We all know the famous quote “Think out of the box”. Technical knowledge is important, but so is creativity. In bug bounty, to get nice rewards, sometimes you don’t need to be a crazy coder or a great network engineer; you simply need to try what others didn’t.

This year, Slack got in trouble because many developers left their credentials in their public repositories. Last year Uber had to deal with a major security issue: database keys were stored on GitHub (this led to a sweet bounty for the finder).

I found an interesting project, on GitHub itself, to parse the search engine results: vcsmap from Melvinsh. Unfortunately the scraper seems to have trouble with searches that require authentication. Since I don’t understand Ruby, I wrote my own tool in PHP.

...

While I was working on a famous bug bounty program, WPScan returned the list of the plugins installed on the WordPress site. Here is what I found in one of them: Image Gallery by Huge-IT.

WPScan output, no known issues:

[+] Name: gallery-images - v1.8.6  
 |  Location: https://[REDACTED]/wp-content/plugins/gallery-images/  
 |  Readme: https://[REDACTED]/wp-content/plugins/gallery-images/readme.txt  

After a quick search on exploit-db.com with no success, I finally decided to download it and read the code to find vulnerabilities myself. Since the readme was available, I was able to confirm the version of the plugin.

I was looking for two kinds of vulnerabilities: file upload and SQL injection. The first thing I did was to locate the PHP files and grep the result for a Content-Disposition header:

$ find . -name "*.php*" | xargs grep -i header
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:		/*HEIGHT FROM HEADER.PHP*/
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./admin/gallery_func.php:			header('Location: admin.php?page=gallerys_huge_it_gallery&id='.$rowsldccs->id.'&task=apply');
./admin/gallery_view.php:	header('Location: admin.php?page=gallerys_huge_it_gallery&id='.$row->id.'&task=apply');
./admin/gallery_view.php:	<div id="gallery-header">
...
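To turn the one-off grep above into a repeatable triage step, here is an added example (shell; not code from the original post or from the plugin) that scans a plugin directory for the sinks behind file-upload and SQL-injection bugs plus header() calls. The pattern lists are my own choice, and the small plugin it writes to a temp dir is a constructed sample so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post or the plugin: grep a plugin's
# PHP files for the sinks behind the two bug classes being hunted (file upload
# and SQL injection) plus header() calls, to triage a plugin before deploying it.
# The pattern sets are hypothetical extended regexes, one per class.
UPLOAD_SINKS='\$_FILES|move_uploaded_file|Content-Disposition'
SQL_SINKS='\$wpdb->(query|get_results|get_row|get_var)|mysqli?_query'
HEADER_SINKS='header\('
# find_sinks DIR REGEX: print file:line:text for each *.php line under DIR that
# matches REGEX (case-insensitive); /dev/null forces grep to print filenames.
find_sinks() {
    find "$1" -type f -name '*.php' -exec grep -nEi -- "$2" /dev/null {} +
}
# count_sinks DIR REGEX: number of matching lines, 0 when nothing matches.
count_sinks() {
    find_sinks "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}
# audit_php_sinks DIR: per-class count followed by the matching lines.
audit_php_sinks() {
    for class in upload sql header; do
        case $class in
            upload) re=$UPLOAD_SINKS ;;
            sql)    re=$SQL_SINKS ;;
            header) re=$HEADER_SINKS ;;
        esac
        n=$(count_sinks "$1" "$re")
        printf '== %s: %s line(s)\n' "$class" "$n"
        if [ "$n" -gt 0 ]; then find_sinks "$1" "$re"; fi
    done
}
# make_sample_plugin: write a constructed two-file plugin (not the Huge-IT code)
# into a temp dir and print its path, so the audit can be tried offline.
make_sample_plugin() {
    d=$(mktemp -d)
    mkdir "$d/admin"
    cat > "$d/admin/upload.php" <<'EOF'
<?php
// constructed sample: unchecked upload and a string-built query
if (isset($_FILES['image'])) {
    move_uploaded_file($_FILES['image']['tmp_name'], 'uploads/' . $_FILES['image']['name']);
}
$wpdb->query("DELETE FROM images WHERE id=" . $_GET['id']);
header('Location: admin.php?page=gallery');
EOF
    printf '%s\n' '<div id="gallery-header"> <!-- html id, not a sink -->' > "$d/view.php"
    printf '%s\n' "$d"
}
# Run directly on an extracted plugin: sh audit.sh ./gallery-images
if [ $# -ge 1 ]; then audit_php_sinks "$1"; fi
```

Every hit still has to be read by hand: a `$wpdb->query` built with `$wpdb->prepare` is fine, while one concatenating `$_GET` is not.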

In my opinion the best way to learn hacking and security is to read public disclosures. They are a great resource of tips and tools to make your life easier.

Here are some blogs I frequently visit, written by bounty hunters themselves. They explain their findings, why the bugs occur, how they were able to exploit them and sometimes how much they earned. I visit them once a week and I also follow their writers on Twitter so as not to miss the bugs they don’t write up.

Ben Sadeghipour, who plays with many different vulns:
http://archive.nahamsec.com/

Filedescriptor, I don’t know who this guy is but his profile on HackerOne is truly awesome:
https://blog.innerht.ml/

Sean Melia, who swings between first and second place on HackerOne:
https://seanmelia.wordpress.com/

Jack Whitton, a true XSS Jedi:
https://whitton.io/

Nir Goldshlager, CEO of Break Security:
http://www.breaksec.com/

...

Amazon Simple Storage Service, aka S3, is cloud storage for the Internet. You first create a bucket and can then upload any number of objects (photos, videos, documents, etc.) to it. However, if the permissions (ACLs) are not set correctly, bad things can happen.

As recently disclosed by HackerOne, a misconfiguration in their Amazon Web Services S3 buckets allowed any authenticated user to write to them. From there an attacker could upload a malicious file and wait for someone to open it, or overwrite existing files.

When you crawl a website, you can check for the presence of S3 by intercepting calls to amazonaws.com. The bucket call can have different forms:
https://<aws_region>.amazonaws.com/<bucket_name>/<file_path>
or:
https://<bucket_name>.amazonaws.com/<file_path>

Once you have the bucket name, you can run many tests with awscli to check its permissions. If you try to access a bucket that doesn’t exist, you’ll get this message:

$ aws s3 ls s3://gwen001-azertyuiop  
A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist

If you try to execute a command you are not allowed to run, you’ll get something like this:

$ aws s3 ls s3://gwen001-test000/
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
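As an added example (not from the original post), the following shell functions pull the bucket name out of the URL shapes described above and map the two awscli outcomes shown into a verdict, so a bucket owner can sweep their own buckets for listable ones. Beyond the page's two URL forms it also assumes the virtual-hosted form with `.s3` or `.s3-<region>` in the host, and check_bucket assumes awscli is installed and configured.

```shell
#!/bin/sh
# Added example, not code from the original post: extract the bucket name from
# the URL shapes discussed above and turn the two awscli outcomes shown into a
# verdict, so a bucket owner can check listing permissions on their own buckets.
# bucket_from_url URL: path-style hosts start with "s3" (s3.amazonaws.com,
# s3-<region>.amazonaws.com, s3.<region>.amazonaws.com) and carry the bucket as
# the first path segment; any other <x>.amazonaws.com host names the bucket in
# <x>, optionally followed by ".s3[-region]" (assumed virtual-hosted form).
bucket_from_url() {
    rest=${1#*://}
    host=${rest%%/*}
    path=""
    if [ "$rest" != "$host" ]; then path=${rest#"$host"/}; fi
    case $host in
        s3.amazonaws.com|s3-*.amazonaws.com|s3.*.amazonaws.com)
            printf '%s\n' "${path%%/*}" ;;
        *.amazonaws.com)
            b=${host%.amazonaws.com}
            printf '%s\n' "${b%.s3*}" ;;
        *)  return 1 ;;
    esac
}
# classify_s3_output EXIT_STATUS OUTPUT: verdict for one "aws s3 ls" attempt.
# NoSuchBucket and AccessDenied are the two error codes shown in the post;
# exit 0 with no such code means the listing succeeded (possibly empty).
classify_s3_output() {
    case $2 in
        *NoSuchBucket*) echo NO_SUCH_BUCKET; return 0 ;;
        *AccessDenied*) echo ACCESS_DENIED; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo LISTABLE; else echo OTHER_ERROR; fi
}
# check_bucket BUCKET: run the listing (needs awscli and credentials) and print
# "bucket<TAB>verdict". Captures the exit status without tripping set -e.
check_bucket() {
    if out=$(aws s3 ls "s3://$1/" 2>&1); then st=0; else st=$?; fi
    printf '%s\t%s\n' "$1" "$(classify_s3_output "$st" "$out")"
}
# check_urls: read URLs on stdin (e.g. extracted from a crawl), dedupe the
# bucket names and check each one. Usage: cat urls.txt | sh s3check.sh --stdin
check_urls() {
    while read -r url; do bucket_from_url "$url" || true; done | sort -u |
        while read -r b; do check_bucket "$b"; done
}
if [ "${1:-}" = "--stdin" ]; then check_urls; fi
```

A LISTABLE verdict on a bucket that is not meant to be public is the finding; what is writable is a separate question that only the bucket's ACL and policy answer.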
...

bWAPP is a PHP web application that is intentionally vulnerable. It covers a very large set of common vulns, but also some unusual cases you can meet on the Internet.

The goal here is to train your development skills and hacking knowledge so you can write better (more secure) code. Compared to DVWA, consider bWAPP a much more advanced level of difficulty.


...