6033
CVE-2018-6033

In “How to become a bug bounty hunter” Iiro Uusitalo from Solita talked about bug bounty platforms and tips to be succesful. In short: POC or GTFO, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community.

“How to become a bug bounty hunter, told by @iiuusit at @OWASPHelsinki meetup. Tips: poc or gtfo, recon, stay on scope, automate all the things, focus, report, wait, profit, join the community. #OWASPHelsinki” – @walokra

Bug bounty programs in Finland
Bug bounty programs in Finland

Tips for recon
Tips for recon
How to report
How to report

tl;dr;
tl;dr;

“Running a successful bug bounty program” by Thomas Malmberg from Hackrfi bug bounty program covered the topic from the “random dude from the other side of the table” point of view. “What really matters is finding bugs” but there’s a lot of things to manage. It comes to managing expectations of hackers and program owners. And remembering that hackers work for you (program owners) but they are not your employees.

Expectation management
Expectation management

“What really matters is finding bugs.” @tsmalmbe from @hackrfi told how to run a successful bug bounty program at @OWASPHelsinki meetup. Managing expectations of hackers and program owners. Remember: hackers work for you; hackers are not your employees. #OWASPHelsinki” – @walokra

The evening ended with a panel & discussion about bug bounty with Juho, Iiro and Thomas. There was lots of interesting questions asked and here’s some of them in short.

  • Hardware bug bounties, how to do if device not publicly available?
    • On premises hack days -> not so successful, too little time, concentrate on low hanging fruits.
  • How to choose [bug bounty] program?
    • Wide scope -> low hanging fruits.
  • What kind of reports of findings
    • OWASP Top 10 covers almost everything.
    • Everyone is scared of finding remote code execution.
    • Business impact findings.
    • Recon: who we are, what we do -> what has big business impact. Also where’s the legacy code?
  • Impact of how hacker and product owner sees findings? Owner will set the impact, how it should happen at both ends? how to define the final impact corresponding the value?
    • Always estimate, run some CVSS estimator.
    • Use Google’s approach.
    • Fairness and trust. Programs task is to create trust.
  • Awfraid of reporting found bugs when there’s no bug bounty program?
    • Program has rules which covers legal matters. Read the rules, ask.
  • Top 3 negative things?
    • Program runner went public, lots of bugs, hackers pwned whole system.
    • Communication issues.
    • Program runner: call on Friday night, database lost. bug bounty program to blame.
  • Bug bounty programs role, client and customer: public programs. -> ncss, cert-fi.
  • Pentesting vs. bug bounty?
    • Not competing.
    • You shouldn’t do bug bounty if you don’t have enough security maturity. Too many reports at start (duplicates, cost much, etc.), then nothing if you don’t pay.
    • Low hanging fruits are not interesting for good hackers
    • Pentesting last 30 days and result is report covering certain things.
    • Bug bounty concentrates on specific aspect.
  • Bug bounty and threat model? When program open, easier for black market to find vulnerabilities?
    • Threat model for users? Depends on product / service you are providing.
    • 0-day on some Finnish site selling on USA black market -> not much interest.
    • Pentesting should be done first.
  • How to improve process?
    • Educating the bottom of the pyramid. Hammer and nails.
    • Public programs generate lots of noice vs. private
  • Bug bounty in 5 years?
    • More automated things, scripts to detectivive things, AI
    • Bug hunter side: more professional all around the pyramid, more spam

OWASP Helsinki chapter meeting 34: Secure API

OWASP Helsinki Chapter held a meeting number 34 last week at Eficode with topics of
“Perfectly secure API” and “Best friends: API security & API management”. The event gave good overview to the topics covered and was quite packed with people. Eficode’s premises were modern and there was snacks and beverages. And also a sauna. Here is a short recap of the talks.

OWASP Helsinki Chapter Meeting 34

Perfectly secure API

Matti Suominen from Nixu talked about perfectly secure API and things related to get there. Can API be secure? On gut feeling APIs seems to be rubbish and have problems. He covered the topic from three view points: security, risks and defense. Good starting point is to read OWASP resources like ASVS, Top 10 and Security cheat sheet. Also implement security centrally, involve business in design and DIY never works out.

Best friends: API security & API management

Antti Virtanen from Solita talked about API security and API management and how we’ve traveled from dark ages to modern times. You can do API security with tools like Amazon AWS API Gateway but the main point was to step further with API management. Use some already made products like Apigee and open source alternative Tyk.io. Slides are available in Slideshare.

Snacks and beverages

Refreshments were basic and different

Notes from Owasp Helsinki Chapter Meeting 27

Security is important part of software development and often it doesn’t get enough attention or developers don’t know enough about it. I have been following Troy Hunt on Twitter for some time and as he was coming to Owasp Helsinki Chapter Meeting #27 it was great opportunity to hear about application security at first hand. Especially about hacking yourself first. The event was held at Life Science Center in Keilaranta and although it didnt’ provide much new information about security and how to protect against hackers, it was nice event. The event consisted talks presented by Troy Hunt: 50 Shades of AppSec and Hack yourself first.

50 Shades of AppSec

50 Shades of AppSec

The first talk was “50 shades of appsec” which covered a broad spectrum of what’s happening in our industry and how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy covered everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.

There was some nice bad examples how not to do things and hilarious examples how even criminal masterminds are fallible. Asking questions in StackOverflow with an account tied to your real identity, take a photo with iPhone and not clearing the EXIF data (which has location info).

“50 Shades of AppSec” talk didn’t provide much new information which I wouldn’t have read from Twitter or other news sources but was entertaining anyways. Good presentation matters.

Hack yourself first

If you’re protecting applications against attacks it’s good to know how attackers can exploit your application’s security holes. The online attacks against websites has accelerated quickly and the same risks continue to be exploited. These are often easily identified directly within the browser; it’s just a matter of understanding the vulnerable patterns to look for.

Troy Hunt’s “Hack Yourself First” talk was about developers building up cyber-offence skills and proactively seeking out security vulnerabilities in their own websites before an attacker does. It looked at website security from the attacker’s perspective and how to exploit common risks in a vulnerable web application. As usual the issues were quite basic information and could be easily identified and fixed with right knowledge and tools like Havij and Fiddler.

One interesting example was to use Fiddler to proxy your device’s traffic and look how remote server communicates with it and even decrypt HTTPS. You can e.g. edit request and response and change values sent to mobile. One example is to change the value for admin and see if the mobile application validates it on every request or do you really get admin rights to the application or service. Practical example was capture the traffic sent to British Airways mobile app and see the WiFi password list for free WiFi.

Or is it?

Second interesting example was about using WiFi Pineapple. To trick devices to connect with “known” wireless network, capture and circumvent it’s traffic. You did know that devices broadcasts the SSIDs they have previously connected and with devices like Pineapple you can easily see it and then do some magic.

WiFi Pineapple and captured SSIDs.

Q & A and afterwords

Views from Life Science Center Sauna

The questions and answers section was quite active as security is an interesting topic. There were good questions like how do you verify companies you use, like you’re using Freedome from F-Secure? It’s about choosing the least risky option. Better than WiFi at airport without VPN. You don’t really know.

Other interesting topic was about how security people don’t understand development and developers don’t understand security. It’s about working together and not just security people saying “There are vulnerabilities, fix those.” More cooperation would be better and it needs support from higher up to work together.

Afterwards the event had reserved the sauna on the 7th floor which provided also nice views over Laajalahti and some refreshments. Time to network and try to do small talk although I’m not the most social person. I wasn’t surprised that Troy didn’t join us to the sauna but it was nice that he had some time to talk in the lounge.

I didn’t get the Owasp sticker but I got some crafty swag from Nixu and Troy also provided one month free pass for Pluralsight which has courses to educate yourself

One of the crafty takeouts from the event camera cover sticker for laptop. Who is paranoid about infosec?
Will be busy month after to see all Pluralsight courses

Thanks to the organizers and event sponsor Nixu. Nicely noticed that Hunt is in Europe and to get him to talk about security. I also got a ride home with some good tips about restaurants in Tallinn which was nice. Thumbs up.