Automating Bug Bounty

Jan Masarik

whoami


AppSec Team Lead @ Kiwi.com (hiring Cloud Security Engineer)

OWASP Czech Chapter Leader (looking for sponsors and speakers)

Bug bounty hunter

Subpar Python dev

CTF player with TUNA team

Agenda

  1. What is bug bounty?
  2. Common bugs in bug bounty
  3. Existing solutions for bug bounty automation

What is bug bounty?

Let's illustrate it with Facebook's bug bounty program

Company publishes vulnerability disclosure policy with contact details

... scope

... Rewards

... Rules

Hacker then comes,

chooses the site to hack,

reports the findings,

and gets paid only for the valid bugs.

Win - Win

Companies improve their security.

Hackers can do what they love, on target of their choice, legally.

Bug bounty platforms

Software-as-a-Service (SaaS) platforms which offer a web application tailored to the needs of vulnerability disclosure.

Advantages:

  • Registered hackers waiting for launch of new programs
  • Web platform for reports
  • Private programs
  • Guidance
  • (optional) Dedicated triage team

Examples include: HackerOne, Bugcrowd, Hacktrophy (CZ/SK) or Intigriti

Common bugs in bug bounty

  • Cross-site scripting (XSS)
  • Server Side Request Forgery (SSRF)
  • Object storage misconfiguration (buckets)
  • Broken Authentication
  • Leaked secrets
  • Security Misconfiguration

Object storage misconfiguration

What is object storage?

  • Unlimited & reliable storage of objects (files)
  • Used for backups, attachments, logs, static files or as an FTP replacement

    $ aws s3 cp cat-image.png s3://cat-bucket
    200 OK
    $ aws s3 ls cat-bucket # authenticated
    2019-02-12 13:37:23 42 cat-image.png
    2019-02-11 04:42:02 78 secret-dog-image.png

What can go wrong?

AWS S3 allows granting public READ, LIST and WRITE permissions through the bucket's ACLs

Example of public LIST/READ:

    $ curl https://cat-bucket.s3.amazonaws.com # public LIST
        cat-image.png
        secret-dog.png
    ...
    $ curl https://cat-bucket.s3.amazonaws.com/secret-dog.png
    200 OK... # public READ

Root cause?

How to automate finding of misconfigured buckets?

Use public "indexes"

Automate on your own

From the defensive side, it's quite easy now
(AWS Config / Google Cloud Security Command Center)

For offense, you can use numerous OSS tools like goGetBucket

However, newly misconfigured buckets are now less prevalent, as even AWS is finally waking up in the area of usable security 😒

... and most of the old buckets were already picked up by others

How can we do better?

1. Optimize discovery

2. What about other object storage providers?

Optimize discovery

Use DNS instead of HTTP

Custom wordlists adjusted to the target

Use the HEAD method if you need to use HTTP

Check all permissions (READ_ACP or WRITE_ACP are often forgotten)
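An added example (not from the talk or from BugShop) of the defensive side of the last point: walk an S3 bucket ACL in the structure that boto3's get_bucket_acl() returns and report every permission granted to the AllUsers or AuthenticatedUsers groups, READ_ACP and WRITE_ACP included. The ACL below is constructed.

```python
# On a bucket ACL, READ lets the grantee list objects and WRITE lets it add or
# delete them; READ_ACP / WRITE_ACP let it read or replace the ACL itself.
# FULL_CONTROL implies all four.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
PERMISSIONS = ("READ", "WRITE", "READ_ACP", "WRITE_ACP")
IMPACT = {  # ordered worst first
    "WRITE_ACP": "anyone can rewrite the ACL and grant themselves FULL_CONTROL",
    "WRITE": "anyone can upload, overwrite or delete objects",
    "READ_ACP": "anyone can read the ACL (grantee IDs, other grants)",
    "READ": "anyone can list the bucket (public LIST)",
}

def public_grants(acl):
    """Map permission -> set of public group names granted it (ACL dict as returned by get_bucket_acl)."""
    found = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group is None:
            continue  # owner / canonical user grants are not public
        perm = grant["Permission"]
        for p in (PERMISSIONS if perm == "FULL_CONTROL" else (perm,)):
            found.setdefault(p, set()).add(group)
    return found

def risk_summary(acl):
    """One line per public permission, worst first; empty list means nothing is public."""
    found = public_grants(acl)
    return [f"{p} -> {', '.join(sorted(found[p]))}: {IMPACT[p]}" for p in IMPACT if p in found]

# Constructed ACL: owner FULL_CONTROL plus two forgotten public grants.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    for line in risk_summary(SAMPLE_ACL):
        print(line)
```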

Providers of object storage

Provider         | READ | LIST | WRITE   | READ_ACP | WRITE_ACP | Comment
AWS              | ✓    | ✓    | ✓       | ✓        | ✓         | Good warnings (now), notification emails, bucket-only policy
Google Cloud     | ✓    | ✓    | ✓       | ✓        | ✓         | Great warnings, bucket-only policy, write "AllUsers" instead of checkbox
Microsoft Azure  | ✓    | ✓    | -       | -        | -         | Okay-ish warnings, (paid) ML addon to detect compromise
DigitalOcean     | ✓    | ✓    | via API | via API  | via API   | Okay-ish warnings, but setting LIST via API won't show in UI 😈 (Won't fix)
Alibaba Cloud    | ✓    | -    | ✓       | -        | -         | No public LIST 👍
Oracle Cloud     | ✓    | ✓    | -       | -        | -         | Not the best UI, but very difficult to enumerate valid buckets

Broken Authentication

MongoDB, Kibana, Jenkins, internal apps, ...

Mistakenly exposed services are far more common than you would think :-)

Automate discovery via:

  1. Blackbox: enumerate e.g. using OWASP Amass
     Whitebox: dump DNS/IPs
  2. Make screenshots with aquatone
  3. Look for unauthenticated pages or status code changes (401->200)
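An added example (not part of the talk) of step 3 run as a monitoring job over hosts you own: two constructed scan snapshots in a "url status title" format are compared, and endpoints that moved from 401/403 to 200, or that are new and already answer 200, are reported.

```python
# Added example: diff two scan snapshots and alert on endpoints that stopped
# requiring authentication. Both snapshots are constructed sample data.
PREVIOUS_SCAN = """\
https://kibana.qa.example.com/ 401 Kibana
https://jenkins.example.com/ 403 Jenkins
https://www.example.com/ 200 Example
"""
CURRENT_SCAN = """\
https://kibana.qa.example.com/ 200 Kibana
https://jenkins.example.com/ 403 Jenkins
https://www.example.com/ 200 Example
https://mongo-express.qa.example.com/ 200 Mongo Express
"""
AUTH_REQUIRED = {401, 403}  # codes meaning "something in front asks for credentials"

def parse_scan(text):
    """'url status title' lines -> {url: (status, title)}; blank lines are ignored."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        url, status, *rest = line.split(maxsplit=2)
        results[url] = (int(status), rest[0] if rest else "")
    return results

def find_regressions(previous, current):
    """Alerts for 401/403 -> 200 transitions and for never-seen hosts that answer 200."""
    alerts = []
    for url, (status, title) in sorted(current.items()):
        if status != 200:
            continue  # still protected (or down); nothing new to look at
        old = previous.get(url)
        if old is None:
            alerts.append(f"NEW {url} ({title}) answers 200 on first sight")
        elif old[0] in AUTH_REQUIRED:
            alerts.append(f"AUTH DROPPED {url} ({title}) {old[0]} -> 200")
    return alerts

if __name__ == "__main__":
    for alert in find_regressions(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN)):
        print(alert)
```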

Leaked secrets

Git repositories

How bad can it git? (2019)

  • Research on token leakage done by Michael Meli, Matthew R. McNiece and Bradley Reaves from North Carolina State University
  • Real-time scan of all public GitHub commits for 6 months + scan of old GitHub archives
  • Scanning for 11 high-impact API keys for AWS, Google, Facebook, Twitter or Stripe

"We find that not only is secret leakage pervasive – affecting over 100,000 repositories – but that thousands of new, unique secrets are leaked every day."

"Our results show that TruffleHog is largely ineffective at detecting secrets, as its algorithm only detected 25.236% of the secrets in our Search dataset and 29.39% in the BigQuery dataset."

Automate discovery via:

CI logs

Embedded in applications

Forgotten files on webservers

  • Assetnote is continuously monitoring (sub)domains of Slack
  • A month after the start of monitoring, they detected a new .git folder on a QA server
  • The repository contained the whole source code of the Slack web app (1.6 GB) with over 300 hardcoded secrets
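An added example (not from the talk or the NCSU paper) of the pattern-plus-entropy approach such scanners use, run over a constructed CI log; it covers only the AWS, Google and Stripe key formats, the AWS credentials are the example values from the AWS documentation, and the Google key is made up.

```python
import math
import re

# Fixed-prefix formats for three of the high-impact key types the NCSU study targeted.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}
# Catch-all for keys without a recognisable prefix (e.g. AWS secret access keys):
# long token-like runs whose Shannon entropy is too high for a word, path or file name.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text):
    """Return [(line_no, kind, value)] for every suspected secret in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        matched = set()
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((no, kind, m.group()))
                matched.add(m.group())
        for m in CANDIDATE.finditer(line):
            tok = m.group()
            if tok not in matched and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((no, "high_entropy", tok))
    return findings

# Constructed CI log. AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI... are the example
# credentials from the AWS documentation; the Google key is made up.
SAMPLE_LOG = """\
[ci] exporting AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[ci] exporting AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[ci] exporting GOOGLE_MAPS_KEY=AIzaSyA0b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5r
[ci] uploading build_output_linux_amd64_release_candidate.tar.gz
[ci] done
"""

if __name__ == "__main__":
    for no, kind, value in scan_text(SAMPLE_LOG):
        print(f"line {no}: {kind}: {value[:8]}...")  # never echo the full secret
```

The long but low-entropy artifact name on line 4 is deliberately there to show the entropy gate rejecting it.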

Security Misconfiguration

(Django) Debug mode enabled

Public Google Calendar

  • You can share your Google Calendar with the world via a single checkbox.
  • Events may include Google Docs sharing links, links to conference calls, etc.

Wrapping all this automation together?

(╯°░°)╯︵ ┻━┻

Existing solutions - Free

  • Lazy Recon - series of bash scripts with integrated OSS tools
  • Intrigue Core - Ruby tool which abstracts assets into a graph system
  • Project Discovery - new tool in closed beta, written by Ice3man543 (author of subfinder)

Existing solutions - Paid

  • Intrigue Core / Project Discovery - also offer paid subscriptions
  • Assetnote - originally written for bug bounty hunting, pretty cool
  • Detectify - damn good hacker-powered vulnerability scanner with a bit of asset discovery
  • Sweepatic - new Attack Surface Monitoring startup with origins in Brno (haven't tried it)

My solution - BugShop

Technology used

Docker

Kubernetes

Argo Workflows

Argo Events

GitLab

GitLab CI

PostgreSQL

Overall design

Bugshop - Demo

Lessons learned

  • Start small - build a 🗑️, not a 🔨
  • Don't expect to earn money right away (or at all 💸)
  • Pick 1 thing and do it well ✨
  • KISS - bash/python is probably good enough
  • Ideas are everywhere - proper execution is what matters

Thanks for your attention!

Questions?

Slides at https://masarik.sh/s/automating-bug-bounty

Blog with some more research will be published on masarik.sh soon

Read the full thesis at is.muni.cz/th/de05t/master_thesis_final.pdf